Overview

overview

10

Static

static

3

d69a9ce226...80.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 10:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d69a9ce2263433f13ac757ff39da1155da86bfe96e3f86c845f666f50d605e80.exe

  • Size

    794KB

  • MD5

    c50451b364b65519f38bb8cf62f17d68

  • SHA1

    b4b16042c737281556c229c0bb40115982ca7a48

  • SHA256

    d69a9ce2263433f13ac757ff39da1155da86bfe96e3f86c845f666f50d605e80

  • SHA512

    c160e345c281a00373856b52df6b0c7617cd923aa77985b57e445a406b872966a2a9ce046b0304af34ed160a5df49418ce295114de43e723ec631c000d95035e

  • SSDEEP

    24576:ayjYgcYYw7LqON+hYn/V1zGdUM74Pqx6zF:h8DY1X+20kqx6z

Score
10/10
healerredlinedizanormdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

C2

77.91.124.145:4125

Attributes
  • auth_value

    bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d69a9ce2263433f13ac757ff39da1155da86bfe96e3f86c845f666f50d605e80.exe
    "C:\Users\Admin\AppData\Local\Temp\d69a9ce2263433f13ac757ff39da1155da86bfe96e3f86c845f666f50d605e80.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4844
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un734386.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un734386.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4584
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7140.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7140.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5076
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1040
          4⤵
          • Program crash
          PID:4920
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0942.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0942.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:116
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4472
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 1512
          4⤵
          • Program crash
          PID:5216
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si112761.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si112761.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5648
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5076 -ip 5076
    1⤵
      PID:4344
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 116 -ip 116
      1⤵
        PID:2116

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si112761.exe
        Filesize

        168KB

        MD5

        269e1e312598b0bf4213d42d1be3e0b9

        SHA1

        364ed78263a701e8549d7f7a2d90b8f007b73d50

        SHA256

        1de286fd81c34fe941b39c5636b32fa4327f2d0ff4e2f673fce0a84d441583e1

        SHA512

        9f7be7be7681bd710db38b468625b080bba8231c901bdb7e25af6d329bd011d5121b78e7cad0d868fceb33379bb1739861e703a627b484e17e68a5c7623b591b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un734386.exe
        Filesize

        641KB

        MD5

        0d720e09fc861e7c153c7b902bd709ce

        SHA1

        86c67ebb5166052b3f29a6c3e22c01c7cf235197

        SHA256

        83d944550af3e6ff4589404a07bde6a457800352a914d7d7de7d70260e8b353f

        SHA512

        45b370e42785cba80a7b0771dffff72e99e3bf54395b01a49f8a43906e5e1f2e8523ee7d7cbb8d9f628086741dce05d80645ab2a2ed4d0df280006cc91976630

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7140.exe
        Filesize

        241KB

        MD5

        bc78725b18d35389e046e95028396b42

        SHA1

        4e57e1b0aa9f0fd62b7531669f93d2f1525dd736

        SHA256

        ee311bf43aa2216a900a6f4a29d83eed55d39dbb49097f43ec282bcfe1da0d36

        SHA512

        62f2d7c91a68eca9e54d0b0a033a57766b6c791b966d964c7219db1a5cbb0eb272a78762b6eb76de6fab62b88d662e19d14fdb74b475e581ff46ba20e5675309

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0942.exe
        Filesize

        424KB

        MD5

        de1b437cfe38dc89ad2e60539e70bace

        SHA1

        bf0daf7a7a0fe347839fcf5232741f6b4718d3d9

        SHA256

        3b65a11ff7e62bad8d32381c5adf68adae31af445f1492862871c95b8c146d0e

        SHA512

        f9e978572e53274f674fdc8ee018abd71a6e3e15d33b46358c8e119b8c243460d2521a07c588df936440a5bf8195b9567fb73d0398af5b8c9ef246e9045c9d2a

        Download Submit

      • C:\Windows\Temp\1.exe
        Filesize

        168KB

        MD5

        1073b2e7f778788852d3f7bb79929882

        SHA1

        7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

        SHA256

        c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

        SHA512

        90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

        Download Submit

      • memory/116-69-0x00000000051D0000-0x000000000522F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/116-60-0x0000000004B70000-0x0000000004BD6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/116-62-0x00000000051D0000-0x000000000522F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/116-93-0x00000000051D0000-0x000000000522F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/116-2142-0x0000000005400000-0x0000000005432000-memory.dmp

        Filesize

        200KB

        Download

      • memory/116-63-0x00000000051D0000-0x000000000522F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/116-65-0x00000000051D0000-0x000000000522F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/116-67-0x00000000051D0000-0x000000000522F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/116-71-0x00000000051D0000-0x000000000522F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/116-75-0x00000000051D0000-0x000000000522F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/116-77-0x00000000051D0000-0x000000000522F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/116-81-0x00000000051D0000-0x000000000522F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/116-83-0x00000000051D0000-0x000000000522F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/116-79-0x00000000051D0000-0x000000000522F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/116-88-0x00000000051D0000-0x000000000522F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/116-89-0x00000000051D0000-0x000000000522F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/116-91-0x00000000051D0000-0x000000000522F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/116-95-0x00000000051D0000-0x000000000522F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/116-73-0x00000000051D0000-0x000000000522F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/116-85-0x00000000051D0000-0x000000000522F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/116-61-0x00000000051D0000-0x0000000005236000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4472-2164-0x0000000004B10000-0x0000000004B5C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4472-2155-0x00000000000A0000-0x00000000000D0000-memory.dmp

        Filesize

        192KB

        Download

      • memory/4472-2159-0x00000000023C0000-0x00000000023D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4472-2158-0x0000000004C20000-0x0000000004D2A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/4472-2157-0x0000000005130000-0x0000000005748000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/4472-2156-0x00000000009B0000-0x00000000009B6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/4472-2160-0x0000000004970000-0x00000000049AC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/5076-23-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5076-45-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5076-55-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/5076-25-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5076-27-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5076-29-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5076-33-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5076-35-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5076-37-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5076-39-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5076-41-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5076-43-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5076-17-0x0000000000400000-0x00000000004AA000-memory.dmp

        Filesize

        680KB

        Download

      • memory/5076-22-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5076-47-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5076-49-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5076-31-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5076-16-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/5076-50-0x00000000004E0000-0x00000000005E0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/5076-19-0x00000000023B0000-0x00000000023CA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/5076-51-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/5076-54-0x0000000000400000-0x00000000004AA000-memory.dmp

        Filesize

        680KB

        Download

      • memory/5076-18-0x0000000000400000-0x00000000004AA000-memory.dmp

        Filesize

        680KB

        Download

      • memory/5076-21-0x0000000004A40000-0x0000000004A58000-memory.dmp

        Filesize

        96KB

        Download

      • memory/5076-15-0x00000000004E0000-0x00000000005E0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/5076-20-0x0000000004AD0000-0x0000000005074000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/5648-2166-0x00000000007F0000-0x000000000081E000-memory.dmp

        Filesize

        184KB

        Download

      • memory/5648-2167-0x0000000000EF0000-0x0000000000EF6000-memory.dmp

        Filesize

        24KB

        Download