Overview

overview

10

Static

static

3

7fadf9c14a...13.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 23:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7fadf9c14a00038d6eb6df1008734b4dd4c1389c431dccc920cd0bc6964eea13.exe

  • Size

    652KB

  • MD5

    2c9544d32551746100604d84046ecb31

  • SHA1

    82a78b1a432494c33930f2ab804feaeec890b0e2

  • SHA256

    7fadf9c14a00038d6eb6df1008734b4dd4c1389c431dccc920cd0bc6964eea13

  • SHA512

    388e81cba8e1794b74621b797dd3b17db7ac039475e85200f4eb042e94c81a88050431b8c650612455571f5d61dfc1caa0a24cb5051c087592960eec1bedf14e

  • SSDEEP

    12288:GMrty902eHTaRf9A7fdJoQTUi9tiGrZIP+QYV4kIYmj7:LyReHuRfidXMPlqIX

Score
10/10
healerredlinedizanormdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

C2

77.91.124.145:4125

Attributes
  • auth_value

    bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7fadf9c14a00038d6eb6df1008734b4dd4c1389c431dccc920cd0bc6964eea13.exe
    "C:\Users\Admin\AppData\Local\Temp\7fadf9c14a00038d6eb6df1008734b4dd4c1389c431dccc920cd0bc6964eea13.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:432
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zizR2278.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zizR2278.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2976
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr327883.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr327883.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4760
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku781942.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku781942.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1540
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:5500
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 1380
          4⤵
          • Program crash
          PID:5788
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr867357.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr867357.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:6020
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1540 -ip 1540
    1⤵
      PID:5840

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr867357.exe
      Filesize

      169KB

      MD5

      12e2201c80202361709a64e4a0e6b588

      SHA1

      c6bee9506006282b3a4e318e430bbc20d2c9282a

      SHA256

      03ce3d2291a5f9510d2a0f174e93f89f3c32cc3ab93a6ef9bcdf1f3ceb873c49

      SHA512

      7881f6e0f9c4e79db8461feb0a7bbaa0c9cd9206790756476caecbf7e2850cf288b8bc6fbfcce5ac81341f79fdf0d342dd32a60b77827c71cd1f1d1b9de92491

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zizR2278.exe
      Filesize

      498KB

      MD5

      3442695883ba2a7b75cb4d601529c91a

      SHA1

      1becf00a72dd7b036b0e59c4091f4da197347377

      SHA256

      1fe05541b6218633b60011e8caa8a09f53ac6e628dca38a48aff9e7bcf3e5f5b

      SHA512

      276fe712181ba73e23912d3e1c30b7b9454f7170ccdb4f38295c181a33dae5e4847ab1c51ed77742d6c42b7f7bfc2105a927f98d4f5f1a8fb9f80ee18e4994de

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr327883.exe
      Filesize

      12KB

      MD5

      bc2b03b58f3c79416a89645ef264fe4b

      SHA1

      458386baa1ef65749068a7461d04447f06cc154a

      SHA256

      0d5fddccc7a9f1abb539e0a9d44d1afde859d26dcfc67410213590cd291e4ba0

      SHA512

      18d8a9321f5e45d99d9f24af392ba6a2085369ef609160bc34d8efffb90f8c49df93b45646e33b0cd95d36ccf714c4b4bd070f924c3ba6e464dc714d2b5d6b03

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku781942.exe
      Filesize

      417KB

      MD5

      8aac38691fd60cf59bf8529c5fec1072

      SHA1

      c1edab6f3460a5fbdc7add26ace6a40b8f1eca56

      SHA256

      1027591b0b3a12c3bfb5ee0879b658ab0647b3e2f48622b2a5cf19b2daffc2a5

      SHA512

      90d8172bb4485e94e4e3077651ac2a3edd76c64cf22eb71936ce3b32cbfb2f237fe28cfcd505249d5faeeb5e573936311ad02b956612d5162ba286ed1fa436af

      Download Submit

    • C:\Windows\Temp\1.exe
      Filesize

      168KB

      MD5

      1073b2e7f778788852d3f7bb79929882

      SHA1

      7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

      SHA256

      c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

      SHA512

      90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

      Download Submit

    • memory/1540-50-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1540-86-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1540-24-0x0000000005320000-0x0000000005386000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1540-36-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1540-82-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1540-88-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1540-72-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1540-84-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1540-80-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1540-78-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1540-76-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1540-52-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1540-70-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1540-68-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1540-66-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1540-64-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1540-63-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1540-60-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1540-58-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1540-56-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1540-44-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1540-22-0x0000000004D00000-0x0000000004D66000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1540-48-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1540-46-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1540-54-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1540-23-0x0000000004D70000-0x0000000005314000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1540-74-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1540-42-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1540-40-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1540-38-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1540-34-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1540-32-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1540-30-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1540-28-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1540-26-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1540-25-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1540-2105-0x0000000005540000-0x0000000005572000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4760-15-0x0000000000060000-0x000000000006A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4760-14-0x00007FFBA8393000-0x00007FFBA8395000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4760-16-0x00007FFBA8393000-0x00007FFBA8395000-memory.dmp

      Filesize

      8KB

      Download

    • memory/5500-2119-0x00000000011E0000-0x00000000011E6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/5500-2118-0x00000000009C0000-0x00000000009F0000-memory.dmp

      Filesize

      192KB

      Download

    • memory/5500-2120-0x00000000059E0000-0x0000000005FF8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/5500-2122-0x0000000002DA0000-0x0000000002DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5500-2123-0x00000000053C0000-0x00000000053FC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/5500-2124-0x0000000005400000-0x000000000544C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/5500-2121-0x00000000054D0000-0x00000000055DA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/6020-2129-0x0000000000E80000-0x0000000000EAE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/6020-2130-0x0000000003210000-0x0000000003216000-memory.dmp

      Filesize

      24KB

      Download