Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-11-2024 08:25
General
-
Target
7ffb77bccc11b2d7ee389a34d5c2f08f04482b6f122174fe5320b14079c03c24.exe
-
Size
844KB
-
MD5
6fd7c5dc5443c109f7406a89a42e63ee
-
SHA1
4f0b6a0a98433cb76678897ab6ef3ddaa6b17d5c
-
SHA256
7ffb77bccc11b2d7ee389a34d5c2f08f04482b6f122174fe5320b14079c03c24
-
SHA512
d436a6e7fd2d2e435d2d1829f4c61e0619a4d218aafb76f602bdf5a3464dcab141a0e0de5ca3217fba8218ab8f47b06de26989961f83d64071c988f47fc8380a
-
SSDEEP
24576:ZylLWESHfkb4Do2WxRIo2WWD3jIT3jA6V:MlSd9WxRImG3jT
Malware Config
Extracted
redline
mango
193.233.20.28:4125
-
auth_value
ecf79d7f5227d998a3501c972d915d23
Signatures
-
Detects Healer an antivirus disabler dropper 19 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
-
Redline family
-
Executes dropped EXE 5 IoCs
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7ffb77bccc11b2d7ee389a34d5c2f08f04482b6f122174fe5320b14079c03c24.exe"C:\Users\Admin\AppData\Local\Temp\7ffb77bccc11b2d7ee389a34d5c2f08f04482b6f122174fe5320b14079c03c24.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\liba5969.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\liba5969.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\liba2322.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\liba2322.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6661nQ.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6661nQ.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g37IB46.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g37IB46.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 10805⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hAvuz63.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hAvuz63.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2068 -ip 20681⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
702KB
MD5d525c9681730e95aa9148e2f5c7b88f6
SHA15a7c660b19df44c91dd7a01cb6cc5b7cb1f451f0
SHA25631e996b8bb1f1405c78a053c6bf9b55dc54def821d5d8c9a985194806a15a18c
SHA51285b447e2942875b3d4534f79e3c4bd3344a9cd57f38aa88b79a60b9cf965c5495c8df1c9b6ead584a66ee3706704f6ae8ed4102bec796b0b7b3048325d57639a
-
Filesize
396KB
MD572268d450c7eeb18b413bb887dffaa9f
SHA1b8fd76f580e2add4c758baee89f080e9fded1e0b
SHA25642db299d32bba47306279015d2c37a0ff6cc3da48d73b7dca7453b5a12174362
SHA512167c902412af8032aea3f7b715518dc906494babe836b6cf85ae471663aebc2ad67cd3abcde6c1cc22c87505d6e3e6b8b9c269c9d00b9e672c594905838b5fca
-
Filesize
348KB
MD5c3f68e1228558fd64a68a887bfaa7bd6
SHA1f2f43de355e72362f77610e628b680a943720aa5
SHA256cb19ed56f140ad4e17100f66acde2b27c9e748e8bed84a4f26d052881adf4d73
SHA5123cc7720eb25961f60db11a12c0113ce2f7ec0462c84c44c12159cd53bbbca1cea532ad5469b188c6af197d1acc769e5ddd028dd7c30fdd25e4336630785b5a2d
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
338KB
MD5d0e714d8edb42834c383ecbce905a44b
SHA13c7ff16821a255bee7b94ea40c4bdd176a7d0601
SHA256734990741793c718431fb589bb6171dc8181b150cca9ebf99c5e99e258ddbe46
SHA5122ac43e8e75ac325ce4f16e3b56583cf2a2c7c76b297ba213f4b42f47cbe1830d02e306a964ae07bb9b7a89e6c6f43ddaeeb903cc303a11ebe05c3ab06a9ac0e0
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
304KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
280KB
-
Filesize
272KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
39.0MB
-
Filesize
39.0MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
96KB
-
Filesize
5.6MB
-
Filesize
104KB