Overview

overview

10

Static

static

3

c52d2523c4...5e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-09-2024 01:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c52d2523c4d8fa5e1812fa3a324c2c47c1309830b0de0bfa27c81d12735f1f5e.exe

  • Size

    706KB

  • MD5

    ab7c0a364c6a9696d4c773b239632261

  • SHA1

    00c2538c5a987d078aeac467a8e4bd01017c2d0a

  • SHA256

    c52d2523c4d8fa5e1812fa3a324c2c47c1309830b0de0bfa27c81d12735f1f5e

  • SHA512

    d5c7662d928bef7445bef0418e653bc3be1b4ef551d17ed34031b9e7a6be39e4f457e2829778403a80c80f56878644ba33cf37c21422405114e33b4c60bb06b2

  • SSDEEP

    12288:/MrIy90Lh2n1/7XAbu1gOprUqPKKWx5dS1+jrF9gx5DUnbSDqYOgxjTasYINLG:Hyrn1/7wbHOBzydjSYjHgx5DUnGzTx3S

Score
10/10
healerredlinejokesdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

jokes

C2

77.91.124.82:19071

Attributes
  • auth_value

    fb7b36b70ae30fb2b72f789037350cdb

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c52d2523c4d8fa5e1812fa3a324c2c47c1309830b0de0bfa27c81d12735f1f5e.exe
    "C:\Users\Admin\AppData\Local\Temp\c52d2523c4d8fa5e1812fa3a324c2c47c1309830b0de0bfa27c81d12735f1f5e.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0445814.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0445814.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1376
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3674997.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3674997.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3340
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4993876.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4993876.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1552
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4664
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 556
            5⤵
            • Program crash
            PID:1624
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2665851.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2665851.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3276
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1552 -ip 1552
    1⤵
      PID:1356

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0445814.exe
      Filesize

      461KB

      MD5

      c883f1794c26a640e7783945cf9a70dc

      SHA1

      14947c49dec62bf7327686c4ac087575c8ef4c9c

      SHA256

      69c0c74540a2570612b2eada0206ffc1fcd15497f442af1052a23089784116e9

      SHA512

      7a0561d41973670cb5757398f13f9b43a67b580e6f5aabe91983dc19810b3b71f893e5e15f92ad0db2b97cde65ff5646ac89ecf11a542be7a0f913148bc82fd1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3674997.exe
      Filesize

      295KB

      MD5

      34fba452172a3c3a08014ddc3484c3de

      SHA1

      9943da1b5187826a544098f316b7fb00c841a27e

      SHA256

      9ba1e4660ee0dda0b84c2077255ad7a8c89ef86a7d21c0266aa7b687573cef0c

      SHA512

      b213f0a26ca89ddd24561a03c0d6666d091ba4b7aa2f6d949abba4273f396c3a3c9724a7f4e9a55ee0eb3a6a961aaa20af6df5b36caecb27f0321a898f3637b6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4993876.exe
      Filesize

      190KB

      MD5

      0c669a789359ac3d23e87bc5b5d59f0d

      SHA1

      37e376c8dfae4aaa9f0d6d88ff761b7cde905a27

      SHA256

      6c8544ba231d33218273548e6f1765fdd9308e6e5c44ef21b8d908f204e9a416

      SHA512

      1698424393e6c1af17f5bc9e2cbc5ccec82e5a9ed1118a51527a8f2b662e8d7d356e0e0125846c5c0464df72ed02c73d5556d9d859b7d9812f2ebe420e89d8c9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2665851.exe
      Filesize

      174KB

      MD5

      4635233db0644c10d38844281931bd18

      SHA1

      d3f57625536422c96564abc7337f133c81eee7ce

      SHA256

      ddfb26ceb548d7fe801c0778ec21dd467202539586d69d1436d4b34e119d4cae

      SHA512

      d2fd45fef06b74a5d070c9925197bbd236ea4a09fff2f1347a09a3a572a398c8429c9d7fe2740b5252a429f6dfd2facf8c5db1c4bda59da928fe06e4d4bdb1f8

      Download Submit

    • memory/3276-25-0x00000000004F0000-0x0000000000520000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3276-26-0x0000000002650000-0x0000000002656000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3276-27-0x00000000054F0000-0x0000000005B08000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3276-28-0x0000000004FE0000-0x00000000050EA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3276-29-0x0000000004D70000-0x0000000004D82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3276-30-0x0000000004F10000-0x0000000004F4C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3276-31-0x0000000004F50000-0x0000000004F9C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4664-21-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download