Overview

overview

10

Static

static

3

684bc1b262...59.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-11-2024 13:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    684bc1b262a497ed46f48d206005da97e82bc50d50e236feab0396746218f259.exe

  • Size

    852KB

  • MD5

    2b9a4061be08d9ed11bb133c1001d238

  • SHA1

    5523a3dc826fd709cb74ddc2064723c82f392da5

  • SHA256

    684bc1b262a497ed46f48d206005da97e82bc50d50e236feab0396746218f259

  • SHA512

    745096b2a5b87026d56dfa182664af1e94b1924c2ecc31b13931ac309598769d58fb0e23e01e3bea22b91bc8aedbd2863a64da70df1b44c5724df826be954e44

  • SSDEEP

    24576:ByqrzyTz9By9UaD4AlWvQktMIQOGrSJx4GlPF6a:0qrzyTzjytevztfvG6x4j

Score
10/10
healerredlinedizaladadiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

lada

C2

185.161.248.90:4125

Attributes
  • auth_value

    0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

diza

C2

185.161.248.90:4125

Attributes
  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\684bc1b262a497ed46f48d206005da97e82bc50d50e236feab0396746218f259.exe
    "C:\Users\Admin\AppData\Local\Temp\684bc1b262a497ed46f48d206005da97e82bc50d50e236feab0396746218f259.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3904
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un962316.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un962316.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4632
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr992912.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr992912.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4488
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 1092
          4⤵
          • Program crash
          PID:3384
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu796803.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu796803.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2412
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:5264
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 1332
          4⤵
          • Program crash
          PID:796
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si671424.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si671424.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2716
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4488 -ip 4488
    1⤵
      PID:1140
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2412 -ip 2412
      1⤵
        PID:3604

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si671424.exe
        Filesize

        168KB

        MD5

        c52ebada00a59ec1f651a0e9fbcef2eb

        SHA1

        e1941278df76616f1ca3202ef2a9f99d2592d52f

        SHA256

        35d5cff482e78c0137b3c51556d1e14aab0f38921ebfe46abc979a826301d28e

        SHA512

        6b11124fa6cfa1d2fdb8b6a4cc237b4a65ecbeb1797179568dcef378041ce05bdf0af9b6434cc0b3feb2479112d003b0fa5c0d2178c73bc65d35f5c2cfb36be2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un962316.exe
        Filesize

        698KB

        MD5

        906faf847bacfbae52ac84bfa94ff72d

        SHA1

        f4d1281086881d6d3aa13e9dc72f78d23837a35a

        SHA256

        e7e083acf9f26bea42015f06d7814b81c46a8c0c4360db12ff07ac9d496f104e

        SHA512

        f520109cb9c807b9ab797a75f0b584c622a6f860ffc9d01d15ec4c1742e389ade8c47046fa054ca11cbe52be0913eb0eba23517b9a08c529e633260a8fa5b253

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr992912.exe
        Filesize

        403KB

        MD5

        f29a783444a7ac89f233178741e41ca9

        SHA1

        ef0fdbb1ea15a92ae1bcaeee472b36948cd3e63a

        SHA256

        e84690dd23089103aa3583a10d0910d42f9e1ac69cd3b162f2312a70d50dc790

        SHA512

        55d92c369c052e5c09e0214868f6b2612c6d19ea67656957e3af9a728943f0b047a6cf303f1ea8c7ca9b99d5dc53f36c7ab82ea900a8b6f6f0b3c98df19acfc9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu796803.exe
        Filesize

        586KB

        MD5

        9d2239b8f1e2b764eadde19d20c89827

        SHA1

        93565ca4acaeb9b09d9d35387b60ce6a5f8fbed8

        SHA256

        b0602ef359a9b98d4f908c109ca7135a0cccd5cf05084615466151bb83093a26

        SHA512

        4cd92a69638f8ad0c5206e95ee16b2db3ad9527de5abb9af2bededcc72bae56fa5386909fbdb6d93d920f70788819f6c2b01e92ecf3b061340efe6d54eecb625

        Download Submit

      • C:\Windows\Temp\1.exe
        Filesize

        168KB

        MD5

        03728fed675bcde5256342183b1d6f27

        SHA1

        d13eace7d3d92f93756504b274777cc269b222a2

        SHA256

        f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

        SHA512

        6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

        Download Submit

      • memory/2412-66-0x0000000004E40000-0x0000000004EA0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2412-74-0x0000000004E40000-0x0000000004EA0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2412-62-0x0000000004E40000-0x0000000004EA6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2412-72-0x0000000004E40000-0x0000000004EA0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2412-2205-0x0000000005750000-0x0000000005782000-memory.dmp

        Filesize

        200KB

        Download

      • memory/2412-70-0x0000000004E40000-0x0000000004EA0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2412-96-0x0000000004E40000-0x0000000004EA0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2412-63-0x0000000004E40000-0x0000000004EA0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2412-88-0x0000000004E40000-0x0000000004EA0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2412-64-0x0000000004E40000-0x0000000004EA0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2412-68-0x0000000004E40000-0x0000000004EA0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2412-61-0x0000000004DD0000-0x0000000004E38000-memory.dmp

        Filesize

        416KB

        Download

      • memory/2412-76-0x0000000004E40000-0x0000000004EA0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2412-78-0x0000000004E40000-0x0000000004EA0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2412-82-0x0000000004E40000-0x0000000004EA0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2412-84-0x0000000004E40000-0x0000000004EA0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2412-86-0x0000000004E40000-0x0000000004EA0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2412-90-0x0000000004E40000-0x0000000004EA0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2412-92-0x0000000004E40000-0x0000000004EA0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2412-94-0x0000000004E40000-0x0000000004EA0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2412-80-0x0000000004E40000-0x0000000004EA0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2716-2229-0x0000000000340000-0x0000000000370000-memory.dmp

        Filesize

        192KB

        Download

      • memory/2716-2230-0x0000000004B50000-0x0000000004B56000-memory.dmp

        Filesize

        24KB

        Download

      • memory/4488-29-0x0000000002960000-0x0000000002972000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4488-17-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/4488-55-0x0000000000400000-0x0000000000809000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/4488-56-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/4488-52-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/4488-51-0x0000000000970000-0x000000000099D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/4488-47-0x0000000002960000-0x0000000002972000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4488-50-0x00000000009F0000-0x0000000000AF0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/4488-22-0x0000000002960000-0x0000000002972000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4488-23-0x0000000002960000-0x0000000002972000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4488-25-0x0000000002960000-0x0000000002972000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4488-19-0x0000000002760000-0x000000000277A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4488-31-0x0000000002960000-0x0000000002972000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4488-33-0x0000000002960000-0x0000000002972000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4488-35-0x0000000002960000-0x0000000002972000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4488-37-0x0000000002960000-0x0000000002972000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4488-39-0x0000000002960000-0x0000000002972000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4488-18-0x0000000000400000-0x0000000000809000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/4488-41-0x0000000002960000-0x0000000002972000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4488-43-0x0000000002960000-0x0000000002972000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4488-45-0x0000000002960000-0x0000000002972000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4488-49-0x0000000002960000-0x0000000002972000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4488-27-0x0000000002960000-0x0000000002972000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4488-16-0x0000000000970000-0x000000000099D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/4488-20-0x0000000004EE0000-0x0000000005484000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4488-21-0x0000000002960000-0x0000000002978000-memory.dmp

        Filesize

        96KB

        Download

      • memory/4488-15-0x00000000009F0000-0x0000000000AF0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/5264-2221-0x0000000004D80000-0x0000000004E8A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/5264-2222-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5264-2220-0x0000000005290000-0x00000000058A8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/5264-2227-0x0000000004D00000-0x0000000004D3C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/5264-2228-0x0000000004E90000-0x0000000004EDC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/5264-2219-0x0000000004B00000-0x0000000004B06000-memory.dmp

        Filesize

        24KB

        Download

      • memory/5264-2218-0x0000000000330000-0x000000000035E000-memory.dmp

        Filesize

        184KB

        Download