Overview

overview

10

Static

static

3

7e7cc0a345...2b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-11-2024 11:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7e7cc0a34510907267aabba1d2894fe8da8cac06376e162522aa3c3dc151342b.exe

  • Size

    651KB

  • MD5

    9a63c3084c7a70e97619ca768a21f26d

  • SHA1

    da019f185ebd7904f1cbc33db534c3b41fe9e2ee

  • SHA256

    7e7cc0a34510907267aabba1d2894fe8da8cac06376e162522aa3c3dc151342b

  • SHA512

    5bf5edded98bde06b23f2626d509dd4bef2a5a1136c250bb9360143b2ae73a8be6dacaa9d325295ad71d506d774b44cf41ca8061d4c5e86df45c8d359073351d

  • SSDEEP

    12288:OMrRy906R/3MRy7zQcWgJ7dzCt38UbhXO+uH9/dcn+MP0+E:/y73zYcv5d2t38eVuTvkE

Score
10/10
healerredlinedizanormdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

C2

77.91.124.145:4125

Attributes
  • auth_value

    bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7e7cc0a34510907267aabba1d2894fe8da8cac06376e162522aa3c3dc151342b.exe
    "C:\Users\Admin\AppData\Local\Temp\7e7cc0a34510907267aabba1d2894fe8da8cac06376e162522aa3c3dc151342b.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2264
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziId4202.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziId4202.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4604
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr454031.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr454031.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3548
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku918387.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku918387.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2108
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:5704
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 1156
          4⤵
          • Program crash
          PID:5944
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr688333.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr688333.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:6064
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2108 -ip 2108
    1⤵
      PID:5872

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr688333.exe
      Filesize

      168KB

      MD5

      72f7f7cbd5aefb87401a763949adeaf5

      SHA1

      de47128b6dd5af0efa5bb3b0782b1964bcced3bc

      SHA256

      f6a7262f3d62588d0ffd4b7350044427e8b40b510bdf4067ef0bdd6232a6aacc

      SHA512

      b06a2601747e0d27b9362356862c1876735297ff0658fd47f4b0db465222518391eb0fc6f36c673bb95de6b803ab3f85349856354b0f3dc3513e3261d367b8ca

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziId4202.exe
      Filesize

      496KB

      MD5

      463802aa1ff93dada757e41f3aa72aed

      SHA1

      acb6e448bdce72acdd06098cbbfcd3b900828a01

      SHA256

      058e100c29a94c762ef0c2a2f0a0d7489d61a83a7d9078f5a89d056243838d83

      SHA512

      222df19fd1e71faf464c1468bfdcc5bd27b8552b4089a7c3d76f415f0963012d43b7d444d657b174f7d8fbcb02cff8975f7061d99a30108519033156a0b03db4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr454031.exe
      Filesize

      11KB

      MD5

      e6748ab66fec2427d1856c4e5fa779b9

      SHA1

      20f6886a077f11fdf63e1f999841bd87cba5c65b

      SHA256

      3379c165a3da4905c33bde9880b687cdc1da9b992e7741e89705499a52fb30ef

      SHA512

      ab1f05c0b287cb1b9b765523862343b2c48d9769ea8fe6dd9468cf1c2aa253741b17a0b74a3c836dfc03a559745be5b55e5aa3bfe0378661ea21aec59fb8b8ac

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku918387.exe
      Filesize

      414KB

      MD5

      0052a5aaa808bdb70b9fb947d8876704

      SHA1

      7be83b88205fa249eb5f0e50c7b546db2d8be7f4

      SHA256

      5cb759e230b12f5ac772977a9a194c96bea76950697b07889092b4e1da25b7a5

      SHA512

      3cdbf6e4382e84d74d5badaff637be92574bf628455d9128e7767c87b024c0d838e585945e79ea81edc61dccf257e2ea167d271d913f3be46f89aa1cf2410f77

      Download Submit

    • C:\Windows\Temp\1.exe
      Filesize

      168KB

      MD5

      1073b2e7f778788852d3f7bb79929882

      SHA1

      7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

      SHA256

      c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

      SHA512

      90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

      Download Submit

    • memory/2108-21-0x0000000004A60000-0x0000000004AC6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2108-22-0x0000000004BE0000-0x0000000005184000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2108-23-0x00000000051D0000-0x0000000005236000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2108-35-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2108-43-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2108-87-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2108-85-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2108-83-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2108-81-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2108-79-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2108-77-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2108-75-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2108-73-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2108-71-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2108-69-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2108-67-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2108-65-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2108-63-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2108-59-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2108-57-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2108-55-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2108-53-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2108-51-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2108-49-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2108-47-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2108-45-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2108-41-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2108-39-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2108-37-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2108-33-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2108-31-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2108-30-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2108-27-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2108-25-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2108-61-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2108-24-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2108-2104-0x0000000005400000-0x0000000005432000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3548-15-0x00007FFEE6793000-0x00007FFEE6795000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3548-14-0x0000000000370000-0x000000000037A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/5704-2117-0x0000000000D80000-0x0000000000DB0000-memory.dmp

      Filesize

      192KB

      Download

    • memory/5704-2118-0x00000000055A0000-0x00000000055A6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/5704-2119-0x0000000005D20000-0x0000000006338000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/5704-2120-0x0000000005810000-0x000000000591A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/5704-2121-0x0000000005700000-0x0000000005712000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5704-2122-0x0000000005760000-0x000000000579C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/5704-2123-0x00000000057B0000-0x00000000057FC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/6064-2128-0x00000000002C0000-0x00000000002EE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/6064-2129-0x0000000004AA0000-0x0000000004AA6000-memory.dmp

      Filesize

      24KB

      Download