Overview

overview

10

Static

static

3

6bed97b996...fa.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 15:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6bed97b996fb524fe2a3c8a36d2b443e8b6107b493a5f35a2fe6112d4de7a0fa.exe

  • Size

    683KB

  • MD5

    fd0e6c7589f160b22a110e09978411e0

  • SHA1

    79c84c11994c99de68f3ec0b769179804becd40b

  • SHA256

    6bed97b996fb524fe2a3c8a36d2b443e8b6107b493a5f35a2fe6112d4de7a0fa

  • SHA512

    ed66a7974240ed2c2f73603e6b517cb34bb1cae191623ce89052908b8f08fe10496f5113e9e427530520130bcd4af6d0f096786c9a04f97c43f0707d695f9bf3

  • SSDEEP

    12288:VMrWy90Ky/nzfwq7ACa4e4Hzo+s529Y542IqwbyoDQfNnxZNor7ru6YQJcnf1:nyarsN4OaSGBD6Hs/t3cf1

Score
10/10
healerredlinedizanormdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

C2

77.91.124.145:4125

Attributes
  • auth_value

    bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6bed97b996fb524fe2a3c8a36d2b443e8b6107b493a5f35a2fe6112d4de7a0fa.exe
    "C:\Users\Admin\AppData\Local\Temp\6bed97b996fb524fe2a3c8a36d2b443e8b6107b493a5f35a2fe6112d4de7a0fa.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziKm6825.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziKm6825.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2820
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr324991.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr324991.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1500
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku686410.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku686410.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3272
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2020
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 1508
          4⤵
          • Program crash
          PID:5700
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr182424.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr182424.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1388
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3272 -ip 3272
    1⤵
      PID:4140

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr182424.exe
      Filesize

      169KB

      MD5

      11112d1fda01799c025df699a662ba8f

      SHA1

      d917c9d035ad48a0586782cf3c1940e8fd945073

      SHA256

      0dcdd1a768a3be6553c7b420a4741c430086fc626032451477ec0488cfdb605e

      SHA512

      d696cb10a99ef61544bedf1be6b6b3f2d5e17894bd8109e45109e86b065432ec564a9991ee93e27f9969c55744629e34b61bdb9cc8b52ced8216af2c6c6bb110

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziKm6825.exe
      Filesize

      530KB

      MD5

      cd5275a43ec2e222441b72437807bfa7

      SHA1

      0bf2e07e46915172464170bbeaadc3c17224369a

      SHA256

      15c34d596d1a3f1fe247832a11300fd37478ecd6e1afe66580710f63caf97941

      SHA512

      d89f6244da9e437cfd0d61a23c19650217f66922c0da47cef39d4d9a00cf568e5bdae168678117093cd99e5214ce1c7997f0b33994526dda6fd15a13a7e82f5f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr324991.exe
      Filesize

      12KB

      MD5

      fb326fe292e88d46e3912c96212abc53

      SHA1

      bea325fa8cb13e6ee0522ee65b6ae737b9120ed7

      SHA256

      93b2222c6db173f592daf35ff9c13d91d38b56d413979918d2c21aae8b5e5cc1

      SHA512

      50be00f838d5a490d2fd13b25566d515ee1ea9d5eb6b63d5486e29337dc803f46f5c33b04f97e98cf2b4a1b950da0aa3e0eea5e88495822f81216619c9a68ebd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku686410.exe
      Filesize

      495KB

      MD5

      3de64d9acede2253f206a5730351287f

      SHA1

      bfaf48aede5adb149f70b36732d8c45cbba6405e

      SHA256

      ad22f49ac1c307f25ef0379b791b3c22b2a3f8c88cdcd572dbfef0e93bcde507

      SHA512

      eba5fbb32fbbfebb9163a8db711f5154e9e7ed65eb33b67464386d4c5b92eb27d53bf92153db61debbe5b8898c15f14b74e35be7de909c23828ae74eef7030ca

      Download Submit

    • C:\Windows\Temp\1.exe
      Filesize

      168KB

      MD5

      1073b2e7f778788852d3f7bb79929882

      SHA1

      7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

      SHA256

      c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

      SHA512

      90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

      Download Submit

    • memory/1388-2130-0x0000000004F80000-0x0000000004F86000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1388-2129-0x00000000007B0000-0x00000000007DE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1500-14-0x00007FFE569F3000-0x00007FFE569F5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1500-16-0x00007FFE569F3000-0x00007FFE569F5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1500-15-0x0000000000170000-0x000000000017A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2020-2119-0x0000000004E80000-0x0000000004E86000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2020-2120-0x00000000054E0000-0x0000000005AF8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2020-2118-0x00000000005B0000-0x00000000005E0000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2020-2124-0x0000000005100000-0x000000000514C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2020-2123-0x0000000004F80000-0x0000000004FBC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2020-2122-0x0000000004F20000-0x0000000004F32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2020-2121-0x0000000004FF0000-0x00000000050FA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3272-63-0x00000000054F0000-0x000000000554F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3272-38-0x00000000054F0000-0x000000000554F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3272-78-0x00000000054F0000-0x000000000554F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3272-76-0x00000000054F0000-0x000000000554F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3272-75-0x00000000054F0000-0x000000000554F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3272-72-0x00000000054F0000-0x000000000554F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3272-68-0x00000000054F0000-0x000000000554F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3272-66-0x00000000054F0000-0x000000000554F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3272-64-0x00000000054F0000-0x000000000554F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3272-84-0x00000000054F0000-0x000000000554F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3272-60-0x00000000054F0000-0x000000000554F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3272-58-0x00000000054F0000-0x000000000554F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3272-56-0x00000000054F0000-0x000000000554F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3272-54-0x00000000054F0000-0x000000000554F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3272-52-0x00000000054F0000-0x000000000554F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3272-50-0x00000000054F0000-0x000000000554F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3272-48-0x00000000054F0000-0x000000000554F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3272-46-0x00000000054F0000-0x000000000554F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3272-40-0x00000000054F0000-0x000000000554F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3272-80-0x00000000054F0000-0x000000000554F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3272-36-0x00000000054F0000-0x000000000554F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3272-34-0x00000000054F0000-0x000000000554F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3272-32-0x00000000054F0000-0x000000000554F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3272-30-0x00000000054F0000-0x000000000554F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3272-82-0x00000000054F0000-0x000000000554F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3272-70-0x00000000054F0000-0x000000000554F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3272-86-0x00000000054F0000-0x000000000554F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3272-88-0x00000000054F0000-0x000000000554F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3272-42-0x00000000054F0000-0x000000000554F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3272-44-0x00000000054F0000-0x000000000554F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3272-24-0x00000000054F0000-0x0000000005556000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3272-23-0x0000000004F40000-0x00000000054E4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3272-22-0x0000000004ED0000-0x0000000004F36000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3272-28-0x00000000054F0000-0x000000000554F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3272-26-0x00000000054F0000-0x000000000554F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3272-25-0x00000000054F0000-0x000000000554F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3272-2105-0x0000000005740000-0x0000000005772000-memory.dmp

      Filesize

      200KB

      Download