Overview

overview

10

Static

static

3

2ea82aa11e...00.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2024 22:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2ea82aa11e5c7afd62ac9bf60f8394cca21f2f9c3f377c7516973e62df5c9700.exe

  • Size

    652KB

  • MD5

    e7b355910e50296934e9baf7a3fa88e4

  • SHA1

    ea9d25a849b8dc626cdae7d6b95e13104aee69fc

  • SHA256

    2ea82aa11e5c7afd62ac9bf60f8394cca21f2f9c3f377c7516973e62df5c9700

  • SHA512

    8a5a36427257e26e66453631a27bde0db6da0e13f5ae0a7017466335f29dc2d69de9783251e39c2725800770cc10a436fe52d7551d0553a80863c1430b82df6c

  • SSDEEP

    12288:NMrFy90dNaTUHP/gOMJCo0T9eO+ikry9P9GnV2pKGjDG:EyKNGUv/gRuJPImKGji

Score
10/10
healerredlinedizanormdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

C2

77.91.124.145:4125

Attributes
  • auth_value

    bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ea82aa11e5c7afd62ac9bf60f8394cca21f2f9c3f377c7516973e62df5c9700.exe
    "C:\Users\Admin\AppData\Local\Temp\2ea82aa11e5c7afd62ac9bf60f8394cca21f2f9c3f377c7516973e62df5c9700.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1060
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSn4004.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSn4004.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4680
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr622754.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr622754.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4820
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku641027.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku641027.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1152
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1392
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 1524
          4⤵
          • Program crash
          PID:5676
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr683883.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr683883.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5544
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1152 -ip 1152
    1⤵
      PID:5640

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr683883.exe
      Filesize

      169KB

      MD5

      2ea2403f637b470e01362bce59d05b74

      SHA1

      ee963618a3059b2924b4128574ae6d8f7f88d43c

      SHA256

      9a3d3e267d401cc2b6a664ec31343c6cfccd90c91e62369853ad5bb2eec9874b

      SHA512

      a2a5b9e1ad30f139c9353e1986bbc81711955e7e141ec394c1530fa9f7d9d1d78cfaab49528c631108a0ddbefcd62f024fa698b989d69926ab41b2a86cb8aff1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSn4004.exe
      Filesize

      498KB

      MD5

      1b115d5c90c28aace9b947413bf6b88a

      SHA1

      74edf1e97e273bdc40be640eb038b1e9427b00fc

      SHA256

      e9ef50a04cdf3bacb491c07a4c77e8ba3357f22b3810c4a1f1fba9f6d81f7d8c

      SHA512

      afe5fda4e2a28a31b02cbcffc7f8fe820b95e5403df233088363d48c134584a192ccb5bbdfbde7b7e4a1e9e54154aeab11184da2ae413d06619afc66d6c50994

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr622754.exe
      Filesize

      12KB

      MD5

      ce5dd3ab7bf3c6d191ff815978cee380

      SHA1

      8d1f63bc499993c9fe487fd389fb1c681fad58d6

      SHA256

      c720d5e8cdd32055634b13eb7fa388e8815e105c043f6366e5f9a19b74e87777

      SHA512

      530116704b2a0d6d8d0741c856676a4720c254d39758201a051d59c5ab7f0535f5951f80fbbc1f015867faaa9da30fbde8240ed97f4a080de1f841bc7ef576fd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku641027.exe
      Filesize

      417KB

      MD5

      75151f385d0c7d9a9de98c88a587055c

      SHA1

      2f49a5e7029746c665fb90d57dbf0ab4d0dc2300

      SHA256

      f58c4fb5b36dad34403bb3c05a510d90a203ae09fe06f64d6a9f2f35d9544d44

      SHA512

      0f86009f48d3d70a3cc8ed7dab345fa1bef7bbb207cbb83a46dc81d2fe38c82e1b3a861a459d953e4a09aa22e0ff94422c03724173c8c7e86560467e16949d3a

      Download Submit

    • C:\Windows\Temp\1.exe
      Filesize

      168KB

      MD5

      1073b2e7f778788852d3f7bb79929882

      SHA1

      7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

      SHA256

      c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

      SHA512

      90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

      Download Submit

    • memory/1152-52-0x0000000005240000-0x000000000529F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1152-86-0x0000000005240000-0x000000000529F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1152-24-0x0000000005240000-0x00000000052A6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1152-34-0x0000000005240000-0x000000000529F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1152-82-0x0000000005240000-0x000000000529F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1152-88-0x0000000005240000-0x000000000529F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1152-44-0x0000000005240000-0x000000000529F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1152-84-0x0000000005240000-0x000000000529F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1152-80-0x0000000005240000-0x000000000529F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1152-78-0x0000000005240000-0x000000000529F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1152-76-0x0000000005240000-0x000000000529F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1152-42-0x0000000005240000-0x000000000529F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1152-72-0x0000000005240000-0x000000000529F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1152-70-0x0000000005240000-0x000000000529F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1152-68-0x0000000005240000-0x000000000529F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1152-66-0x0000000005240000-0x000000000529F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1152-64-0x0000000005240000-0x000000000529F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1152-62-0x0000000005240000-0x000000000529F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1152-60-0x0000000005240000-0x000000000529F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1152-58-0x0000000005240000-0x000000000529F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1152-46-0x0000000005240000-0x000000000529F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1152-22-0x0000000004BC0000-0x0000000004C26000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1152-50-0x0000000005240000-0x000000000529F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1152-48-0x0000000005240000-0x000000000529F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1152-56-0x0000000005240000-0x000000000529F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1152-23-0x0000000004C90000-0x0000000005234000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1152-74-0x0000000005240000-0x000000000529F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1152-40-0x0000000005240000-0x000000000529F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1152-38-0x0000000005240000-0x000000000529F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1152-36-0x0000000005240000-0x000000000529F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1152-32-0x0000000005240000-0x000000000529F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1152-30-0x0000000005240000-0x000000000529F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1152-54-0x0000000005240000-0x000000000529F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1152-28-0x0000000005240000-0x000000000529F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1152-26-0x0000000005240000-0x000000000529F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1152-25-0x0000000005240000-0x000000000529F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1152-2105-0x0000000005410000-0x0000000005442000-memory.dmp

      Filesize

      200KB

      Download

    • memory/1392-2118-0x00000000007C0000-0x00000000007F0000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1392-2119-0x0000000002A40000-0x0000000002A46000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1392-2120-0x0000000005780000-0x0000000005D98000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1392-2121-0x0000000005270000-0x000000000537A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1392-2122-0x0000000005020000-0x0000000005032000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1392-2123-0x00000000051A0000-0x00000000051DC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1392-2124-0x00000000051E0000-0x000000000522C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4820-14-0x00007FF917E63000-0x00007FF917E65000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4820-15-0x00000000000C0000-0x00000000000CA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4820-16-0x00007FF917E63000-0x00007FF917E65000-memory.dmp

      Filesize

      8KB

      Download

    • memory/5544-2129-0x0000000000A70000-0x0000000000A9E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/5544-2130-0x0000000001160000-0x0000000001166000-memory.dmp

      Filesize

      24KB

      Download