Overview

overview

10

Static

static

3

23c73fecff...48.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2024 15:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    23c73fecfffcafb75e8612e004ab926769e26a5f168249e52f2664136f415148.exe

  • Size

    661KB

  • MD5

    8ee02a031afd1591d0fad1f040774627

  • SHA1

    82759a129c9ff860fc8d2a7ea7756572ec4e5f6d

  • SHA256

    23c73fecfffcafb75e8612e004ab926769e26a5f168249e52f2664136f415148

  • SHA512

    66333f424ad4f9219c43aa7517bfb22b58ca107ae0f0e44e077dde038b1f7345ef1a37e6dc6108616cf89399ae59154be228569a4e1e50fb41af818bd85698d1

  • SSDEEP

    12288:6MrYy90fr1th3Vq0wIxAn4AJTy35Yiqy0nxPo2fdxPPPOv/yQWU5NphEb2:+ykRTVq05xA1JTy36TyOfOiQWU5NDp

Score
10/10
healerredlinedizanormdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

C2

77.91.124.145:4125

Attributes
  • auth_value

    bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\23c73fecfffcafb75e8612e004ab926769e26a5f168249e52f2664136f415148.exe
    "C:\Users\Admin\AppData\Local\Temp\23c73fecfffcafb75e8612e004ab926769e26a5f168249e52f2664136f415148.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziUl0764.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziUl0764.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3100
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr971122.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr971122.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1384
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku199752.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku199752.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4768
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3984
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 1524
          4⤵
          • Program crash
          PID:5752
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr797415.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr797415.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:648
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 944
        3⤵
        • Program crash
        PID:6100
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4768 -ip 4768
    1⤵
      PID:5368
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 648 -ip 648
      1⤵
        PID:1580

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr797415.exe
        Filesize

        168KB

        MD5

        1e34428e4c54063e8b62c2a03dbcb607

        SHA1

        b5577bc08096fe619b417d6f38a99558e7e1ca17

        SHA256

        25e0e6c9dca6242432c4b17fc94d46a0d985a780aec0656fb76846043e0d32d1

        SHA512

        42b47de8215b189818b9880ce662f054e9853d39910bb9c5edbd42afe1b22e75a85a459297fcba29e274890921a3f18db6742049b2636fa68a24a6705a97e38e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziUl0764.exe
        Filesize

        508KB

        MD5

        f9834973d25a280bed6d24226f540d4d

        SHA1

        1507ea277a0fda6ea2377c744eea644c6b6a10b1

        SHA256

        203c4ae51e75e854e5930f5e0cb93ac391ae2c7cbf5f3b88eda6fbd7ac0a7bf8

        SHA512

        f7b26bb27995108c61a395c990cf341899aec85f2aad6bf674ec91350670cc7dc2917e4dbf354e46250e5c4141b1d67a9417629d0022c618704d6dee2c63240a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr971122.exe
        Filesize

        13KB

        MD5

        859f97ad37c8f871553bbac5985b2782

        SHA1

        fb6dd615ae8dd157ffc41a4e2a6918bb257c4738

        SHA256

        1551094c09bcc849f6b14dee4f1e237197ed73393472c72f705798aa6bdbfec4

        SHA512

        3d0b8b176ddf34f0b2a3f6cb6382dca0edadc7c0b5c9169fa72de65d8737c3c84ea18067c21d3d4cfd88b3fe2c6db52b64ee0c7f3d159f50f91f15bf5e1bad11

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku199752.exe
        Filesize

        437KB

        MD5

        636335ccfa69fa58d7db89b38422136e

        SHA1

        f8cff6329c28cf2de632a89c3485ba8782daff23

        SHA256

        dfc55c0ca75990e8f333b90dc0148f0f37b1578baf2a3948b682a5bdf6ca599d

        SHA512

        56362ecd44537ffdadf709d6d1cb134b5be6bea89488916dbe713acbb1b87ebcf99943bb943ca75e752c7928c23772e906c2a64957b8e83109a06e92661fca42

        Download Submit

      • C:\Windows\Temp\1.exe
        Filesize

        168KB

        MD5

        1073b2e7f778788852d3f7bb79929882

        SHA1

        7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

        SHA256

        c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

        SHA512

        90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

        Download Submit

      • memory/648-2129-0x0000000000090000-0x00000000000C0000-memory.dmp

        Filesize

        192KB

        Download

      • memory/1384-14-0x00007FFCD3CA3000-0x00007FFCD3CA5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1384-15-0x00000000002A0000-0x00000000002AA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1384-16-0x00007FFCD3CA3000-0x00007FFCD3CA5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3984-2119-0x00000000030F0000-0x00000000030F6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/3984-2120-0x0000000005DC0000-0x00000000063D8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3984-2118-0x0000000000D20000-0x0000000000D50000-memory.dmp

        Filesize

        192KB

        Download

      • memory/3984-2124-0x0000000005740000-0x000000000578C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3984-2123-0x0000000005700000-0x000000000573C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/3984-2122-0x0000000003140000-0x0000000003152000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3984-2121-0x00000000058B0000-0x00000000059BA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/4768-66-0x0000000004C40000-0x0000000004C9F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4768-44-0x0000000004C40000-0x0000000004C9F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4768-82-0x0000000004C40000-0x0000000004C9F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4768-80-0x0000000004C40000-0x0000000004C9F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4768-78-0x0000000004C40000-0x0000000004C9F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4768-76-0x0000000004C40000-0x0000000004C9F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4768-74-0x0000000004C40000-0x0000000004C9F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4768-72-0x0000000004C40000-0x0000000004C9F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4768-70-0x0000000004C40000-0x0000000004C9F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4768-68-0x0000000004C40000-0x0000000004C9F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4768-86-0x0000000004C40000-0x0000000004C9F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4768-62-0x0000000004C40000-0x0000000004C9F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4768-60-0x0000000004C40000-0x0000000004C9F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4768-58-0x0000000004C40000-0x0000000004C9F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4768-56-0x0000000004C40000-0x0000000004C9F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4768-54-0x0000000004C40000-0x0000000004C9F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4768-50-0x0000000004C40000-0x0000000004C9F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4768-48-0x0000000004C40000-0x0000000004C9F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4768-46-0x0000000004C40000-0x0000000004C9F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4768-84-0x0000000004C40000-0x0000000004C9F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4768-43-0x0000000004C40000-0x0000000004C9F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4768-38-0x0000000004C40000-0x0000000004C9F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4768-36-0x0000000004C40000-0x0000000004C9F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4768-34-0x0000000004C40000-0x0000000004C9F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4768-30-0x0000000004C40000-0x0000000004C9F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4768-28-0x0000000004C40000-0x0000000004C9F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4768-26-0x0000000004C40000-0x0000000004C9F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4768-88-0x0000000004C40000-0x0000000004C9F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4768-40-0x0000000004C40000-0x0000000004C9F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4768-32-0x0000000004C40000-0x0000000004C9F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4768-24-0x0000000004C40000-0x0000000004CA6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4768-23-0x0000000004D00000-0x00000000052A4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4768-22-0x00000000024C0000-0x0000000002526000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4768-64-0x0000000004C40000-0x0000000004C9F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4768-52-0x0000000004C40000-0x0000000004C9F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4768-25-0x0000000004C40000-0x0000000004C9F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4768-2105-0x0000000005420000-0x0000000005452000-memory.dmp

        Filesize

        200KB

        Download