Analysis
-
max time kernel
143s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-11-2024 02:22
General
-
Target
874e214748f0e28499d0c58f567cef2cb53d85f2b2d15eb1732e6cefa1619aa1.exe
-
Size
844KB
-
MD5
dd79f76c6f8b55db437c873434e0e1a3
-
SHA1
7e8b727e9d37c9b908c04b2c9a5dba254ce33271
-
SHA256
874e214748f0e28499d0c58f567cef2cb53d85f2b2d15eb1732e6cefa1619aa1
-
SHA512
94d6c80a3c3cf76b2acd7c2fbc57f19b53c0285377194cc5ae600bd34c9833fcb463e90aa5469ce143adff101615b07c16b34131a09da6316ed14e8f154fc520
-
SSDEEP
24576:LyEtVj7QDKA7vQZEKW2bIg0m2f3jCO3v2sZi:+eVj7gL8ZW2bIg05f3jdZ
Malware Config
Extracted
redline
mango
193.233.20.28:4125
-
auth_value
ecf79d7f5227d998a3501c972d915d23
Signatures
-
Detects Healer an antivirus disabler dropper 19 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
-
Redline family
-
Executes dropped EXE 5 IoCs
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\874e214748f0e28499d0c58f567cef2cb53d85f2b2d15eb1732e6cefa1619aa1.exe"C:\Users\Admin\AppData\Local\Temp\874e214748f0e28499d0c58f567cef2cb53d85f2b2d15eb1732e6cefa1619aa1.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\liba9675.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\liba9675.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\liba7526.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\liba7526.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5766lk.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5766lk.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g52EW92.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g52EW92.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 10765⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\heuYM77.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\heuYM77.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3800 -ip 38001⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
702KB
MD5f530da517f5bace1964908563ea5eab5
SHA122d7ff587dceda7070ac3dc5e0c41dd0504f29c6
SHA256009c93fa8a36931a77e16eeb4a12120532b68a931a4ab6625ebe0e8381c6fddd
SHA5127f5daab635618be0220afdd5bc15cbbd73d8a2ba7c9b06a8a13bd0bc386fc0d1087f20d8c7e301b1b9d343412404689623866d2c7e9bcf51b323a94c8d83e4e5
-
Filesize
396KB
MD5d5df8a4d2309e934e9dcafaf6488de50
SHA15d64fcac7f6ca8fc1c298a83a1f0c8539b0adf34
SHA2565a73856215e5e9a07f5bab92c4f5d8897767f0f76b121a21d71543154154298c
SHA51229ec65010ab5e5341c780e00762ca1225d7fc21dbe1263442b5f36a59bd0397ed2db4a9f6e1e580b22f0eb54e016f3dac9a3f66afba6a7729964ceae19a5eabd
-
Filesize
348KB
MD58e5cea42980e015ba873023950bc6bf6
SHA1575ec270978db4119fbc5fdb3071a33650c97a13
SHA256f101a771495e81a8bf96c5ccde0dbc59fb51c9902ff1fb4c8e6d97e87de9699b
SHA51223d57aba017cbb3338813c8c12d7b7696974c62478f93164c042117cbe16d943a650a8dea5bf5833eba258f35782f7b64b33d71f5a0b32479539383e2619f7cb
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
338KB
MD5337177d5b9f4527c6c48fa7efbfc9412
SHA1044e98a40b2e6b6e3fe9ff9aef9c18f3a7100d49
SHA25693a7fb9e395c4091327d7ab233c548d03d4bbde0784310e1b55429466a05d70d
SHA51256621ca993ed2df115ec50f80284f9658d3cb062e73c596a2d482f74dd9a4f4a32e19cf0b666a7dd29494f07a6e449d948f2b2e532a38a16a1d71085dca32345
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
248KB
-
Filesize
240KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
72KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
304KB
-
Filesize
248KB
-
Filesize
280KB
-
Filesize
272KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
72KB
-
Filesize
39.0MB
-
Filesize
39.0MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
96KB
-
Filesize
5.6MB
-
Filesize
104KB