Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-11-2024 09:28
General
-
Target
978313ae6fae36af5d07f9ea70c463ea72a9eeeeaad031c057bdaacc6854a964.exe
-
Size
787KB
-
MD5
b0341836bb3885b2db25c21fb7e00e30
-
SHA1
c7acdc44b60d071cf0e3771357f1b344d7c0f672
-
SHA256
978313ae6fae36af5d07f9ea70c463ea72a9eeeeaad031c057bdaacc6854a964
-
SHA512
12292e38ee79a3e592ef31499be57899b57f3c67e330bdf86cd468436d2c811f8dd2ef9957690c43811ac42010e73f503a6f3063b85b9b5e3ddb350c18ba5692
-
SSDEEP
24576:6ynh9q05OuxB1SubsEmWw2uD4J1rkE14:Bnh9q053bbNmz2ao1rd
Malware Config
Extracted
redline
mango
193.233.20.28:4125
-
auth_value
ecf79d7f5227d998a3501c972d915d23
Signatures
-
Detects Healer an antivirus disabler dropper 19 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
-
Redline family
-
Executes dropped EXE 5 IoCs
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\978313ae6fae36af5d07f9ea70c463ea72a9eeeeaad031c057bdaacc6854a964.exe"C:\Users\Admin\AppData\Local\Temp\978313ae6fae36af5d07f9ea70c463ea72a9eeeeaad031c057bdaacc6854a964.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice4588.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice4588.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice8462.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice8462.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2763Al.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2763Al.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c54xL34.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c54xL34.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 10965⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dYIaF01.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dYIaF01.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2856 -ip 28561⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
642KB
MD5a4aadf5dbfefeb8fde8c1c748f114656
SHA10e090feeaa0c8efc6fb0a1c4ac61c6fabc7a9887
SHA256ef92f490c33d95c4836bfd60768402c198ed3ca20351f48ebd5ee85888a1a113
SHA512e1295bad5093cc623804beab160b4f0a49fb15a232a1f31c80dbce5f0648010733b3ea8964cc5c6b5f721566a328e873820adb6baa030e394246a7ffb07287d5
-
Filesize
295KB
MD5bc29c2dfc6ca49da583a76559dead377
SHA1343442da23047447b364f473b2e53c549d8f0246
SHA2567c0ce7a5e9101dcf244ec974e86c7581d923f530bbd59ad7266b0b0a5b5eb7f2
SHA5121cb1a3ee7d7129fddf0650bee01ea9eaf9289c9061665908a0175c5d69e2988e848a2b8a756f569f3cf821e949b3362344e82aff4b0e3804812d12f808a5b52c
-
Filesize
321KB
MD5bbb50d19ea34c5d043b0c062a612d94b
SHA18290a17a6587df4ff38d5aead7c0a185cf88548b
SHA256a0138cff09789229bccb6c28fdb5660718d7cad3fe785ae0707920fbeaadf068
SHA51213484deb92ca45c03972b63dfb03de1f1b6e1b9ea7a1bc330be4a399aec56792f7839fa1b67677f036b8cb2908505e8e462a839d35d061064146fd12a70b334c
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
237KB
MD5d81171bb6cc88a623c51734f14fc480b
SHA1ea6274b4525cc4998644a29ff94b3fc315d905d6
SHA256b7a4560f868f5758982038f4dbde0931b0a255a51f030b0986b52948382d9159
SHA512627414f8d45219009851bfe4bca4108d5b42f328b7ff93977feef03cec90d3979457e71e32ffb294510e0f51e25beef54517b72389ba09cb17bf80ed105e1a0c
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
744KB
-
Filesize
96KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
5.6MB
-
Filesize
744KB
-
Filesize
104KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
280KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
272KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB