Overview

overview

10

Static

static

3

fb60ea5842...22.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-11-2024 10:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fb60ea58426ce9a5f99d5dd8f6afd2caad9785b42b47905a90fe7c3fbd9bc522.exe

  • Size

    789KB

  • MD5

    03ab78d63ef37d986c3b8c20eda2beda

  • SHA1

    7e14bdf5ee21eeb0ac4dd73bf2765b5d0004622e

  • SHA256

    fb60ea58426ce9a5f99d5dd8f6afd2caad9785b42b47905a90fe7c3fbd9bc522

  • SHA512

    ede0af790636e611f39974a0d2df3143d16a99e2937577dc04cf6cbf8fa59ff0ff1cf99dc7f093e6630f90884434d61ca953e2397aa4666f09beb9aa912688d8

  • SSDEEP

    12288:CMrzy907BR/2+nMnBmdkLKd/nuW6e1xPNWMKTSAf6ieJEZPsVQVOQRpDHLicsa5O:lyamsdkw/uI1xPNAdPQQR9rP5Vc

Score
10/10
healerredlinedizanormdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

C2

77.91.124.145:4125

Attributes
  • auth_value

    bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb60ea58426ce9a5f99d5dd8f6afd2caad9785b42b47905a90fe7c3fbd9bc522.exe
    "C:\Users\Admin\AppData\Local\Temp\fb60ea58426ce9a5f99d5dd8f6afd2caad9785b42b47905a90fe7c3fbd9bc522.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3200
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un313474.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un313474.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1264
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9736.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9736.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4512
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 1088
          4⤵
          • Program crash
          PID:3332
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3258.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3258.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5012
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:868
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 1536
          4⤵
          • Program crash
          PID:4492
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si512322.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si512322.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5148
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4512 -ip 4512
    1⤵
      PID:4904
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5012 -ip 5012
      1⤵
        PID:1916
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe start wuauserv
        1⤵
        • Launches sc.exe
        PID:4988

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si512322.exe
        Filesize

        169KB

        MD5

        ba968b308ea7247cd11c2a9182728c8e

        SHA1

        57febab8990f86844fcefd5a7f25fc7795590fed

        SHA256

        365e475800e85e4fbc4bc3ee96c494247940232751e574bc9844720e33f179cc

        SHA512

        abbbb15aef8cb9de09bf26c42d5128809bbf80afb72d4d33abe283bda7768c31de9ffd35890a13774db3602f7adf85ff60c297c21f4893d54066cf304b56ede2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un313474.exe
        Filesize

        635KB

        MD5

        96a8043b11449e7b646bb4afebf12493

        SHA1

        878cd3c1bb1e8910339fea36dadb5dfb68ced0cd

        SHA256

        b5c8c1e19b4dc147d946e165b0dbc860977e9e87a52955e641bb2ef0429b2c0d

        SHA512

        534427a11efd3bbad82b24e53a596ec1083dde59b056e63ab39157e3dfa9a5333e7ca05838753209420c1a26ffffd06363c469b51a1bbad92860e76a14254855

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9736.exe
        Filesize

        233KB

        MD5

        1caf77969bd0c29fce35704ca51b4e39

        SHA1

        d934a2f4cb71daddfbb278e500132e448d9813ab

        SHA256

        a1205c7ed57b7fb5b66822a3b69075242687d489456e994661c54c515eb5a3a9

        SHA512

        f65ddb7b5f704f6fddf054057eed169607c0f495d43fbe9de24929ff4cc9f6aab27adab16ad56d570e8764681a54292a4643bcbea4de4ee91bc0940f5d64ee06

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3258.exe
        Filesize

        417KB

        MD5

        226734c977d5b7e306c05795c204845f

        SHA1

        7ff694ef43ac73c9da4809c20a480c83c2adfe0e

        SHA256

        e7e39b5f256049a029014492e8adac496ea1e1d2ce921ba7e827fa37435a1b01

        SHA512

        3cc91ecf9f38fa09bc90314be6b16acd28185cd0fa9a850fe202eecea748e62dbe9a7024a60f8313afb90eee87ab154097cf6303f99ff8f0fe7b37ba4c890b6e

        Download Submit

      • C:\Windows\Temp\1.exe
        Filesize

        168KB

        MD5

        1073b2e7f778788852d3f7bb79929882

        SHA1

        7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

        SHA256

        c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

        SHA512

        90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

        Download Submit

      • memory/868-2156-0x0000000000E80000-0x0000000000EB0000-memory.dmp

        Filesize

        192KB

        Download

      • memory/868-2157-0x0000000005610000-0x0000000005616000-memory.dmp

        Filesize

        24KB

        Download

      • memory/868-2158-0x0000000005D90000-0x00000000063A8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/868-2162-0x00000000059D0000-0x0000000005A1C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/868-2161-0x0000000005850000-0x000000000588C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/868-2160-0x00000000057F0000-0x0000000005802000-memory.dmp

        Filesize

        72KB

        Download

      • memory/868-2159-0x00000000058C0000-0x00000000059CA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/4512-51-0x0000000000580000-0x00000000005AD000-memory.dmp

        Filesize

        180KB

        Download

      • memory/4512-29-0x00000000024D0000-0x00000000024E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4512-22-0x00000000024D0000-0x00000000024E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4512-33-0x00000000024D0000-0x00000000024E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4512-49-0x00000000024D0000-0x00000000024E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4512-47-0x00000000024D0000-0x00000000024E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4512-45-0x00000000024D0000-0x00000000024E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4512-43-0x00000000024D0000-0x00000000024E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4512-41-0x00000000024D0000-0x00000000024E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4512-39-0x00000000024D0000-0x00000000024E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4512-37-0x00000000024D0000-0x00000000024E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4512-35-0x00000000024D0000-0x00000000024E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4512-31-0x00000000024D0000-0x00000000024E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4512-19-0x0000000002180000-0x000000000219A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4512-27-0x00000000024D0000-0x00000000024E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4512-25-0x00000000024D0000-0x00000000024E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4512-23-0x00000000024D0000-0x00000000024E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4512-50-0x0000000000650000-0x0000000000750000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/4512-20-0x0000000004C60000-0x0000000005204000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4512-52-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/4512-55-0x0000000000400000-0x00000000004A8000-memory.dmp

        Filesize

        672KB

        Download

      • memory/4512-56-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/4512-15-0x0000000000650000-0x0000000000750000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/4512-16-0x0000000000580000-0x00000000005AD000-memory.dmp

        Filesize

        180KB

        Download

      • memory/4512-17-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/4512-21-0x00000000024D0000-0x00000000024E8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/4512-18-0x0000000000400000-0x00000000004A8000-memory.dmp

        Filesize

        672KB

        Download

      • memory/5012-64-0x0000000004B70000-0x0000000004BCF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/5012-96-0x0000000004B70000-0x0000000004BCF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/5012-94-0x0000000004B70000-0x0000000004BCF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/5012-92-0x0000000004B70000-0x0000000004BCF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/5012-90-0x0000000004B70000-0x0000000004BCF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/5012-88-0x0000000004B70000-0x0000000004BCF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/5012-86-0x0000000004B70000-0x0000000004BCF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/5012-84-0x0000000004B70000-0x0000000004BCF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/5012-82-0x0000000004B70000-0x0000000004BCF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/5012-76-0x0000000004B70000-0x0000000004BCF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/5012-74-0x0000000004B70000-0x0000000004BCF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/5012-72-0x0000000004B70000-0x0000000004BCF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/5012-78-0x0000000004B70000-0x0000000004BCF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/5012-63-0x0000000004B70000-0x0000000004BCF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/5012-66-0x0000000004B70000-0x0000000004BCF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/5012-62-0x0000000004B70000-0x0000000004BD6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/5012-61-0x00000000022F0000-0x0000000002356000-memory.dmp

        Filesize

        408KB

        Download

      • memory/5012-70-0x0000000004B70000-0x0000000004BCF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/5012-68-0x0000000004B70000-0x0000000004BCF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/5012-80-0x0000000004B70000-0x0000000004BCF000-memory.dmp

        Filesize

        380KB

        Download

      • memory/5012-2143-0x0000000005420000-0x0000000005452000-memory.dmp

        Filesize

        200KB

        Download

      • memory/5148-2167-0x0000000000BD0000-0x0000000000BFE000-memory.dmp

        Filesize

        184KB

        Download

      • memory/5148-2168-0x00000000053A0000-0x00000000053A6000-memory.dmp

        Filesize

        24KB

        Download