Analysis
-
max time kernel
142s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-11-2024 09:53
General
-
Target
e6852eb18d1b1d0578e85b9e2973c9a4df5de693509561f9ff62363d048da6bb.exe
-
Size
792KB
-
MD5
5d3a69031929664fde7215a256489efa
-
SHA1
4a1d78fdbf51afabdf5b2dddfcf5b8c6a138fe26
-
SHA256
e6852eb18d1b1d0578e85b9e2973c9a4df5de693509561f9ff62363d048da6bb
-
SHA512
15a74873114b7eee56db200f703cf11f0d9225d41f2730719ac79ca050a27ab1d2a7f75f5f8db6dd861c8275fdc5d575da2478f2ea2792147c1d611c63b6e500
-
SSDEEP
24576:NyvowVYYEVqzDna78ASJUS++iuveGONk9p0rV5:oxXaYDa7W6S++iuvmN
Malware Config
Extracted
redline
mango
193.233.20.28:4125
-
auth_value
ecf79d7f5227d998a3501c972d915d23
Signatures
-
Detects Healer an antivirus disabler dropper 19 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
-
Redline family
-
Executes dropped EXE 5 IoCs
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e6852eb18d1b1d0578e85b9e2973c9a4df5de693509561f9ff62363d048da6bb.exe"C:\Users\Admin\AppData\Local\Temp\e6852eb18d1b1d0578e85b9e2973c9a4df5de693509561f9ff62363d048da6bb.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice2953.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice2953.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice3950.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice3950.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7066Mn.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7066Mn.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c06pQ45.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c06pQ45.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 10965⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dGIYV50.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dGIYV50.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2416 -ip 24161⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
647KB
MD5d5f7c105e1fb183dbf7c5e71b09b25d9
SHA13dd7a5f833c55d588a2c25bb6f5095b7a1ab9c81
SHA256ee5c414bc85391e5b326e5722e279c1dbfb9319a66eb9c94080fcceb633b593d
SHA5124ca1bde933a07bd16152bf1b91b66efc38d491655c97bbe1d68f42b2444655a8f2951ee148ae888d306cf1e6c80562247ae0eced211897c8a3dbb2d1751e1e48
-
Filesize
283KB
MD547bdfdd06e639918b0afea1f44ada3f6
SHA1bbd05051851525ab68efe223df2f803beadebbb1
SHA2562f0d6adc2d3bc2dc69a9a82c0fa72c1a32a17ff1c134bb483510c29d6cc86a7d
SHA512610cc2a6de38f1dad10c0b5250969e10178bfc1e6d3e0f0b65f03f3b2f1707ff60ba42881b21c313df28603bbebd6956866435e0af6d6e038c052815d5703473
-
Filesize
324KB
MD55630ad48c5b2e22db9d77945e78da23c
SHA1a17c969ec044792f22ce722a059a7ae712142019
SHA25699b7adb3c4982397c83da348621a4f814c03b284ec29ac360516b9e2c39da94d
SHA512bd0e10a2eb01e0c4ba781cc44c4ca9448df09fb3725846ebdb37675c3fd6329d5e1445de1d6fc0d2fe64657ac22028532593d1d00e7cc4cbfc3f6ba2b604b96c
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
225KB
MD5d5ce726e1f4d847e5cb9b6b0d1acd395
SHA1a8fc20201311a056b36be34926f2d886245ea11e
SHA256db1a87166475c833b66e36600ce4b527bad8ee1f4beaa039e048c2063fef132a
SHA5128751d713b1be0874028cb0c0f4c07486eba1cc8bb345e3542bd20f0186770417d0f64eb5471c1d91b8fbaac57bce450d50a6fbab3ba90d0c32eef513540a5301
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
248KB
-
Filesize
240KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
72KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
304KB
-
Filesize
280KB
-
Filesize
272KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
72KB
-
Filesize
736KB
-
Filesize
736KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
96KB
-
Filesize
5.6MB
-
Filesize
104KB