Overview

overview

10

Static

static

3

4976c41a03...59.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 23:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4976c41a0357e392ef194a7e9bf7068dbb2d97785b6fd6eb26b88e28bfb97359.exe

  • Size

    802KB

  • MD5

    c2ca53952abce4b049a7860d98a724c4

  • SHA1

    7609b8a405f7fff48f748f8815013567d2939f48

  • SHA256

    4976c41a0357e392ef194a7e9bf7068dbb2d97785b6fd6eb26b88e28bfb97359

  • SHA512

    9b7c57fc580da88a2dbfa97562cc5676babca37630934b919fadcce9046ee0f4dc36785cb8b820ad7073fa4d76b28f315ec99e5e267fb9957da2e8dbd1307ca6

  • SSDEEP

    24576:DyaUxyveRE0KoV8b+CxcjBJlf2yClt5sT65s:WFwzoVuSjBHct5sS

Score
10/10
healerredlinedizanormdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

C2

77.91.124.145:4125

Attributes
  • auth_value

    bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4976c41a0357e392ef194a7e9bf7068dbb2d97785b6fd6eb26b88e28bfb97359.exe
    "C:\Users\Admin\AppData\Local\Temp\4976c41a0357e392ef194a7e9bf7068dbb2d97785b6fd6eb26b88e28bfb97359.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3476
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un186101.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un186101.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2944
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7661.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7661.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4560
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 1096
          4⤵
          • Program crash
          PID:888
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0712.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0712.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:712
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:5368
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 712 -s 1524
          4⤵
          • Program crash
          PID:5472
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si867540.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si867540.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5540
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4560 -ip 4560
    1⤵
      PID:3908
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 712 -ip 712
      1⤵
        PID:5412
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe start wuauserv
        1⤵
        • Launches sc.exe
        PID:3948

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si867540.exe
        Filesize

        168KB

        MD5

        8a267df3fd5e6685d4e1dd2ecf12a057

        SHA1

        a6cb83662f47cf9981454dba86fa84389cfb3d2e

        SHA256

        75f69c6b0e99036638f12afe19bb4ff498cbe76c05bd168f9bd437a98c75282c

        SHA512

        40d5bccb142576f6c9821552c052541ae324fb36b9317688a83a86d51b1d1a3ab555b96151efe1d2116a25affe16251a848e7067f1f73c42c4326df6eddab678

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un186101.exe
        Filesize

        647KB

        MD5

        fa27a872263850767a283d059c52644a

        SHA1

        ffc066553f38354a4b5dffea61bc8686ead77660

        SHA256

        cb4835399dfcc9d2b8eadd11a6000a3dd6b6ec65df03a018a2eb1cf91883fbbe

        SHA512

        27d00fa9d0dbbdc77aeab5742364c535018ebcb66dac4fa4896b42b3176179aa000305b8b4c4bfc0cab20d09da1c212aed74d3939a3229c7be44a6700c6ec816

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7661.exe
        Filesize

        252KB

        MD5

        e9294e328d82142228e811613c1aa7f0

        SHA1

        acd5122a295e53cce1cb7e7c7f4c7a4cefd03bf8

        SHA256

        4513f067f44c9666338e38c64d8b4330c5b977ec457a37b9ff5a65dd6039b7b2

        SHA512

        48db38bcd06507af3ae8794edf30c7dfaff8767c3b01b52a1eef88347350bd590495fd6d34c0f03487af69e15ab340950d30a9f4db5d237f4d6c8fa4f16300e6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0712.exe
        Filesize

        435KB

        MD5

        df70c6fabc48918a0b5e6904bcb48746

        SHA1

        5b78116e5cb131da927d678187de01be33cc0294

        SHA256

        a8695964913d571abbd9281246bd964cedf402b70c6c961bbb3a688c6198c7d5

        SHA512

        97ca9987ab497200836eef1598e71ab208f5d4c8ffe86a4f32f4501d223a83d7b8acdfc2e996fbc8abd90630a8720ab4ed3b3abb6884291d9299e2a6883ad491

        Download Submit

      • C:\Windows\Temp\1.exe
        Filesize

        168KB

        MD5

        1073b2e7f778788852d3f7bb79929882

        SHA1

        7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

        SHA256

        c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

        SHA512

        90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

        Download Submit

      • memory/712-68-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/712-61-0x0000000002630000-0x0000000002696000-memory.dmp

        Filesize

        408KB

        Download

      • memory/712-2143-0x0000000005410000-0x0000000005442000-memory.dmp

        Filesize

        200KB

        Download

      • memory/712-63-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/712-64-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/712-66-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/712-96-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/712-90-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/712-70-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/712-72-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/712-74-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/712-76-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/712-82-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/712-84-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/712-86-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/712-88-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/712-92-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/712-80-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/712-78-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/712-94-0x0000000005240000-0x000000000529F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/712-62-0x0000000005240000-0x00000000052A6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4560-22-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4560-41-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4560-56-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/4560-18-0x0000000000400000-0x00000000004AD000-memory.dmp

        Filesize

        692KB

        Download

      • memory/4560-52-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/4560-51-0x0000000000530000-0x000000000055D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/4560-23-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4560-38-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4560-49-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4560-50-0x00000000006A0000-0x00000000007A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/4560-45-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4560-19-0x0000000002210000-0x000000000222A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4560-29-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4560-31-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4560-33-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4560-35-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4560-39-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4560-55-0x0000000000400000-0x00000000004AD000-memory.dmp

        Filesize

        692KB

        Download

      • memory/4560-43-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4560-17-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/4560-47-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4560-27-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4560-25-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4560-21-0x0000000004A40000-0x0000000004A58000-memory.dmp

        Filesize

        96KB

        Download

      • memory/4560-20-0x0000000004AF0000-0x0000000005094000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4560-16-0x0000000000530000-0x000000000055D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/4560-15-0x00000000006A0000-0x00000000007A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/5368-2157-0x00000000014E0000-0x00000000014E6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/5368-2158-0x0000000005C70000-0x0000000006288000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/5368-2159-0x0000000005760000-0x000000000586A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/5368-2160-0x00000000053E0000-0x00000000053F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5368-2161-0x0000000005650000-0x000000000568C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/5368-2162-0x00000000056A0000-0x00000000056EC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/5368-2156-0x0000000000C70000-0x0000000000CA0000-memory.dmp

        Filesize

        192KB

        Download

      • memory/5540-2167-0x0000000000900000-0x000000000092E000-memory.dmp

        Filesize

        184KB

        Download

      • memory/5540-2168-0x00000000010B0000-0x00000000010B6000-memory.dmp

        Filesize

        24KB

        Download