Overview

overview

10

Static

static

3

de86e76777...54.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2024 13:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    de86e76777384c674dde285bee762e2447a2d8c146c4cf2d0d9da6b52ba11f54.exe

  • Size

    661KB

  • MD5

    b3a5f3db24179e48a4fbb5a8a1ac6886

  • SHA1

    473617d11536477123887143f9e78eb546d5eb8a

  • SHA256

    de86e76777384c674dde285bee762e2447a2d8c146c4cf2d0d9da6b52ba11f54

  • SHA512

    091cef15cd35572b388456421b909b713a30eaa16e642b5c9ec87b3c22b5677cf9aded4fb18834cff5d10ffefc6f795f41bbfe326b4f111c75449386731a27c0

  • SSDEEP

    12288:PMrYy90PkSVfSg7kY/lQ/xfv7a2FeQ2UbMf4tochzdxPJsOQPAfUX:byGVfOxLa2Fh2xfVGdxP+tE6

Score
10/10
healerredlinedoztnormdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

dozt

C2

77.91.124.145:4125

Attributes
  • auth_value

    857bdfe4fa14711025859d89f18b32cb

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de86e76777384c674dde285bee762e2447a2d8c146c4cf2d0d9da6b52ba11f54.exe
    "C:\Users\Admin\AppData\Local\Temp\de86e76777384c674dde285bee762e2447a2d8c146c4cf2d0d9da6b52ba11f54.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1424
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziST7167.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziST7167.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr062999.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr062999.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4576
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku464383.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku464383.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2544
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3488
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 1368
          4⤵
          • Program crash
          PID:396
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr268665.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr268665.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5228
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2544 -ip 2544
    1⤵
      PID:1120
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start wuauserv
      1⤵
      • Launches sc.exe
      PID:1592

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr268665.exe
      Filesize

      169KB

      MD5

      1777d3df3294c657a20224352276a249

      SHA1

      0d690ce67ad762615aa260dd63046897ad076381

      SHA256

      2dfb9a465c5c181221a32dafdd02995a95aab5942ea5a0cbc95267d3d8048cdf

      SHA512

      b3cfe5f84f7dedb832ef74b897ae5338235e1eaa147f144b47a5a08f1dea96d1162e98b85e3c2dd066129c86edeb19ad176888ceefe357a13a16195a82ffc7c9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziST7167.exe
      Filesize

      507KB

      MD5

      996419514e7cfb287e995d66e0672c43

      SHA1

      5869124eec4b1dc688ceb3d937b1504d3eb7fcfa

      SHA256

      c7b1082657be0216422b02f97d11a2d3af1b194f312e61b35f2918ac62a91d6c

      SHA512

      e9f71240f3ee6bf95cd58dd2bf3c70c0b08d86143ea8424f4bdb22b146dc65a35558809b8dbbb203be08f5fbdb52951655a75b43deed6877c3ef70e1b6227efa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr062999.exe
      Filesize

      13KB

      MD5

      747d45fe3c7150b97a38f7253511fe06

      SHA1

      c7f7d9462aacfab4f29dde304aea69d8b0da01b6

      SHA256

      e434e472c43b9c4831aa041a476c3446fff98730a0b77170ef485a826ba0957f

      SHA512

      4190ad381d983a1a0fb4db0dec1e2bbb2d106c61ce4c394a04f5ce748371fdf6413016baa06e0f5e02dbc048fbd59e0cac1a13d55fae1e6ae142580b63f4c1a8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku464383.exe
      Filesize

      426KB

      MD5

      c9a6d2e08b02d5d6818d58177797d3b2

      SHA1

      9975067688f00f18472eb120c0ec3aba26e62021

      SHA256

      d3d5ab21e16222825322072aa582770323ad8566c1d47cb7c435d4ad99176e54

      SHA512

      5cf9b47ebaf7b3501952544c319936f5ee406511d7428621ddfd5f455a8410f128b0e13c03a64758e2aaed62cc7107747d617fbb0c56e795d604c52f3d8ea943

      Download Submit

    • C:\Windows\Temp\1.exe
      Filesize

      168KB

      MD5

      1073b2e7f778788852d3f7bb79929882

      SHA1

      7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

      SHA256

      c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

      SHA512

      90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

      Download Submit

    • memory/2544-50-0x00000000027B0000-0x000000000280F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2544-84-0x00000000027B0000-0x000000000280F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2544-24-0x00000000027B0000-0x0000000002816000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2544-82-0x00000000027B0000-0x000000000280F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2544-88-0x00000000027B0000-0x000000000280F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2544-86-0x00000000027B0000-0x000000000280F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2544-38-0x00000000027B0000-0x000000000280F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2544-80-0x00000000027B0000-0x000000000280F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2544-78-0x00000000027B0000-0x000000000280F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2544-76-0x00000000027B0000-0x000000000280F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2544-75-0x00000000027B0000-0x000000000280F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2544-36-0x00000000027B0000-0x000000000280F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2544-70-0x00000000027B0000-0x000000000280F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2544-68-0x00000000027B0000-0x000000000280F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2544-66-0x00000000027B0000-0x000000000280F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2544-64-0x00000000027B0000-0x000000000280F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2544-60-0x00000000027B0000-0x000000000280F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2544-58-0x00000000027B0000-0x000000000280F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2544-56-0x00000000027B0000-0x000000000280F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2544-54-0x00000000027B0000-0x000000000280F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2544-40-0x00000000027B0000-0x000000000280F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2544-22-0x0000000004D60000-0x0000000004DC6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2544-46-0x00000000027B0000-0x000000000280F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2544-44-0x00000000027B0000-0x000000000280F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2544-52-0x00000000027B0000-0x000000000280F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2544-23-0x0000000004E10000-0x00000000053B4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2544-72-0x00000000027B0000-0x000000000280F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2544-32-0x00000000027B0000-0x000000000280F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2544-30-0x00000000027B0000-0x000000000280F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2544-26-0x00000000027B0000-0x000000000280F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2544-62-0x00000000027B0000-0x000000000280F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2544-48-0x00000000027B0000-0x000000000280F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2544-42-0x00000000027B0000-0x000000000280F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2544-34-0x00000000027B0000-0x000000000280F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2544-28-0x00000000027B0000-0x000000000280F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2544-25-0x00000000027B0000-0x000000000280F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2544-2105-0x0000000005550000-0x0000000005582000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3488-2118-0x0000000000E60000-0x0000000000E90000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3488-2119-0x00000000030B0000-0x00000000030B6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3488-2120-0x0000000005DC0000-0x00000000063D8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3488-2121-0x00000000058B0000-0x00000000059BA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3488-2122-0x00000000057E0000-0x00000000057F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3488-2123-0x0000000005840000-0x000000000587C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3488-2124-0x00000000059C0000-0x0000000005A0C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4576-14-0x00007FFD41343000-0x00007FFD41345000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4576-15-0x00000000002F0000-0x00000000002FA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4576-16-0x00007FFD41343000-0x00007FFD41345000-memory.dmp

      Filesize

      8KB

      Download

    • memory/5228-2129-0x0000000000140000-0x0000000000170000-memory.dmp

      Filesize

      192KB

      Download

    • memory/5228-2130-0x00000000022B0000-0x00000000022B6000-memory.dmp

      Filesize

      24KB

      Download