Overview

overview

10

Static

static

3

ae2e961e7c...e3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 02:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ae2e961e7c568f8fcc048e2568ff8ebf33a498e68eed64629e8d7a13f980d5e3.exe

  • Size

    684KB

  • MD5

    6da5eb3c030777c30b8e48555c5b9663

  • SHA1

    9d8d51a132031e035a0692f1e19cbfb876a3091a

  • SHA256

    ae2e961e7c568f8fcc048e2568ff8ebf33a498e68eed64629e8d7a13f980d5e3

  • SHA512

    1989c154f34ac0bf613fca194c7ca84ced473d5334282a67765031e6579b4ad9cd3df281ad453a01d71201f150e061c220024875c46e01d406546a0ccb554793

  • SSDEEP

    12288:NMrcy90bFX6gTeEmg5MczvCRp9in/BNl5S9A54FI8wbyeDQqv2xrN5IcZoq+2DWe:ZyOKgTexyCRpsnJN2/GPDLgrI2DWXa3

Score
10/10
healerredlinedizanormdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

C2

77.91.124.145:4125

Attributes
  • auth_value

    bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ae2e961e7c568f8fcc048e2568ff8ebf33a498e68eed64629e8d7a13f980d5e3.exe
    "C:\Users\Admin\AppData\Local\Temp\ae2e961e7c568f8fcc048e2568ff8ebf33a498e68eed64629e8d7a13f980d5e3.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1420
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziwS4207.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziwS4207.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr732069.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr732069.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5044
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku663889.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku663889.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1060
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1136
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1380
          4⤵
          • Program crash
          PID:4676
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr512396.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr512396.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2148
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1060 -ip 1060
    1⤵
      PID:1148

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr512396.exe
      Filesize

      169KB

      MD5

      429372ca33b0f90e3c9810fd02876039

      SHA1

      a93190ceb13d218362d053c8e37726ee99e623ae

      SHA256

      aeb97a03510d8c1be7d17b76cbe11fd757e5b5645346aabc8559c188cecb412d

      SHA512

      0becde870c714fffaea26467f007372eed2d132c2b3a701cf41f4887a4acac667ef98cd5eeea83ab439f81f840a822b2d1686f14010d8a27f2c66c7f5f46c71a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziwS4207.exe
      Filesize

      530KB

      MD5

      c20c92d3e183d895adfea3f8d81f7ac3

      SHA1

      8063273fad6de04e1187249359dd44a29a6583ab

      SHA256

      cc7efbbbb488521f83e4b64aec829ae231f34c245946d9a9dd746e512e4edc1e

      SHA512

      e7e1330ff27642b4b7362b8e7c72276f0164e83c5003454d02844093a079945539957d7d50444c72a885f5e996d575f10d6b9ec0c486b520f972298053d6f00d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr732069.exe
      Filesize

      12KB

      MD5

      056082f7d5718fd4a052ec61cbd73dae

      SHA1

      b259eae4ea77060e73172da1fde09ac16b802de4

      SHA256

      4f279ea7fd71ab95b9bafc1b6fefc9cc8b0cf20378941665f55f278f38b4b677

      SHA512

      eff8d868960813137fbee9ed4217f955f28691c4f356e601125a9f2f7542ba43e0ac3413c444396fd44cbbd8a2d77f7dbfd0958a937a84d2b0291a1f72eae8d9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku663889.exe
      Filesize

      495KB

      MD5

      58e176442290b987b25a5b689a5196a6

      SHA1

      ec4464dce1a8342aa6e7d2ef8675484893fb5075

      SHA256

      c65c5df2d95d10a86124387f0ce01c38e0e40e363c129c7a343c74f058088a8b

      SHA512

      f4d75daa0ad1cac7cf059e6129637df4004a0f13624c2877627e1e6ad7757f54cf5581d3c91b0523cb3c44a161f2fc3f59ae75a529af1a456ec0902f7a6acb58

      Download Submit

    • C:\Windows\Temp\1.exe
      Filesize

      168KB

      MD5

      1073b2e7f778788852d3f7bb79929882

      SHA1

      7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

      SHA256

      c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

      SHA512

      90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

      Download Submit

    • memory/1060-54-0x0000000005570000-0x00000000055CF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1060-86-0x0000000005570000-0x00000000055CF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1060-24-0x0000000005570000-0x00000000055D6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1060-25-0x0000000005570000-0x00000000055CF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1060-40-0x0000000005570000-0x00000000055CF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1060-88-0x0000000005570000-0x00000000055CF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1060-44-0x0000000005570000-0x00000000055CF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1060-84-0x0000000005570000-0x00000000055CF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1060-82-0x0000000005570000-0x00000000055CF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1060-80-0x0000000005570000-0x00000000055CF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1060-78-0x0000000005570000-0x00000000055CF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1060-42-0x0000000005570000-0x00000000055CF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1060-74-0x0000000005570000-0x00000000055CF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1060-72-0x0000000005570000-0x00000000055CF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1060-70-0x0000000005570000-0x00000000055CF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1060-66-0x0000000005570000-0x00000000055CF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1060-64-0x0000000005570000-0x00000000055CF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1060-62-0x0000000005570000-0x00000000055CF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1060-60-0x0000000005570000-0x00000000055CF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1060-58-0x0000000005570000-0x00000000055CF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1060-48-0x0000000005570000-0x00000000055CF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1060-22-0x0000000004DC0000-0x0000000004E26000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1060-52-0x0000000005570000-0x00000000055CF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1060-50-0x0000000005570000-0x00000000055CF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1060-56-0x0000000005570000-0x00000000055CF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1060-23-0x0000000004F80000-0x0000000005524000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1060-76-0x0000000005570000-0x00000000055CF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1060-38-0x0000000005570000-0x00000000055CF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1060-36-0x0000000005570000-0x00000000055CF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1060-34-0x0000000005570000-0x00000000055CF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1060-32-0x0000000005570000-0x00000000055CF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1060-30-0x0000000005570000-0x00000000055CF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1060-28-0x0000000005570000-0x00000000055CF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1060-26-0x0000000005570000-0x00000000055CF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1060-68-0x0000000005570000-0x00000000055CF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1060-46-0x0000000005570000-0x00000000055CF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1060-2105-0x0000000005760000-0x0000000005792000-memory.dmp

      Filesize

      200KB

      Download

    • memory/1136-2118-0x0000000000E30000-0x0000000000E60000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1136-2119-0x0000000005610000-0x0000000005616000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1136-2120-0x0000000005DC0000-0x00000000063D8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1136-2121-0x00000000058B0000-0x00000000059BA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1136-2122-0x00000000057C0000-0x00000000057D2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1136-2123-0x0000000005820000-0x000000000585C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1136-2124-0x0000000005860000-0x00000000058AC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2148-2129-0x0000000000B00000-0x0000000000B2E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2148-2130-0x0000000005320000-0x0000000005326000-memory.dmp

      Filesize

      24KB

      Download

    • memory/5044-14-0x00007FF878343000-0x00007FF878345000-memory.dmp

      Filesize

      8KB

      Download

    • memory/5044-15-0x0000000000D80000-0x0000000000D8A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/5044-16-0x00007FF878343000-0x00007FF878345000-memory.dmp

      Filesize

      8KB

      Download