Analysis
-
max time kernel
143s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20250207-en -
resource tags
-
submitted
11/02/2025, 09:43
General
-
Target
d8e320833e90898006afdfcbf2f0ea784d3815edb432b386a5f55c446bbb2017.exe
-
Size
666KB
-
MD5
ed3ae97c0d40bc20e202366da3265d8b
-
SHA1
9dfe95c90d89d38fdb2b169ba4b9afbbe163cdeb
-
SHA256
d8e320833e90898006afdfcbf2f0ea784d3815edb432b386a5f55c446bbb2017
-
SHA512
f15567e96bdc1d4c83412a61b6ea641158d6b15166e08db3bd1343c8d12842f15d799205770ed7d2e45e3314bee33f733b046670e988dfad3eb261c58f0125b8
-
SSDEEP
12288:+MrYy90hol7B+b5rKWBpZRy5JeiKVIk8IxOAeKjGQoqBi1yyiOmKFM:+ysUsdrKWB1y/k8wOW6QDg+OxM
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 19 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 2 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
Modifies Windows Defender TamperProtection settings 3 TTPs 2 IoCs
-
Modifies Windows Defender notification settings 3 TTPs 4 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
-
Redline family
-
Downloads MZ/PE file 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d8e320833e90898006afdfcbf2f0ea784d3815edb432b386a5f55c446bbb2017.exe"C:\Users\Admin\AppData\Local\Temp\d8e320833e90898006afdfcbf2f0ea784d3815edb432b386a5f55c446bbb2017.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina6085.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina6085.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu104248.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu104248.exe3⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender TamperProtection settings
- Modifies Windows Defender notification settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cor0864.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cor0864.exe3⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender TamperProtection settings
- Modifies Windows Defender notification settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 10764⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dMW83s71.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dMW83s71.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1844 -ip 18441⤵
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NDhEODlFMDktODE1OS00MDFDLTk4RjUtMTcwNDUwMUU2RjM1fSIgdXNlcmlkPSJ7QkE0N0NENTctMjU0Ni00RDk3LUFBRDEtMEU4OTFDNjBCRTU0fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RDlFRDdCMDYtMkY1Ny00MzNCLTg1NUItRTMxMTkwODRFOTUwfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIzIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4MzAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTE0Njg3NjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDYzMTI3OTgwIi8-PC9hcHA-PC9yZXF1ZXN0Pg1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
4Windows Service
4Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
4Windows Service
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
354KB
MD52fece8d0426822f9dc1b5b57cf5b602b
SHA16f576923eab42aa7b06dbe587e7159229b3f688f
SHA256c52bab48dfb7adc7c9eda8bc447bb6fa372f740732a2fc14443ccb7dd864b909
SHA5128364413df53969225c115576f624d084e469e5d28e9fa26729b8e72b4712ce80bfb50854aadc395c2cb5b1e280000391cd4d41016abc35352e8e7e76414fa8d4
-
Filesize
329KB
MD54c2063d6c939c8198cd97e33de24a54f
SHA1b5fb1a898bc07255c23cbc1374510b9094db7490
SHA256915149676cab2c5dd3b570f4c5b2988e6561393c6b6989d2203e5a4e7a6d85ad
SHA512c84001f555a6b5b45f7d2702d78d8b57515323dd684eb96b9041164ed793b9d76b65fc0e97945d796a6ae551963b7d32ebcc1a91abacb057fa9014b26aaefed7
-
Filesize
11KB
MD5bee9a4e20eb95147a40258a778f60e82
SHA1b2671da8c58e8056ec60776b02e5a37e1f326c2c
SHA256b7f87429788383858c37a079c197b43224909c60ca650f68c1796a6101a7a52e
SHA512dd0513d99459bcfe9a49d4a02e1af05f1594490dda9bdd269cefa5a2e299fa3a968cdd5aafc4a1b1a109fa8e64a16b0782557b20d46e2d4f930b5c327f75c298
-
Filesize
295KB
MD5d77d78a8721395888211772d09fe1a47
SHA1f139826e5481db735a02e6e1e624f2781db8d0fe
SHA256020a9562d40b8d96dc098be96f0f0fa5d324605b7afcea9a3c2eacb9a8840019
SHA512d6e5d14fe17395cbccde74cb75d45ea77e40d8bf21929dba9e990763e93fa9f5eda142d95fbea42a2d29a61ce30ec02414b3140074f0441651a25535a4a29cd1
-
Filesize
104KB
-
Filesize
5.6MB
-
Filesize
96KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
39.5MB
-
Filesize
39.5MB
-
Filesize
280KB
-
Filesize
272KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
8KB