Analysis
-
max time kernel
112s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
12-11-2024 10:06
General
-
Target
69211bc04bbfceb8632f0492017f5539513fe3144530e43116a38172a85911c7N.exe
-
Size
668KB
-
MD5
24fc775b23074d6e1e842eadc3b15b50
-
SHA1
247f48a3c6f07aa6c324c7eff01d83776ba34c33
-
SHA256
69211bc04bbfceb8632f0492017f5539513fe3144530e43116a38172a85911c7
-
SHA512
7e118c728d87ea0c10b3fb0024b0dacebeab163c1b46e479ca5231b994ed8f42986220276c9dee09b5bde582879f6e29a0705cb9a18d3a3e3b9505108437bafc
-
SSDEEP
12288:kMrBy90hLhwkslnczmdgLgvPK+03d+qDxWe+MeVuZsEd232:Ny2LCltPK+0UqVl+78Zx9
Malware Config
Extracted
redline
mango
193.233.20.28:4125
-
auth_value
ecf79d7f5227d998a3501c972d915d23
Signatures
-
Detects Healer an antivirus disabler dropper 19 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
-
Redline family
-
Executes dropped EXE 4 IoCs
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\69211bc04bbfceb8632f0492017f5539513fe3144530e43116a38172a85911c7N.exe"C:\Users\Admin\AppData\Local\Temp\69211bc04bbfceb8632f0492017f5539513fe3144530e43116a38172a85911c7N.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice5280.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice5280.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b4644IR.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b4644IR.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c14GX67.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c14GX67.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 10884⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\doGQo14.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\doGQo14.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1944 -ip 19441⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
308KB
MD50738589e558063c99bb4f6c8ba3f0728
SHA14feb70bf06264e7cc59d4906449dd1d0bc494d55
SHA25606edea7f4ed5045825b7ec37298db0e3e73fc13c58688ff817f8e2d97342ddaf
SHA512b2403cb3859af3975b2176931c998c3a8ba4e6df7e1f5da8d3619ffc97422ff8489be53c632fde43ec31f0cb30945f0e24c460e4da1404bec54c49b13c8aac53
-
Filesize
334KB
MD51406a59f04747d2cf54280695ca1353b
SHA12e2c2520a2088886e1f8b94db1ff6dad144d972e
SHA256d62c63c29dd7fcb6464e9f2b91feb117b25e03a88ac058f6b6b44a31bc8d197f
SHA5129853a37428685e5ad6ce2500ff2bc9ff02f267af6dfe97db179525cf9f6275c7be3e4782b2384a69f8665cde7d49147b5e2cc5114d8d4e6d5b61516f1ff4ba06
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
251KB
MD510c1300db1f5414b855bd0e8a27d3698
SHA16b1b47e589f6aa7be627567b5595ac414f30b495
SHA256293333085ae37904a599690d6195302bc26d0cb51548509492cd3d7f43e5f14c
SHA512948bf9f91ea8b696f1bdfff2f434cd9bb568c2212ce94dce4665d93f12aca8a88c90835489f1b123a160ae91c6762af206afde7f3ce3e8d321bbd3bcbef19996
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
304KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
280KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
272KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
96KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
764KB
-
Filesize
5.6MB
-
Filesize
104KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
764KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
40KB