Overview

overview

10

Static

static

3

50b8b64b03...8b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 23:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    50b8b64b03f84521f3fcae1e365fef8797b9c297389ddfe805e9dd71f7da408b.exe

  • Size

    1.2MB

  • MD5

    60a2aefdd5060be6c57220b96c23e2ac

  • SHA1

    a88aff33a6e2c375216dc334657cd25c6b94a6f6

  • SHA256

    50b8b64b03f84521f3fcae1e365fef8797b9c297389ddfe805e9dd71f7da408b

  • SHA512

    e134bc2b4e285157e318424b908a6b0e91ece611c1994cf6b76120dbe9e0d62e7e56cf75fba256ec8306635f53a6f73c1d4e533b796e43cde9562aab982abba6

  • SSDEEP

    24576:FyBO7igaQyqj4J8Hgak24X+EBosDeYaHhrte0ky:gBTffmu0gak5B6i

Score
10/10
healerredlinedizaladadiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

lada

C2

185.161.248.90:4125

Attributes
  • auth_value

    0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

diza

C2

185.161.248.90:4125

Attributes
  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\50b8b64b03f84521f3fcae1e365fef8797b9c297389ddfe805e9dd71f7da408b.exe
    "C:\Users\Admin\AppData\Local\Temp\50b8b64b03f84521f3fcae1e365fef8797b9c297389ddfe805e9dd71f7da408b.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3364
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un460181.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un460181.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3520
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un027527.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un027527.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3540
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr769338.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr769338.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:224
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1088
            5⤵
            • Program crash
            PID:3740
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu934106.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu934106.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1812
          • C:\Windows\Temp\1.exe
            "C:\Windows\Temp\1.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:856
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 1388
            5⤵
            • Program crash
            PID:2944
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk943789.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk943789.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3816
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 224 -ip 224
    1⤵
      PID:376
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1812 -ip 1812
      1⤵
        PID:2020

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un460181.exe
        Filesize

        862KB

        MD5

        5ee0f3b1dad07c2a4e921bab3f42e70a

        SHA1

        aab2614f86c1d7387c4804c5403399b8d97db221

        SHA256

        b2e22f5d3c4855d64cd0e36db93fbd60bad7da03a3f6261582acc024544063a5

        SHA512

        f5d27e1c19e4d0716f287bc178f06dcca38d4da50ad266d41053709054a95a6bb94f05b3381d30a8db619e2c19d96a82425dc43d717e269b44ac2c67595ef94c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk943789.exe
        Filesize

        168KB

        MD5

        c52ebada00a59ec1f651a0e9fbcef2eb

        SHA1

        e1941278df76616f1ca3202ef2a9f99d2592d52f

        SHA256

        35d5cff482e78c0137b3c51556d1e14aab0f38921ebfe46abc979a826301d28e

        SHA512

        6b11124fa6cfa1d2fdb8b6a4cc237b4a65ecbeb1797179568dcef378041ce05bdf0af9b6434cc0b3feb2479112d003b0fa5c0d2178c73bc65d35f5c2cfb36be2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un027527.exe
        Filesize

        708KB

        MD5

        6c2aae4e41e32e6488e749de4602d188

        SHA1

        44f199438f30027113fd408a617dabdf2c91a360

        SHA256

        5ed2b797b100394adef1596b0882ca5576e19cd1bffc665d426d8dee74d21e87

        SHA512

        c63a0276ca30a374c62ced41cc72712c69d590757bd9dca18e7708926c1a1f3cd6fbe740202636000c80ee44b1b74b912938899864e5ffc55249c0e267b0086a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr769338.exe
        Filesize

        405KB

        MD5

        ad5d2fbc5e70b34cb1d4598c186a65aa

        SHA1

        56e6b12a82a3f1382cd3e8cc7cef2288de56efd2

        SHA256

        eb534259087377b6c4fa14476823b2a2a507210f4acbc776b5725cad28f0ccb0

        SHA512

        80ef799e5d1377c0355c2ec40a57d32dbc7561fe681cc20ac9f09bfbb0677dfbf6f149f17a17dc2d450dd4d78adb1941dfd6bd30f37a4ec55633700c9c87c82e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu934106.exe
        Filesize

        588KB

        MD5

        0537354f085697d3e60e717f214482f8

        SHA1

        733478d11ff42070f276981f8af44b13a6b6df3c

        SHA256

        27c15755033a22a57c7c6b2f637697ecfbaf796a4212804defb79f7e27615bf9

        SHA512

        ac4137dd44609597b8a81f37b8e690bc3171164ed0fecbe1194a034abe7d6b354fc5eaf7e5bfac0b3e5d3877b8b2fc4d5c83cab7168f5f8322188f553212c346

        Download Submit

      • C:\Windows\Temp\1.exe
        Filesize

        168KB

        MD5

        03728fed675bcde5256342183b1d6f27

        SHA1

        d13eace7d3d92f93756504b274777cc269b222a2

        SHA256

        f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

        SHA512

        6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

        Download Submit

      • memory/224-42-0x00000000027E0000-0x00000000027F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/224-34-0x00000000027E0000-0x00000000027F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/224-36-0x00000000027E0000-0x00000000027F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/224-25-0x00000000027E0000-0x00000000027F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/224-52-0x00000000027E0000-0x00000000027F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/224-50-0x00000000027E0000-0x00000000027F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/224-48-0x00000000027E0000-0x00000000027F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/224-26-0x00000000027E0000-0x00000000027F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/224-46-0x00000000027E0000-0x00000000027F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/224-44-0x00000000027E0000-0x00000000027F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/224-22-0x0000000002630000-0x000000000264A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/224-40-0x00000000027E0000-0x00000000027F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/224-38-0x00000000027E0000-0x00000000027F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/224-24-0x00000000027E0000-0x00000000027F8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/224-32-0x00000000027E0000-0x00000000027F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/224-30-0x00000000027E0000-0x00000000027F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/224-28-0x00000000027E0000-0x00000000027F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/224-53-0x0000000000400000-0x000000000080A000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/224-55-0x0000000000400000-0x000000000080A000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/224-23-0x0000000004F20000-0x00000000054C4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/856-2218-0x0000000000EC0000-0x0000000000EC6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/856-2219-0x0000000005810000-0x0000000005E28000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/856-2217-0x0000000000800000-0x000000000082E000-memory.dmp

        Filesize

        184KB

        Download

      • memory/856-2227-0x0000000005230000-0x000000000527C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/856-2220-0x0000000005300000-0x000000000540A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/856-2223-0x00000000051F0000-0x000000000522C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/856-2221-0x0000000005170000-0x0000000005182000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1812-60-0x00000000026D0000-0x0000000002738000-memory.dmp

        Filesize

        416KB

        Download

      • memory/1812-89-0x0000000002A20000-0x0000000002A80000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1812-87-0x0000000002A20000-0x0000000002A80000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1812-85-0x0000000002A20000-0x0000000002A80000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1812-81-0x0000000002A20000-0x0000000002A80000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1812-77-0x0000000002A20000-0x0000000002A80000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1812-75-0x0000000002A20000-0x0000000002A80000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1812-73-0x0000000002A20000-0x0000000002A80000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1812-71-0x0000000002A20000-0x0000000002A80000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1812-67-0x0000000002A20000-0x0000000002A80000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1812-93-0x0000000002A20000-0x0000000002A80000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1812-79-0x0000000002A20000-0x0000000002A80000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1812-91-0x0000000002A20000-0x0000000002A80000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1812-95-0x0000000002A20000-0x0000000002A80000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1812-83-0x0000000002A20000-0x0000000002A80000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1812-69-0x0000000002A20000-0x0000000002A80000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1812-61-0x0000000002A20000-0x0000000002A86000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1812-65-0x0000000002A20000-0x0000000002A80000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1812-63-0x0000000002A20000-0x0000000002A80000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1812-62-0x0000000002A20000-0x0000000002A80000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1812-2204-0x0000000005780000-0x00000000057B2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3816-2228-0x0000000000990000-0x00000000009C0000-memory.dmp

        Filesize

        192KB

        Download

      • memory/3816-2229-0x0000000005170000-0x0000000005176000-memory.dmp

        Filesize

        24KB

        Download