Overview

overview

10

Static

static

3

d8e470b47a...5b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2024 15:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d8e470b47a0c76c435c793e1b9cb66d470e7b5c24ba7d377eba2aec6b1b7da5b.exe

  • Size

    713KB

  • MD5

    b428c2d184f8ecfcf845d2d60cc7d215

  • SHA1

    53b5ce0679e6b64faf6340be9f1f921116a1e268

  • SHA256

    d8e470b47a0c76c435c793e1b9cb66d470e7b5c24ba7d377eba2aec6b1b7da5b

  • SHA512

    3842936ef116ba88f65daed8f7be923ba5b3efaae92415f67d24944f14acfc025d964f99dc8ee1c4976c320268bc22d2512eb49b1ba0d9173a91cc3cf66941f6

  • SSDEEP

    12288:EMrty90ii30B+Hdiuq+YJL9apnhn7uqhZIQu3ldSoSEG0O4u8Hh8:ZygHFQ9apnh7uqM3ThlO4u8Hh8

Score
10/10
healerredlinedizaladadiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

lada

C2

185.161.248.90:4125

Attributes
  • auth_value

    0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

diza

C2

185.161.248.90:4125

Attributes
  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d8e470b47a0c76c435c793e1b9cb66d470e7b5c24ba7d377eba2aec6b1b7da5b.exe
    "C:\Users\Admin\AppData\Local\Temp\d8e470b47a0c76c435c793e1b9cb66d470e7b5c24ba7d377eba2aec6b1b7da5b.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBr8236.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBr8236.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3292
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it390473.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it390473.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4256
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr454062.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr454062.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2524
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:5428
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1332
          4⤵
          • Program crash
          PID:4364
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr255518.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr255518.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5728
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2524 -ip 2524
    1⤵
      PID:5112
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start wuauserv
      1⤵
      • Launches sc.exe
      PID:5356

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr255518.exe
      Filesize

      168KB

      MD5

      c52ebada00a59ec1f651a0e9fbcef2eb

      SHA1

      e1941278df76616f1ca3202ef2a9f99d2592d52f

      SHA256

      35d5cff482e78c0137b3c51556d1e14aab0f38921ebfe46abc979a826301d28e

      SHA512

      6b11124fa6cfa1d2fdb8b6a4cc237b4a65ecbeb1797179568dcef378041ce05bdf0af9b6434cc0b3feb2479112d003b0fa5c0d2178c73bc65d35f5c2cfb36be2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBr8236.exe
      Filesize

      559KB

      MD5

      9f378ea02415ccdbddb00fc21020baa3

      SHA1

      893c23be8a25d9fb65694335599434c28cf1d688

      SHA256

      960d16ce779ed58db9badbabce327aa78017fca7cf0a4d6ac7e8684f74728488

      SHA512

      af8915a6dc7722c00efbe4bfdb52f5a7f9a9a741961eb411ba33ec735c6de63687453ef5ba459a7dd7a17c709041de5b79395d4b1a4039f3513d7aad16c3ffbb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it390473.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr454062.exe
      Filesize

      586KB

      MD5

      1f169b3659d4af77066763d343ace06b

      SHA1

      638d562cdf82638819779e583facc227f6f740a1

      SHA256

      0668e210b0fb03863bc95a9519bf5ef381457563a2b5a64f0b6a22827e73ac09

      SHA512

      d315319a99cecf7516dbd5440e57b5f87b6b8c43dde9c6f3c40c4462f86ee9a63ac3aa16a1c9e442a6596c35a485dac3a5fa100857627ecf271a3688bb51e80a

      Download Submit

    • C:\Windows\Temp\1.exe
      Filesize

      168KB

      MD5

      03728fed675bcde5256342183b1d6f27

      SHA1

      d13eace7d3d92f93756504b274777cc269b222a2

      SHA256

      f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

      SHA512

      6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

      Download Submit

    • memory/2524-52-0x0000000005690000-0x00000000056F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2524-86-0x0000000005690000-0x00000000056F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2524-24-0x0000000005690000-0x00000000056F6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2524-25-0x0000000005690000-0x00000000056F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2524-44-0x0000000005690000-0x00000000056F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2524-88-0x0000000005690000-0x00000000056F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2524-40-0x0000000005690000-0x00000000056F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2524-84-0x0000000005690000-0x00000000056F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2524-82-0x0000000005690000-0x00000000056F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2524-80-0x0000000005690000-0x00000000056F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2524-78-0x0000000005690000-0x00000000056F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2524-38-0x0000000005690000-0x00000000056F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2524-70-0x0000000005690000-0x00000000056F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2524-68-0x0000000005690000-0x00000000056F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2524-66-0x0000000005690000-0x00000000056F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2524-64-0x0000000005690000-0x00000000056F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2524-62-0x0000000005690000-0x00000000056F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2524-60-0x0000000005690000-0x00000000056F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2524-58-0x0000000005690000-0x00000000056F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2524-56-0x0000000005690000-0x00000000056F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2524-42-0x0000000005690000-0x00000000056F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2524-22-0x00000000029B0000-0x0000000002A18000-memory.dmp

      Filesize

      416KB

      Download

    • memory/2524-50-0x0000000005690000-0x00000000056F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2524-48-0x0000000005690000-0x00000000056F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2524-54-0x0000000005690000-0x00000000056F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2524-23-0x00000000050E0000-0x0000000005684000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2524-76-0x0000000005690000-0x00000000056F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2524-36-0x0000000005690000-0x00000000056F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2524-34-0x0000000005690000-0x00000000056F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2524-32-0x0000000005690000-0x00000000056F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2524-30-0x0000000005690000-0x00000000056F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2524-28-0x0000000005690000-0x00000000056F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2524-74-0x0000000005690000-0x00000000056F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2524-72-0x0000000005690000-0x00000000056F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2524-26-0x0000000005690000-0x00000000056F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2524-46-0x0000000005690000-0x00000000056F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2524-2167-0x00000000058A0000-0x00000000058D2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4256-14-0x00007FFD643B3000-0x00007FFD643B5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4256-15-0x0000000000950000-0x000000000095A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4256-16-0x00007FFD643B3000-0x00007FFD643B5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/5428-2180-0x0000000000460000-0x000000000048E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/5428-2181-0x0000000000D90000-0x0000000000D96000-memory.dmp

      Filesize

      24KB

      Download

    • memory/5428-2182-0x0000000005440000-0x0000000005A58000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/5428-2183-0x0000000004F30000-0x000000000503A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/5428-2184-0x0000000004DE0000-0x0000000004DF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5428-2185-0x0000000004E60000-0x0000000004E9C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/5428-2186-0x0000000004EA0000-0x0000000004EEC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/5728-2191-0x0000000000CF0000-0x0000000000D20000-memory.dmp

      Filesize

      192KB

      Download

    • memory/5728-2192-0x0000000002D60000-0x0000000002D66000-memory.dmp

      Filesize

      24KB

      Download