Overview

overview

10

Static

static

3

e0b21eefad...3a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2024 13:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e0b21eefad3f851aa5606f0708635ab77927be1241b903d3805fd5228431ba3a.exe

  • Size

    802KB

  • MD5

    ab2a283683a429aca82295e7deba806e

  • SHA1

    16557dd7d2fb15f5e2e10753601a806b99fd6dcc

  • SHA256

    e0b21eefad3f851aa5606f0708635ab77927be1241b903d3805fd5228431ba3a

  • SHA512

    34039fb7493bd9833da5ee23a073e0c43e47ceca5fcd525f2f06f1e1a7971483064f9277bf3d6b872c59f559630f91a77ae29b4556c5c7591593a366f031aaae

  • SSDEEP

    24576:fyR2bagt1EmfeXZ8jBv0f262Pu/49MLmG:qR2bdt1yXujBWaSLm

Score
10/10
healerredlinedizanormdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

C2

77.91.124.145:4125

Attributes
  • auth_value

    bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e0b21eefad3f851aa5606f0708635ab77927be1241b903d3805fd5228431ba3a.exe
    "C:\Users\Admin\AppData\Local\Temp\e0b21eefad3f851aa5606f0708635ab77927be1241b903d3805fd5228431ba3a.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1864
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un875415.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un875415.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1376
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3962.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3962.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:380
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 1080
          4⤵
          • Program crash
          PID:3128
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3401.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3401.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4072
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4816
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 1180
          4⤵
          • Program crash
          PID:1588
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si349928.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si349928.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5112
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 380 -ip 380
    1⤵
      PID:1480
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4072 -ip 4072
      1⤵
        PID:1004

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si349928.exe
        Filesize

        168KB

        MD5

        0980dc62d57dd075e1f8006ade74233a

        SHA1

        eb8f0efe1c89df2176a2b73448f9ccf31f7b3eea

        SHA256

        1e0be870a12fc19b9f0c81b0bbf7c83332a4eb147c273d81ecfcff355adaa3c2

        SHA512

        b1e82a6973886f472785cfd4b9d0e7703c18b6155213a517eafaa165767b437b3079068b6ced5c5f87abca9f747bf086547827256b9accf53ff8060dad1f3780

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un875415.exe
        Filesize

        648KB

        MD5

        0e1782138a0f0ca750f7e7b14fc78fb7

        SHA1

        78aa05c62c88d05f1a9b4af542e3277fcfe444cd

        SHA256

        c030e8ebc12a197bfa0525f603c2a0e72c16c5c9697571e96e844df18fefacc2

        SHA512

        4e9f0d4a102a605343cd4443ec08d92e0e298e21e3204ea21a89ac0e9edf244129bf5a728fa8fc941366467109accac39bc4479491fdc08bdce7cc55bdfee450

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3962.exe
        Filesize

        252KB

        MD5

        155a50944f34871453dba6caef349d41

        SHA1

        75ee5cd6fc5cf71d586d17746cf2d35e5c838476

        SHA256

        02ccff40f0f109c056afef9876c751ad7db52d775afa09d902f9e6a82be3f16d

        SHA512

        0e9302bd31db41d2b0dc2f2e031fcddc726e148bbb0ffb8794e80affc198c04104c018276553104de43de469918a9a734fbd7d0446163ae803e149f5493cae3c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3401.exe
        Filesize

        435KB

        MD5

        120e9a1d914d5277bfbb475e9ebbebf8

        SHA1

        5fd1350a5c3d76f0d241801471402807fc5f8b43

        SHA256

        7187429f6bed15930ee8c29f714693a7291349be8d2aff881c8337fc28b748fa

        SHA512

        e98b24e949e8684b2555672fac46c33cad328b823ba089b0ce091282ee4002b22d028e59b8f850d54876a5f7896f241e9b4bea66433db94cc7aef3de62af1258

        Download Submit

      • C:\Windows\Temp\1.exe
        Filesize

        168KB

        MD5

        1073b2e7f778788852d3f7bb79929882

        SHA1

        7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

        SHA256

        c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

        SHA512

        90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

        Download Submit

      • memory/380-16-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/380-15-0x0000000000550000-0x0000000000650000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/380-17-0x0000000000400000-0x00000000004AD000-memory.dmp

        Filesize

        692KB

        Download

      • memory/380-18-0x0000000000400000-0x00000000004AD000-memory.dmp

        Filesize

        692KB

        Download

      • memory/380-19-0x00000000022C0000-0x00000000022DA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/380-20-0x0000000004BD0000-0x0000000005174000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/380-21-0x0000000004B80000-0x0000000004B98000-memory.dmp

        Filesize

        96KB

        Download

      • memory/380-49-0x0000000004B80000-0x0000000004B92000-memory.dmp

        Filesize

        72KB

        Download

      • memory/380-48-0x0000000004B80000-0x0000000004B92000-memory.dmp

        Filesize

        72KB

        Download

      • memory/380-45-0x0000000004B80000-0x0000000004B92000-memory.dmp

        Filesize

        72KB

        Download

      • memory/380-43-0x0000000004B80000-0x0000000004B92000-memory.dmp

        Filesize

        72KB

        Download

      • memory/380-41-0x0000000004B80000-0x0000000004B92000-memory.dmp

        Filesize

        72KB

        Download

      • memory/380-37-0x0000000004B80000-0x0000000004B92000-memory.dmp

        Filesize

        72KB

        Download

      • memory/380-36-0x0000000004B80000-0x0000000004B92000-memory.dmp

        Filesize

        72KB

        Download

      • memory/380-33-0x0000000004B80000-0x0000000004B92000-memory.dmp

        Filesize

        72KB

        Download

      • memory/380-32-0x0000000004B80000-0x0000000004B92000-memory.dmp

        Filesize

        72KB

        Download

      • memory/380-29-0x0000000004B80000-0x0000000004B92000-memory.dmp

        Filesize

        72KB

        Download

      • memory/380-27-0x0000000004B80000-0x0000000004B92000-memory.dmp

        Filesize

        72KB

        Download

      • memory/380-25-0x0000000004B80000-0x0000000004B92000-memory.dmp

        Filesize

        72KB

        Download

      • memory/380-23-0x0000000004B80000-0x0000000004B92000-memory.dmp

        Filesize

        72KB

        Download

      • memory/380-39-0x0000000004B80000-0x0000000004B92000-memory.dmp

        Filesize

        72KB

        Download

      • memory/380-22-0x0000000004B80000-0x0000000004B92000-memory.dmp

        Filesize

        72KB

        Download

      • memory/380-50-0x0000000000550000-0x0000000000650000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/380-51-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/380-54-0x0000000000400000-0x00000000004AD000-memory.dmp

        Filesize

        692KB

        Download

      • memory/380-55-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/4072-60-0x0000000002500000-0x0000000002566000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4072-61-0x0000000005240000-0x00000000052A6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4072-62-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4072-95-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4072-94-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4072-91-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4072-90-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4072-87-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4072-86-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4072-83-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4072-82-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4072-79-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4072-78-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4072-75-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4072-74-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4072-71-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4072-69-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4072-67-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4072-65-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4072-63-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4072-2142-0x0000000005410000-0x0000000005442000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4816-2155-0x0000000000190000-0x00000000001C0000-memory.dmp

        Filesize

        192KB

        Download

      • memory/4816-2156-0x0000000006E40000-0x0000000006E46000-memory.dmp

        Filesize

        24KB

        Download

      • memory/4816-2157-0x00000000050E0000-0x00000000056F8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/4816-2159-0x0000000004B00000-0x0000000004B12000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4816-2158-0x0000000004BD0000-0x0000000004CDA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/4816-2160-0x0000000004B60000-0x0000000004B9C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/4816-2161-0x0000000004CE0000-0x0000000004D2C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/5112-2166-0x0000000000E20000-0x0000000000E4E000-memory.dmp

        Filesize

        184KB

        Download

      • memory/5112-2167-0x0000000002FD0000-0x0000000002FD6000-memory.dmp

        Filesize

        24KB

        Download