Overview

overview

10

Static

static

3

210450875d...6c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2024 16:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    210450875da2d17a82687345659e077ea0cd302012b995bc690ac69fa19ecc6c.exe

  • Size

    683KB

  • MD5

    c8db7696d71a6ca9b7c9c9360d1077f4

  • SHA1

    1b2b2e72b02a3cfe59ba91e08e0f47878d99c361

  • SHA256

    210450875da2d17a82687345659e077ea0cd302012b995bc690ac69fa19ecc6c

  • SHA512

    27e52108d0ef0bd35a79bca8976a547dec0d9c42887a7da854c7a80f928da4ca570039a9e20b527613820fa53eeefc942ceffa14900715044078321e4092e460

  • SSDEEP

    12288:RMrTy90zYETreTZEYxtwKW273Ub2rgcS70KsrSJZwwU6HHhO9mb:mygnTGdPBi2P8YSThF

Score
10/10
healerredlinedizanormdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

C2

77.91.124.145:4125

Attributes
  • auth_value

    bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\210450875da2d17a82687345659e077ea0cd302012b995bc690ac69fa19ecc6c.exe
    "C:\Users\Admin\AppData\Local\Temp\210450875da2d17a82687345659e077ea0cd302012b995bc690ac69fa19ecc6c.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSw6108.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSw6108.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr753666.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr753666.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5048
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku974246.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku974246.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3020
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:5796
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 1388
          4⤵
          • Program crash
          PID:5480
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr986417.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr986417.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2892
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3020 -ip 3020
    1⤵
      PID:5888

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr986417.exe
      Filesize

      169KB

      MD5

      2619fc4568d88c5af66ad8aa92f42a38

      SHA1

      44bd93cccd26a67ba197e15f57d318bb286c14b4

      SHA256

      64678a3e40f325a7cc422337907cb2538a5bb1f2df7de0acbe3f1367fa9b87d8

      SHA512

      303aca776441cddb9ccc78dcd30624c87091522269b4887409dbe1a63e8ec2c0769e51fbe02a8d3645c0681929a052655f403b9899b61c9172319fb272a9c66b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSw6108.exe
      Filesize

      530KB

      MD5

      d269c6ed9a420b59c67320410d93e4b2

      SHA1

      1ebaf4fd6e3ea93b5ea1a89f3b8e6e4965615d27

      SHA256

      42ee23989b12145f46bd4ca4f426bfca1f3e66794621702e7e818513043310c7

      SHA512

      1f1c305d6977bd7db62e3685432dd2f897328d960708d81c612cc7c97c02f88900d058e11001b70244a74d29565f856ee96dacef5072b46d29b22d7f9265ebc4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr753666.exe
      Filesize

      12KB

      MD5

      f42c5e225d737b9c3fee86c53fcde9e1

      SHA1

      194f0b1858498d790ffc30a750e689f8677a76e2

      SHA256

      d3362dd3c549e8bf353de30125a3730b33efac4e127bd0eb24eb66a197ec09e0

      SHA512

      6b0560f2b4e11bf154311db52d8cb4e04b8d2ee21fd26d1cefece829d13541fa0c3194115175a8d65c1c3f9fe86eb68b5eb74ec6bf374ca3aa5b87b4b8c90a92

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku974246.exe
      Filesize

      495KB

      MD5

      68024fadcf43a4aa9dab1c9083b5d374

      SHA1

      a8ec5dfddc20546692bc8df24e04fbbe4d40d9fc

      SHA256

      7ab24d4414baf942371639f79714ca3d25f41c122b5fcb389926ef8e8d3c56fe

      SHA512

      f65788865d89e9c812cc08b60ee0a26d1fc5a0d4d71f75e8ca5050014b1846914a4bf799daf2aebba0ae477381f9f78892124b15375bbcc26b5372d9810b149d

      Download Submit

    • C:\Windows\Temp\1.exe
      Filesize

      168KB

      MD5

      1073b2e7f778788852d3f7bb79929882

      SHA1

      7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

      SHA256

      c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

      SHA512

      90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

      Download Submit

    • memory/2892-2128-0x0000000000450000-0x000000000047E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2892-2129-0x00000000025D0000-0x00000000025D6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3020-53-0x0000000005650000-0x00000000056AF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3020-43-0x0000000005650000-0x00000000056AF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3020-29-0x0000000005650000-0x00000000056AF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3020-33-0x0000000005650000-0x00000000056AF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3020-77-0x0000000005650000-0x00000000056AF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3020-75-0x0000000005650000-0x00000000056AF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3020-87-0x0000000005650000-0x00000000056AF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3020-85-0x0000000005650000-0x00000000056AF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3020-83-0x0000000005650000-0x00000000056AF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3020-81-0x0000000005650000-0x00000000056AF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3020-79-0x0000000005650000-0x00000000056AF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3020-73-0x0000000005650000-0x00000000056AF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3020-69-0x0000000005650000-0x00000000056AF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3020-67-0x0000000005650000-0x00000000056AF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3020-65-0x0000000005650000-0x00000000056AF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3020-63-0x0000000005650000-0x00000000056AF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3020-61-0x0000000005650000-0x00000000056AF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3020-59-0x0000000005650000-0x00000000056AF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3020-55-0x0000000005650000-0x00000000056AF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3020-22-0x0000000005060000-0x0000000005604000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3020-52-0x0000000005650000-0x00000000056AF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3020-49-0x0000000005650000-0x00000000056AF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3020-47-0x0000000005650000-0x00000000056AF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3020-23-0x0000000005650000-0x00000000056B6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3020-41-0x0000000005650000-0x00000000056AF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3020-39-0x0000000005650000-0x00000000056AF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3020-37-0x0000000005650000-0x00000000056AF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3020-35-0x0000000005650000-0x00000000056AF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3020-31-0x0000000005650000-0x00000000056AF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3020-27-0x0000000005650000-0x00000000056AF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3020-71-0x0000000005650000-0x00000000056AF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3020-57-0x0000000005650000-0x00000000056AF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3020-45-0x0000000005650000-0x00000000056AF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3020-25-0x0000000005650000-0x00000000056AF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3020-24-0x0000000005650000-0x00000000056AF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3020-2104-0x0000000005890000-0x00000000058C2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3020-21-0x0000000004EA0000-0x0000000004F06000-memory.dmp

      Filesize

      408KB

      Download

    • memory/5048-15-0x0000000000030000-0x000000000003A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/5048-14-0x00007FFD35843000-0x00007FFD35845000-memory.dmp

      Filesize

      8KB

      Download

    • memory/5796-2117-0x0000000000FB0000-0x0000000000FE0000-memory.dmp

      Filesize

      192KB

      Download

    • memory/5796-2118-0x0000000007C20000-0x0000000007C26000-memory.dmp

      Filesize

      24KB

      Download

    • memory/5796-2119-0x0000000005EC0000-0x00000000064D8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/5796-2120-0x00000000059F0000-0x0000000005AFA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/5796-2121-0x0000000005920000-0x0000000005932000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5796-2122-0x0000000005980000-0x00000000059BC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/5796-2123-0x0000000005B00000-0x0000000005B4C000-memory.dmp

      Filesize

      304KB

      Download