Analysis
-
max time kernel
113s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
18/11/2024, 10:30
General
-
Target
5fb543090ef9f35755eb46f0a7ef6086cc4d6f9a6664462255272d8c0c1e5b2bN.exe
-
Size
989KB
-
MD5
b1fc96a847e1d1e7537609c37fbba240
-
SHA1
d55da593a5ff24ed4710b47f906233f75bab2dee
-
SHA256
5fb543090ef9f35755eb46f0a7ef6086cc4d6f9a6664462255272d8c0c1e5b2b
-
SHA512
49ed7a5206ac62727c09fc9b58aad82e7438143f0ba7c81d6fe7b3b271cf9155e9c2f34f409ccea0be8f08d6d608ab17cd339a6a541d4aed4e76ed05971403bd
-
SSDEEP
24576:2yKSRwuwJTL71eEN5nTnG94oWK+J9/Vbr/:FULTL71lnTGyoql
Malware Config
Signatures
-
Detects Healer an antivirus disabler dropper 19 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
-
Redline family
-
Executes dropped EXE 5 IoCs
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5fb543090ef9f35755eb46f0a7ef6086cc4d6f9a6664462255272d8c0c1e5b2bN.exe"C:\Users\Admin\AppData\Local\Temp\5fb543090ef9f35755eb46f0a7ef6086cc4d6f9a6664462255272d8c0c1e5b2bN.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki818374.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki818374.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki341028.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki341028.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\az484419.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\az484419.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bu928187.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bu928187.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 10845⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\co200969.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\co200969.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3644 -ip 36441⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
806KB
MD5440c9bdf236a0a37785acecd86717973
SHA1049b0435b8e7b7610112c7765d6412cc275a9a17
SHA256672224f875a17a9d76e9023c9a8b63faf27f18d649cff0075115d6c145c8cc4f
SHA512cf061c1a0fa7984bc12ff29bdac96ffec784480ef8696a2f2acc88ad9ff509b2172f5b428a5d73ff87fa085b83d9f4463055f1b20fa77c96a026252df82c12be
-
Filesize
486KB
MD5daa8335e0a1a43a88027f1fd217351a3
SHA1d5163b4a6a230786402894fd3c1a5bab32c56fd6
SHA25637e7fe41056982564274bd548a773ed29f2e48881764085d18b7f2bed32c725b
SHA512688488953a44d5d28c50457818fbac7fb5c45129aeb5fd233d07c947b4e1e0a240ec182b9b57069513c9539ff1a497e6ad054c70b564788fe21eddcbec012b52
-
Filesize
388KB
MD59aaeafc8e44ae06f4c209683070a81b0
SHA14a343c159aee8d8e008d2f362fb112f2cfa0dd6c
SHA256e59ec01a89f115e6d56641362516a6cb06bf7ae8ebf1a70982eec481a2e2b9fe
SHA512f981906d83e9c0f920fabbd0d8c0291029840e74527f2ee8d879a8955b7227746bc49884b7058ca25727c7fa708d58b8ce74e9a13347f2aea1364f5a2e00288e
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
403KB
MD5078f36d020e9f78ec99b21d541f5b829
SHA130e6e27346488ae2518269844d4c402773af2fe0
SHA256572330468b890c4ceb908fa76f502ba5aded8d20b35c8984c174682baee49833
SHA5123aa36c701fc11d64d51b8a091ddd02fde538962d3282c520d3cb94105b1fa83c6c07abe5233800368f9ae4c1264b642c246d750b9d9bbac9d5b532280957fbae
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
4.0MB
-
Filesize
96KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
5.6MB
-
Filesize
4.0MB
-
Filesize
104KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
240KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
232KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
6.1MB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
240KB
-
Filesize
304KB