Overview

overview

10

Static

static

3

ad1c221552...6c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-11-2024 01:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ad1c221552d06f371ef28cf0d829ebb2d6e761538c03252b57edeacb1b53396c.exe

  • Size

    814KB

  • MD5

    cc6a5cefa6d4d1f5e7ed0a0660e092aa

  • SHA1

    dcdf4b8081af60015fe4f10ff50bf0cd816f6875

  • SHA256

    ad1c221552d06f371ef28cf0d829ebb2d6e761538c03252b57edeacb1b53396c

  • SHA512

    a3ae3ac7f7814d447ec8253e1f587fb399ac1bd6857147b6a9d8583e8901fb96f52fcdce9597a81f0feb09dc54ce5fe235a3cd2cfbe4c69db96b803f031f6280

  • SSDEEP

    12288:SMrIy9072kDVNCCELKNVKggJ51AH3wHQKDb4tagLv+3HMsxAXiLOoxt/y74GMvaB:eyanCFLMEVBu+XD0L6HlIbOk4GDB

Score
10/10
healerredlinedizanormdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

C2

77.91.124.145:4125

Attributes
  • auth_value

    bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad1c221552d06f371ef28cf0d829ebb2d6e761538c03252b57edeacb1b53396c.exe
    "C:\Users\Admin\AppData\Local\Temp\ad1c221552d06f371ef28cf0d829ebb2d6e761538c03252b57edeacb1b53396c.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2580
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un301861.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un301861.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4052.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4052.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2508
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 1028
          4⤵
          • Program crash
          PID:2112
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7756.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7756.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4992
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3168
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 1528
          4⤵
          • Program crash
          PID:5240
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si535612.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si535612.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3092
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2508 -ip 2508
    1⤵
      PID:220
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4992 -ip 4992
      1⤵
        PID:5180

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si535612.exe
        Filesize

        169KB

        MD5

        11c0ab1409f39648488afb2af31b2db2

        SHA1

        9c1061e5079baa950b0a2bb8ae80bcd32e33c40c

        SHA256

        268d46825828827cb23c1f6503b537c95be63aa5fdfe39a59b9d0bc1efd5d230

        SHA512

        9241349c7c3859ba7221cf7ed742d323a373f7beadc3e994fd720e7c999bcb901380e9a81b842f58e791022a6d634d4c9158dbd185ffbaa7bab6cc072dd0bc05

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un301861.exe
        Filesize

        660KB

        MD5

        d9a7ba75bf38ae47f52c70fdc86e4742

        SHA1

        f26dc69975d298b3288580129ebef2eb291b485a

        SHA256

        23c7f6275b3e4901df1c7465a6ab646d762f323e0b0ad25efb6499f3ffb0d66b

        SHA512

        78b6c07af7f4bf052c1a122c5e9b22be577b8eec0b72b8a16bb0ce82f8f7a7f604bdee087d02c55db804dd4fa34d15fd0a8e6a625b903d07e03d4293619e2a44

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4052.exe
        Filesize

        312KB

        MD5

        09ba8a2191cce743040428e487da2ac1

        SHA1

        92aad7a0efe37d57a70fdda12f1e9e16c21b2694

        SHA256

        430dd384858f63ddbf8dc1f373afb979ffb9dcecaf5b4df6367a9ad599fd16f6

        SHA512

        0ee821df9e1966b6f54bb2d2d1e6282cd20ab3561927ea7534f81aa12215eac805aade48bd459af8b28e9452506d1d8df905683b38fefc2cca349f160cc8927b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7756.exe
        Filesize

        495KB

        MD5

        8d7efaf283e711665e7695f90e954115

        SHA1

        34b65f5cc5206bc397a132c7544568d5cc7156b9

        SHA256

        8bcb615539c5014e15d312ca0eef02e5326381f68a97710558c6f5f9d114e813

        SHA512

        787831ec6bd509d7cb2db71df4a67d2723fbd3454f1bacbd15c00d3f124e3deeab9184c9be0215120123114a3fb43bb0ad22f823689755192f8823f7621ac280

        Download Submit

      • C:\Windows\Temp\1.exe
        Filesize

        168KB

        MD5

        1073b2e7f778788852d3f7bb79929882

        SHA1

        7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

        SHA256

        c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

        SHA512

        90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

        Download Submit

      • memory/2508-41-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2508-37-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2508-18-0x0000000000400000-0x0000000000802000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2508-19-0x0000000002880000-0x000000000289A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2508-20-0x0000000004E30000-0x00000000053D4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2508-21-0x0000000004DB0000-0x0000000004DC8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2508-25-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2508-49-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2508-47-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2508-45-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2508-43-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2508-16-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/2508-39-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2508-17-0x0000000000400000-0x0000000000802000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2508-35-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2508-34-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2508-31-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2508-29-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2508-27-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2508-23-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2508-22-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2508-50-0x00000000009E0000-0x0000000000AE0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2508-51-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/2508-54-0x0000000000400000-0x0000000000802000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2508-55-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/2508-15-0x00000000009E0000-0x0000000000AE0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/3092-2167-0x0000000000DB0000-0x0000000000DB6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/3092-2166-0x0000000000480000-0x00000000004AE000-memory.dmp

        Filesize

        184KB

        Download

      • memory/3168-2155-0x0000000000800000-0x0000000000830000-memory.dmp

        Filesize

        192KB

        Download

      • memory/3168-2158-0x00000000052B0000-0x00000000053BA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/3168-2156-0x00000000029B0000-0x00000000029B6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/3168-2157-0x00000000057C0000-0x0000000005DD8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3168-2161-0x0000000005230000-0x000000000527C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3168-2160-0x00000000051E0000-0x000000000521C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/3168-2159-0x0000000005070000-0x0000000005082000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4992-89-0x0000000005580000-0x00000000055DF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4992-91-0x0000000005580000-0x00000000055DF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4992-83-0x0000000005580000-0x00000000055DF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4992-81-0x0000000005580000-0x00000000055DF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4992-79-0x0000000005580000-0x00000000055DF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4992-75-0x0000000005580000-0x00000000055DF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4992-73-0x0000000005580000-0x00000000055DF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4992-71-0x0000000005580000-0x00000000055DF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4992-67-0x0000000005580000-0x00000000055DF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4992-65-0x0000000005580000-0x00000000055DF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4992-61-0x0000000005580000-0x00000000055E6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4992-87-0x0000000005580000-0x00000000055DF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4992-93-0x0000000005580000-0x00000000055DF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4992-96-0x0000000005580000-0x00000000055DF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4992-60-0x0000000002A50000-0x0000000002AB6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4992-77-0x0000000005580000-0x00000000055DF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4992-69-0x0000000005580000-0x00000000055DF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4992-85-0x0000000005580000-0x00000000055DF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4992-63-0x0000000005580000-0x00000000055DF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4992-62-0x0000000005580000-0x00000000055DF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4992-2142-0x0000000005750000-0x0000000005782000-memory.dmp

        Filesize

        200KB

        Download