Overview

overview

10

Static

static

3

8b7b44ec3c...54.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-11-2024 00:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8b7b44ec3c543dea5c0f011f71278f9eeba2147cd0d562be89fad8c300cca554.exe

  • Size

    1.1MB

  • MD5

    2102acc6f2b08cd996047e9a56747430

  • SHA1

    95b005eb723f873c33855fd2c0044dcb728e9d81

  • SHA256

    8b7b44ec3c543dea5c0f011f71278f9eeba2147cd0d562be89fad8c300cca554

  • SHA512

    b371adbefde689b57a5052daa9fe816fb1e541fc5c377b1032d49d3d52afd19d4f18de7f2956003d5753c51a69459a85cf221de3257fd8c372afa911a5faec26

  • SSDEEP

    24576:JyX4m03gVt+F04ysmEMwn7U4Qtids9993rE6NdeDEZR1+8dTLs:8X4m03NBmEd7UQE997EpDER1BL

Score
10/10
healerredlinedizaladadiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

lada

C2

185.161.248.90:4125

Attributes
  • auth_value

    0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

diza

C2

185.161.248.90:4125

Attributes
  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b7b44ec3c543dea5c0f011f71278f9eeba2147cd0d562be89fad8c300cca554.exe
    "C:\Users\Admin\AppData\Local\Temp\8b7b44ec3c543dea5c0f011f71278f9eeba2147cd0d562be89fad8c300cca554.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un372336.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un372336.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5000
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un281842.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un281842.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4828
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr604077.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr604077.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4532
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 1068
            5⤵
            • Program crash
            PID:4488
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu620838.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu620838.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:344
          • C:\Windows\Temp\1.exe
            "C:\Windows\Temp\1.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1220
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 344 -s 1516
            5⤵
            • Program crash
            PID:1240
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk538579.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk538579.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1984
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4532 -ip 4532
    1⤵
      PID:4524
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 344 -ip 344
      1⤵
        PID:2300

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un372336.exe
        Filesize

        852KB

        MD5

        6953d1e6e9a051d8d1257c9b5f0a0397

        SHA1

        b04477685081ffe808b2017aa1f545fe9c933c94

        SHA256

        97f5dd9b6b794fa7e060e085b3e9537cce929eb1fda07fc2123d10b7f14d1a20

        SHA512

        f4045be3d90a8396d9e6538b7b4087a282492022f63cd2eec299fe874e407be28fa751d775cbe215b5f29b529e0a2ebc6dd514810fdae74628af147f5cd981df

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk538579.exe
        Filesize

        168KB

        MD5

        c52ebada00a59ec1f651a0e9fbcef2eb

        SHA1

        e1941278df76616f1ca3202ef2a9f99d2592d52f

        SHA256

        35d5cff482e78c0137b3c51556d1e14aab0f38921ebfe46abc979a826301d28e

        SHA512

        6b11124fa6cfa1d2fdb8b6a4cc237b4a65ecbeb1797179568dcef378041ce05bdf0af9b6434cc0b3feb2479112d003b0fa5c0d2178c73bc65d35f5c2cfb36be2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un281842.exe
        Filesize

        699KB

        MD5

        612ee80ce8aa793f3f2bfa49dcaf6b72

        SHA1

        e1b2e97b0d2123c987c7e7522ade5b549cb23064

        SHA256

        385d77d076b639c635f11be86d1776f88ddf877664a27d36015d37fa47690601

        SHA512

        f7a5f025dee52cc3906e99f7b038f78200101970ac4fd05bbfae8bbb53c99fbc3fcfcdb7e64568a4aafabc7ad8f7c820751ed3e7466f84b5c1e2ba0404222a96

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr604077.exe
        Filesize

        403KB

        MD5

        fee1d5d310e0d41eda8d7d65cb9a1a5b

        SHA1

        e2c9843ac9f09ed272273b8984ba5d778eddb5f1

        SHA256

        810f294d2c829b5cc5af1b3061f6e3fcefe3f7518341773e2d3e86a8a7298123

        SHA512

        753ab3a015bf425af4df7c3c876838d5f04752f561d192d24dca6fe778428775d9a7f9e83d9383aaba2fa555dc648dc55c105b727d5c52cba00d23924d276fab

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu620838.exe
        Filesize

        586KB

        MD5

        dff0629229278df8fe1a791e221af012

        SHA1

        e40c48286ab56d11a5d77d32e52fa455db0fe4e8

        SHA256

        726f3755e27da48f218ab418a9c5373f319bf1e3dd5513fc6ea51b86aeb9852c

        SHA512

        e6934c34213853bffbcbd1f2aa865c6b5431a1af9daf5e1323c7d30f9d5e5471be9759c59848d6f22f678597c3578e29b23b9965c3b9e9ce44f664d75788278f

        Download Submit

      • C:\Windows\Temp\1.exe
        Filesize

        168KB

        MD5

        03728fed675bcde5256342183b1d6f27

        SHA1

        d13eace7d3d92f93756504b274777cc269b222a2

        SHA256

        f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

        SHA512

        6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

        Download Submit

      • memory/344-66-0x0000000002A30000-0x0000000002A90000-memory.dmp

        Filesize

        384KB

        Download

      • memory/344-2205-0x0000000002AE0000-0x0000000002B12000-memory.dmp

        Filesize

        200KB

        Download

      • memory/344-64-0x0000000002A30000-0x0000000002A90000-memory.dmp

        Filesize

        384KB

        Download

      • memory/344-63-0x0000000002A30000-0x0000000002A90000-memory.dmp

        Filesize

        384KB

        Download

      • memory/344-77-0x0000000002A30000-0x0000000002A90000-memory.dmp

        Filesize

        384KB

        Download

      • memory/344-80-0x0000000002A30000-0x0000000002A90000-memory.dmp

        Filesize

        384KB

        Download

      • memory/344-68-0x0000000002A30000-0x0000000002A90000-memory.dmp

        Filesize

        384KB

        Download

      • memory/344-70-0x0000000002A30000-0x0000000002A90000-memory.dmp

        Filesize

        384KB

        Download

      • memory/344-72-0x0000000002A30000-0x0000000002A90000-memory.dmp

        Filesize

        384KB

        Download

      • memory/344-78-0x0000000002A30000-0x0000000002A90000-memory.dmp

        Filesize

        384KB

        Download

      • memory/344-82-0x0000000002A30000-0x0000000002A90000-memory.dmp

        Filesize

        384KB

        Download

      • memory/344-84-0x0000000002A30000-0x0000000002A90000-memory.dmp

        Filesize

        384KB

        Download

      • memory/344-88-0x0000000002A30000-0x0000000002A90000-memory.dmp

        Filesize

        384KB

        Download

      • memory/344-90-0x0000000002A30000-0x0000000002A90000-memory.dmp

        Filesize

        384KB

        Download

      • memory/344-92-0x0000000002A30000-0x0000000002A90000-memory.dmp

        Filesize

        384KB

        Download

      • memory/344-94-0x0000000002A30000-0x0000000002A90000-memory.dmp

        Filesize

        384KB

        Download

      • memory/344-86-0x0000000002A30000-0x0000000002A90000-memory.dmp

        Filesize

        384KB

        Download

      • memory/344-74-0x0000000002A30000-0x0000000002A90000-memory.dmp

        Filesize

        384KB

        Download

      • memory/344-61-0x0000000002830000-0x0000000002898000-memory.dmp

        Filesize

        416KB

        Download

      • memory/344-62-0x0000000002A30000-0x0000000002A96000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1220-2219-0x00000000005B0000-0x00000000005DE000-memory.dmp

        Filesize

        184KB

        Download

      • memory/1220-2231-0x00000000027A0000-0x00000000027EC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1220-2230-0x000000000A4C0000-0x000000000A4FC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1220-2228-0x000000000A5B0000-0x000000000A6BA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/1220-2227-0x000000000AAC0000-0x000000000B0D8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/1220-2220-0x0000000002880000-0x0000000002886000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1984-2229-0x00000000052D0000-0x00000000052E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1984-2226-0x0000000005220000-0x0000000005226000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1984-2225-0x0000000000940000-0x0000000000970000-memory.dmp

        Filesize

        192KB

        Download

      • memory/4532-46-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4532-23-0x0000000004F10000-0x00000000054B4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4532-42-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4532-44-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4532-24-0x0000000004DC0000-0x0000000004DD8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/4532-30-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4532-48-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4532-50-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4532-52-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4532-40-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4532-38-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4532-36-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4532-22-0x0000000002580000-0x000000000259A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4532-34-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4532-32-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4532-29-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4532-26-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4532-25-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4532-53-0x0000000000400000-0x0000000000809000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/4532-55-0x0000000000400000-0x0000000000809000-memory.dmp

        Filesize

        4.0MB

        Download