Overview

overview

10

Static

static

3

30309c2730...40.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-11-2024 10:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    30309c27300dd09343f27569c5dab9aa4e156537a1e416d04a893c7184470440.exe

  • Size

    854KB

  • MD5

    df9b4263be40f52d3d3812f9b4fcda23

  • SHA1

    de10629f58ce37e4f33d50b49064a95fa892b731

  • SHA256

    30309c27300dd09343f27569c5dab9aa4e156537a1e416d04a893c7184470440

  • SHA512

    6b530511d701a131988b335e51bc4028493b5e0f6dc8cb410b181b84d496b0baf2375bb0ebb203f1339d4e7b74d9b601586af1ef637038aed6fa6fb7b82c9fc1

  • SSDEEP

    24576:XygjhE77y5bArIam3HKpnjPLyf6DK3lXyq:ih7yBz3HgnrLyf3o

Score
10/10
healerredlinedizaladadiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

lada

C2

185.161.248.90:4125

Attributes
  • auth_value

    0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

diza

C2

185.161.248.90:4125

Attributes
  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\30309c27300dd09343f27569c5dab9aa4e156537a1e416d04a893c7184470440.exe
    "C:\Users\Admin\AppData\Local\Temp\30309c27300dd09343f27569c5dab9aa4e156537a1e416d04a893c7184470440.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4904
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziMr0776.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziMr0776.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3632
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziLg5383.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziLg5383.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5000
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it124978.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it124978.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2028
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr167056.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr167056.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3612
          • C:\Windows\Temp\1.exe
            "C:\Windows\Temp\1.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:5992
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 1504
            5⤵
            • Program crash
            PID:4348
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp101868.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp101868.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4568
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3612 -ip 3612
    1⤵
      PID:2908
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start wuauserv
      1⤵
      • Launches sc.exe
      PID:4156

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziMr0776.exe
      Filesize

      671KB

      MD5

      51bc966590619ced8f21c20f6cc67907

      SHA1

      915b1af3e27c1d9c0671fcdd68d06facc04b4574

      SHA256

      86836ebea78c5ec4260130ec80be0d09f200a63c64c81e3e3ca95266ba53a759

      SHA512

      91bd8ff2832b60f60ea8c66c4d26e3899d18ed88eef5ecded31352ec5956fe76f132982cf2208d13d95d9c2de3ea1ebf5a1bfd678909986b36afcd1096a8d505

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp101868.exe
      Filesize

      168KB

      MD5

      c52ebada00a59ec1f651a0e9fbcef2eb

      SHA1

      e1941278df76616f1ca3202ef2a9f99d2592d52f

      SHA256

      35d5cff482e78c0137b3c51556d1e14aab0f38921ebfe46abc979a826301d28e

      SHA512

      6b11124fa6cfa1d2fdb8b6a4cc237b4a65ecbeb1797179568dcef378041ce05bdf0af9b6434cc0b3feb2479112d003b0fa5c0d2178c73bc65d35f5c2cfb36be2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziLg5383.exe
      Filesize

      518KB

      MD5

      cf5302edd23cfd9f8448a4e06362b959

      SHA1

      7014515bf64536178bbec57366c17a9fe875c7a7

      SHA256

      d22895e42bd70cf8d1c979d0d4ea2fd1269c9dd4753c1c9c7322b267d7f881ec

      SHA512

      af0c3426c4901cf9e36538e35a30afbbe6ad81569f0a834c2989015c21a55b1b3de02f779c4fb9a0fff1ff6beee509ed07941fb3be9b9486a4941b4b32ca5ede

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it124978.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr167056.exe
      Filesize

      438KB

      MD5

      8f28b151354ad8609ee05ccf8b1aaf1b

      SHA1

      b010d85c26dfcf016dad69e99260282ad01f7a4d

      SHA256

      31542e9bbd9abfecdf34d2cd1bb09dd6993d0d42a02ac288fc83bcaf49b4de10

      SHA512

      b52208629e8b0b8e803cbecd7f46b72ccd71f681a9928fc09b83cd1de24f726ba5ec57597054a3d7e84d5d0a750cb08c06ee4d10835591b7eb90cce2820c5961

      Download Submit

    • C:\Windows\Temp\1.exe
      Filesize

      168KB

      MD5

      03728fed675bcde5256342183b1d6f27

      SHA1

      d13eace7d3d92f93756504b274777cc269b222a2

      SHA256

      f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

      SHA512

      6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

      Download Submit

    • memory/2028-21-0x00007FF95A023000-0x00007FF95A025000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2028-22-0x00000000008C0000-0x00000000008CA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2028-23-0x00007FF95A023000-0x00007FF95A025000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3612-69-0x00000000051C0000-0x0000000005220000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3612-53-0x00000000051C0000-0x0000000005220000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3612-31-0x00000000051C0000-0x0000000005226000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3612-33-0x00000000051C0000-0x0000000005220000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3612-47-0x00000000051C0000-0x0000000005220000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3612-95-0x00000000051C0000-0x0000000005220000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3612-93-0x00000000051C0000-0x0000000005220000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3612-91-0x00000000051C0000-0x0000000005220000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3612-89-0x00000000051C0000-0x0000000005220000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3612-87-0x00000000051C0000-0x0000000005220000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3612-85-0x00000000051C0000-0x0000000005220000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3612-83-0x00000000051C0000-0x0000000005220000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3612-81-0x00000000051C0000-0x0000000005220000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3612-79-0x00000000051C0000-0x0000000005220000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3612-77-0x00000000051C0000-0x0000000005220000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3612-75-0x00000000051C0000-0x0000000005220000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3612-73-0x00000000051C0000-0x0000000005220000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3612-29-0x0000000004B40000-0x0000000004BA8000-memory.dmp

      Filesize

      416KB

      Download

    • memory/3612-67-0x00000000051C0000-0x0000000005220000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3612-65-0x00000000051C0000-0x0000000005220000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3612-63-0x00000000051C0000-0x0000000005220000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3612-61-0x00000000051C0000-0x0000000005220000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3612-57-0x00000000051C0000-0x0000000005220000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3612-30-0x0000000004C10000-0x00000000051B4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3612-51-0x00000000051C0000-0x0000000005220000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3612-49-0x00000000051C0000-0x0000000005220000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3612-45-0x00000000051C0000-0x0000000005220000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3612-43-0x00000000051C0000-0x0000000005220000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3612-41-0x00000000051C0000-0x0000000005220000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3612-39-0x00000000051C0000-0x0000000005220000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3612-37-0x00000000051C0000-0x0000000005220000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3612-35-0x00000000051C0000-0x0000000005220000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3612-71-0x00000000051C0000-0x0000000005220000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3612-59-0x00000000051C0000-0x0000000005220000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3612-55-0x00000000051C0000-0x0000000005220000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3612-32-0x00000000051C0000-0x0000000005220000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3612-2174-0x0000000005400000-0x0000000005432000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4568-2198-0x0000000000AD0000-0x0000000000B00000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4568-2199-0x00000000013E0000-0x00000000013E6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/5992-2187-0x00000000003A0000-0x00000000003CE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/5992-2188-0x0000000004BC0000-0x0000000004BC6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/5992-2189-0x0000000005360000-0x0000000005978000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/5992-2190-0x0000000004E50000-0x0000000004F5A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/5992-2191-0x0000000004C10000-0x0000000004C22000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5992-2192-0x0000000004D80000-0x0000000004DBC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/5992-2193-0x0000000004DD0000-0x0000000004E1C000-memory.dmp

      Filesize

      304KB

      Download