Overview

overview

10

Static

static

3

05f0b1d5e8...fc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-11-2024 12:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    05f0b1d5e8131597c59a0bdf61ca0b065e02c1fc64534b0c9eb0e32ea3345bfc.exe

  • Size

    653KB

  • MD5

    ecac7f86b550d240a91daf4c67060a32

  • SHA1

    499e989b1b5266d4df3dd995b06dce7ce2a9e04c

  • SHA256

    05f0b1d5e8131597c59a0bdf61ca0b065e02c1fc64534b0c9eb0e32ea3345bfc

  • SHA512

    e70eb120155df08d3916257faec26140f0684de45a2a00e08cc32c12b153fdac9d640f70c0302a7c49dbe3f18ca282ff66a72993d938452618e3f20e3b29dc4e

  • SSDEEP

    12288:sMr7y90q9HB3Pnr8PlCProSTSt8DiTr68POtEV+HWZDfZM:3y3NYYPrAPwrWVS

Score
10/10
healerredlinedizanormdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

C2

77.91.124.145:4125

Attributes
  • auth_value

    bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\05f0b1d5e8131597c59a0bdf61ca0b065e02c1fc64534b0c9eb0e32ea3345bfc.exe
    "C:\Users\Admin\AppData\Local\Temp\05f0b1d5e8131597c59a0bdf61ca0b065e02c1fc64534b0c9eb0e32ea3345bfc.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4560
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitn2501.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitn2501.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr905466.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr905466.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2512
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku142607.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku142607.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3496
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3888
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 1376
          4⤵
          • Program crash
          PID:6132
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr075888.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr075888.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1252
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3496 -ip 3496
    1⤵
      PID:1520

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr075888.exe
      Filesize

      169KB

      MD5

      4b2f2b25bb3e6dc1cc2439bda1ea168f

      SHA1

      e8cddd2350f5a1089ec89702c8fadb1b2fa48c92

      SHA256

      af1e9d438d39c474132cb351c2e6bef587b1e8e1d432bfcb295d91f643c7fb8c

      SHA512

      daaf4b4b03a89812f0b6bc60c62df9908adcfbf0d8acbc0626a1f5c2b13c3024321df0f86c7bb25afea2e26a3e58435fc98d526b01d8730f7f9ce1be4c56eaf2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitn2501.exe
      Filesize

      498KB

      MD5

      098a55a00ce196413e8d4e9cd21bf282

      SHA1

      17632a92e17233beaabcf54951bed611b1c09366

      SHA256

      7d48407ed6a40f86a9dcd8b328d152d2a2f5a89585132ea05ee66bbf1f3968eb

      SHA512

      92bd0df5f0fd4dd58c2a68aa8e5e2ca68dcface3c386c658a84c39522a243cd4bcd233b85443b39c7c49974b6f7ae11e904ccf7ad847a8db1eb3f1f3280f3db1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr905466.exe
      Filesize

      12KB

      MD5

      90e638b70c9ef7058d96f81c6b31a958

      SHA1

      1b2379495c39301447e153c32eeefc7838221fb2

      SHA256

      b2be0a427d8ecf51104b2b8efb480e694b06d5cc9a78aa31cc4d946535e82573

      SHA512

      9d5274afb8efb36e8947a71796c2d3cc48f26d27601c66fcd3f82fcca4e78b676b5670b10f31830efd8b0fbc850834ca0e392b3c1a6105ad6a20b7fb02848d27

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku142607.exe
      Filesize

      417KB

      MD5

      c50dd5ddf5fbcf40873da8a1f8c8f371

      SHA1

      081717d46e1b22571afb987e27e0bed0587f8912

      SHA256

      95b494d9c9d318fa0070e4d01582173144a8539d5fc66e6570e640830d2a06c3

      SHA512

      eac8943592822bd4603e0bded0575292327cfb198e03d682ce8367bc531ee470fcaf14b3d61c5175b77a704bc03883dd800d26f0a599851afd07b80f353611cf

      Download Submit

    • C:\Windows\Temp\1.exe
      Filesize

      168KB

      MD5

      1073b2e7f778788852d3f7bb79929882

      SHA1

      7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

      SHA256

      c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

      SHA512

      90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

      Download Submit

    • memory/1252-2129-0x00000000006B0000-0x00000000006DE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1252-2130-0x0000000002840000-0x0000000002846000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2512-14-0x00007FFD21973000-0x00007FFD21975000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2512-15-0x0000000000B00000-0x0000000000B0A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2512-16-0x00007FFD21973000-0x00007FFD21975000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3496-60-0x00000000023B0000-0x000000000240F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3496-46-0x00000000023B0000-0x000000000240F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3496-24-0x00000000023B0000-0x0000000002416000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3496-48-0x00000000023B0000-0x000000000240F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3496-58-0x00000000023B0000-0x000000000240F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3496-88-0x00000000023B0000-0x000000000240F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3496-86-0x00000000023B0000-0x000000000240F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3496-84-0x00000000023B0000-0x000000000240F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3496-80-0x00000000023B0000-0x000000000240F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3496-78-0x00000000023B0000-0x000000000240F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3496-76-0x00000000023B0000-0x000000000240F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3496-74-0x00000000023B0000-0x000000000240F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3496-72-0x00000000023B0000-0x000000000240F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3496-70-0x00000000023B0000-0x000000000240F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3496-68-0x00000000023B0000-0x000000000240F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3496-64-0x00000000023B0000-0x000000000240F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3496-22-0x0000000004D40000-0x0000000004DA6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3496-56-0x00000000023B0000-0x000000000240F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3496-54-0x00000000023B0000-0x000000000240F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3496-52-0x00000000023B0000-0x000000000240F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3496-50-0x00000000023B0000-0x000000000240F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3496-23-0x0000000004DD0000-0x0000000005374000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3496-44-0x00000000023B0000-0x000000000240F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3496-40-0x00000000023B0000-0x000000000240F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3496-38-0x00000000023B0000-0x000000000240F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3496-36-0x00000000023B0000-0x000000000240F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3496-34-0x00000000023B0000-0x000000000240F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3496-30-0x00000000023B0000-0x000000000240F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3496-28-0x00000000023B0000-0x000000000240F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3496-82-0x00000000023B0000-0x000000000240F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3496-66-0x00000000023B0000-0x000000000240F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3496-62-0x00000000023B0000-0x000000000240F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3496-42-0x00000000023B0000-0x000000000240F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3496-32-0x00000000023B0000-0x000000000240F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3496-26-0x00000000023B0000-0x000000000240F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3496-25-0x00000000023B0000-0x000000000240F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3496-2105-0x0000000005530000-0x0000000005562000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3888-2118-0x0000000000930000-0x0000000000960000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3888-2119-0x0000000001110000-0x0000000001116000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3888-2120-0x0000000005960000-0x0000000005F78000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3888-2121-0x0000000005450000-0x000000000555A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3888-2122-0x00000000051A0000-0x00000000051B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3888-2123-0x00000000051C0000-0x00000000051FC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3888-2124-0x0000000005350000-0x000000000539C000-memory.dmp

      Filesize

      304KB

      Download