Overview

overview

10

Static

static

3

b5fa545437...da.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-11-2024 15:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b5fa545437628da988c0acaf2812778deb03356a0d60096920b5aad7f11fbada.exe

  • Size

    684KB

  • MD5

    66ccb6290b9517973a2536c6a63ce55d

  • SHA1

    13e2c69cd15e558bb1ee6823d17ae0413e492f70

  • SHA256

    b5fa545437628da988c0acaf2812778deb03356a0d60096920b5aad7f11fbada

  • SHA512

    21003194adaad3cc6c6e2e8dfe905455f076d5c31bb861c5c78b037274b5f3085f2ed9fc9c41bfd3ecee273a9e5f326657a49d23f449b0382ab6b8a7542030bc

  • SSDEEP

    12288:+MrVy90UkTFR2AlY3i9k90ye1nj4L27FYSG12LrSQ7f15yEfwJ1OXnqS:3yghxnk90yl2GluXf15y0jXnb

Score
10/10
healerredlinedizanormdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

C2

77.91.124.145:4125

Attributes
  • auth_value

    bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b5fa545437628da988c0acaf2812778deb03356a0d60096920b5aad7f11fbada.exe
    "C:\Users\Admin\AppData\Local\Temp\b5fa545437628da988c0acaf2812778deb03356a0d60096920b5aad7f11fbada.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3584
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHj6914.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHj6914.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:756
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr441762.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr441762.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4380
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku760359.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku760359.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2604
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:6348
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 1176
          4⤵
          • Program crash
          PID:6612
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr249128.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr249128.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:6816
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2604 -ip 2604
    1⤵
      PID:6548

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr249128.exe
      Filesize

      169KB

      MD5

      c473c04e0a9b580e7ade77f0cf07a670

      SHA1

      1ab5a052f4b4729ca8c8e8433e963ae90519dfb0

      SHA256

      b0613827b045785e96c535c6ddd99fa8e04f93b73dd3220587f17884ec31469a

      SHA512

      d5df723d2c69c20fd32834b1233ea1e84f14d471c156ae0450cc1c330d3f5bbcd89fc022147756627ea98fce4d6e16afb179458b90d0a9554942e120e9faedf0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHj6914.exe
      Filesize

      530KB

      MD5

      cf8c96513753595e188e0aed4953c610

      SHA1

      7380e7c18a509a9ae513b4fc06dfc627928c7f93

      SHA256

      d3b7e789dd40ff8457574e68d188bf3e90606057ed8992dbf739da795fb6cd57

      SHA512

      200fcfb234ebe56d769d83f7ea4a4c3bbad1825b51db0c5de031ca1d3bdf3f1334d7f34c2d693f5437921728705066c29f61b137d0d813f0823f729e216d1d1b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr441762.exe
      Filesize

      12KB

      MD5

      ad75ca6ec8b6a9087ed85a88c0e04fea

      SHA1

      8e2a78c537bf1d8fd0d487837bd0baf9bbefe1d8

      SHA256

      5b101583de60ad2876b768b8254ee40a792b649487fba6fcc2f3bbeb96d520eb

      SHA512

      53b984c7605f4baf323849a50b7c7fe312161eb88eb10f0bb92a3e817b839c03bbb32e723daa8cfefdb6ff94ce9753b79eff67aeb77cc325a6cbb86204908823

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku760359.exe
      Filesize

      495KB

      MD5

      750207b822afb581b0c1adef5099cfd2

      SHA1

      9358add7abfd23d55e93f655a050a0c360177498

      SHA256

      2474bcd1774f17cc4f918cd7753da851f4cd17b9ad77a17e8dcdcf64b8663151

      SHA512

      5308a583b698974cd109d21e315f30030dd636a3f4b9bf982e2a9364c8f5fbd701723d3930e6bbec52356c7829543c201092bc6e56c80dec6610d8eaa65e79f0

      Download Submit

    • C:\Windows\Temp\1.exe
      Filesize

      168KB

      MD5

      1073b2e7f778788852d3f7bb79929882

      SHA1

      7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

      SHA256

      c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

      SHA512

      90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

      Download Submit

    • memory/2604-50-0x0000000005540000-0x000000000559F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2604-84-0x0000000005540000-0x000000000559F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2604-24-0x0000000005540000-0x00000000055A6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2604-28-0x0000000005540000-0x000000000559F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2604-40-0x0000000005540000-0x000000000559F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2604-86-0x0000000005540000-0x000000000559F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2604-38-0x0000000005540000-0x000000000559F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2604-82-0x0000000005540000-0x000000000559F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2604-80-0x0000000005540000-0x000000000559F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2604-78-0x0000000005540000-0x000000000559F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2604-76-0x0000000005540000-0x000000000559F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2604-36-0x0000000005540000-0x000000000559F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2604-70-0x0000000005540000-0x000000000559F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2604-69-0x0000000005540000-0x000000000559F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2604-66-0x0000000005540000-0x000000000559F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2604-64-0x0000000005540000-0x000000000559F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2604-62-0x0000000005540000-0x000000000559F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2604-60-0x0000000005540000-0x000000000559F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2604-56-0x0000000005540000-0x000000000559F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2604-54-0x0000000005540000-0x000000000559F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2604-44-0x0000000005540000-0x000000000559F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2604-22-0x0000000002B60000-0x0000000002BC6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2604-48-0x0000000005540000-0x000000000559F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2604-46-0x0000000005540000-0x000000000559F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2604-52-0x0000000005540000-0x000000000559F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2604-23-0x0000000004F50000-0x00000000054F4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2604-74-0x0000000005540000-0x000000000559F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2604-34-0x0000000005540000-0x000000000559F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2604-32-0x0000000005540000-0x000000000559F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2604-30-0x0000000005540000-0x000000000559F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2604-88-0x0000000005540000-0x000000000559F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2604-72-0x0000000005540000-0x000000000559F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2604-58-0x0000000005540000-0x000000000559F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2604-42-0x0000000005540000-0x000000000559F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2604-26-0x0000000005540000-0x000000000559F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2604-25-0x0000000005540000-0x000000000559F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2604-2105-0x0000000005750000-0x0000000005782000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4380-14-0x00007FFE0A503000-0x00007FFE0A505000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4380-15-0x0000000000D30000-0x0000000000D3A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4380-16-0x00007FFE0A503000-0x00007FFE0A505000-memory.dmp

      Filesize

      8KB

      Download

    • memory/6348-2118-0x00000000001D0000-0x0000000000200000-memory.dmp

      Filesize

      192KB

      Download

    • memory/6348-2119-0x0000000002370000-0x0000000002376000-memory.dmp

      Filesize

      24KB

      Download

    • memory/6348-2120-0x0000000005210000-0x0000000005828000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/6348-2121-0x0000000004D00000-0x0000000004E0A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/6348-2122-0x0000000004A40000-0x0000000004A52000-memory.dmp

      Filesize

      72KB

      Download

    • memory/6348-2123-0x0000000004AA0000-0x0000000004ADC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/6348-2124-0x0000000004C00000-0x0000000004C4C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/6816-2129-0x0000000000750000-0x000000000077E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/6816-2130-0x0000000002A60000-0x0000000002A66000-memory.dmp

      Filesize

      24KB

      Download