Analysis
-
max time kernel
112s -
max time network
118s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
13-11-2024 04:58
General
-
Target
23547efe8bffd9f0d9b1baab4d9fa4f9c615be1f3b3223f45fa1cbfa6e997335.exe
-
Size
644KB
-
MD5
7166dc838dc38ed47eecd53c920ad9e6
-
SHA1
4435c3ab3743604cb21576ae062f6f8955b09e09
-
SHA256
23547efe8bffd9f0d9b1baab4d9fa4f9c615be1f3b3223f45fa1cbfa6e997335
-
SHA512
273b1ab2373bb93442e83013118b0a6ece84b248fb4cff964aabd6488cc0d3689689e8a1bba0472ed444930d5e225fd8fbe4407d69c0aab7779d2c376b07c310
-
SSDEEP
12288:SMrBy90NNQnu+qHggW6Wl6ESPamUK/ZUpdvlLOgUTMEEO4l:ry1nufTWO6mUK/ZmLOdEO4l
Malware Config
Extracted
redline
mango
193.233.20.28:4125
-
auth_value
ecf79d7f5227d998a3501c972d915d23
Signatures
-
Detects Healer an antivirus disabler dropper 19 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
-
Redline family
-
Executes dropped EXE 4 IoCs
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\23547efe8bffd9f0d9b1baab4d9fa4f9c615be1f3b3223f45fa1cbfa6e997335.exe"C:\Users\Admin\AppData\Local\Temp\23547efe8bffd9f0d9b1baab4d9fa4f9c615be1f3b3223f45fa1cbfa6e997335.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice1909.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice1909.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2564Sp.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2564Sp.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c84Yb20.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c84Yb20.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 10804⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dMxPs63.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dMxPs63.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5104 -ip 51041⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
296KB
MD55d0933bbed890a1fdf4d8a88b5b893a4
SHA14a356bbb2e79443a166dcb32487de0b5dc4bdf16
SHA256c4d558f0c35836f09ddf522ce0e7d435d1ab0695cfe779fbc2157e2353c63d4c
SHA5127da5d6d7af47765e88a9b6572573ae992772943e988f7d22ef77705b19384b96d76e56cb0a90c7fc45395958955c83c7a2fc786fb76bab3b0d69501b904177c5
-
Filesize
322KB
MD5769274192aaf92d0912dc336ba969eec
SHA1eee5f2c3a64270c377ca1d6ad5ba6a4502aafe50
SHA2568bb8034504b3c95357373c660447d32c6e583b4fe64b4061ef07150687140938
SHA512f6d2924eb3a6a6e540649bbb0a0099166d06e899b5feb205760c5a2faf653eb60b35095791be8058c585d04ec1931c827b5459eccaa6d7b2a1bc2b7379dbcbd6
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
239KB
MD5172f0abd0d0f0a38325054107860e303
SHA1be0555b6e5ecf512c8a14cefca5c53d50725304b
SHA25665f45a919b839db7b0f16c26ee43f6ea29798c2afe4e16935f9faf5dff50cb49
SHA51203baec5c6f0f3d55d6c14d1af7f62cb0b8f63e57b877fc62d33781ef06e1ea35b4c794f9d5c5fb3e6cc6879d9b9f40d125e5effc4920a8e7b334864fdfaf639d
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
240KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
72KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
304KB
-
Filesize
280KB
-
Filesize
272KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
72KB
-
Filesize
752KB
-
Filesize
752KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
96KB
-
Filesize
5.6MB
-
Filesize
104KB