Overview

overview

10

Static

static

3

9d8bcd3c15...76.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-11-2024 11:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9d8bcd3c15fe5edb45129ce5a8d477e5dd0a50229e4f245ef825b94f6bec2876.exe

  • Size

    684KB

  • MD5

    14de8a9ddd528ada610c116dffe08c05

  • SHA1

    dd52994aae458e836523866b946bc8db85547437

  • SHA256

    9d8bcd3c15fe5edb45129ce5a8d477e5dd0a50229e4f245ef825b94f6bec2876

  • SHA512

    f2dba9fcc9648e5fed0c9af965c1ad7d6e35453ef014cb0b263ced9ceff7ae19b1db6679ffbc208adc776c6232f95c019f31d6acb09b772fab66941128ab4271

  • SSDEEP

    12288:8MrKy9068+JU02yiAvPW/fqwizcFrhLFLb73CMiZGXSLOSrW14Iiks7flm:uyFU02CPEfqeJLvCtGru64Fks7fU

Score
10/10
healerredlinedizanormdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

C2

77.91.124.145:4125

Attributes
  • auth_value

    bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9d8bcd3c15fe5edb45129ce5a8d477e5dd0a50229e4f245ef825b94f6bec2876.exe
    "C:\Users\Admin\AppData\Local\Temp\9d8bcd3c15fe5edb45129ce5a8d477e5dd0a50229e4f245ef825b94f6bec2876.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3808
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifZ1930.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifZ1930.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5004
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr473800.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr473800.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1832
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku173457.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku173457.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2476
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4836
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 1524
          4⤵
          • Program crash
          PID:5592
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr545453.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr545453.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5392
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2476 -ip 2476
    1⤵
      PID:4876
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start wuauserv
      1⤵
      • Launches sc.exe
      PID:5816

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr545453.exe
      Filesize

      169KB

      MD5

      bee9712d36f566675220129f88138bda

      SHA1

      1ac41eed4af8a99e8b8f8bd27315f4825e4b60c6

      SHA256

      d54380745e12fc300da88a6058ce63a20e31e805c2c4f3160f492ef60790353c

      SHA512

      5f0c0a43e83723fab64112432c98546bcc687273c459c17eb2c4d35d5fc01c7751ea355d38172c2653fb88b84caa66d4e1a9b20dea9518c71281f4ce4e27e49b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifZ1930.exe
      Filesize

      530KB

      MD5

      6d676bf83f489a10e8b0f8fe5ced52f0

      SHA1

      471a664cd448b347a6a33d0dec80f90562ef3ad6

      SHA256

      1758a0855ea94f40c8156765e1d3a0ba2a05c6cde784c6191f9a1f27e7b290c2

      SHA512

      15744673ffb2a5c56463a3d01c3060f0929efe46fc6d27e21865894f4f1373700091a595ee138b8459f63e4dc4a4a4ab21bb26e56418d63facde1ba02d2c2cd2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr473800.exe
      Filesize

      12KB

      MD5

      72fec9892265ce42c5d3f3535e9e05a9

      SHA1

      a6a0b65a9954e41ee8d93a1e18837ef8b1f96a8a

      SHA256

      3386ff06115cf495560316947b7b265a887154d1412e1c7763b4e2d362fceb32

      SHA512

      d4b9961435c94023991bac36f274589dfb64fa6ed6aa6a43d3352fa36e51a1ba38629318767dc3df31cb4abcd79a3287e9ababbd07131600b5595d9ee71549ad

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku173457.exe
      Filesize

      495KB

      MD5

      05ad58fc67c53c22df21367dd66c3880

      SHA1

      cba1f47a731d75f5f567897a80e68e44c73b2afb

      SHA256

      f33fceea35b069c552e96b9b4b6e93fbdc4ff5fd7ac9fc8eaba878f2d93b07f6

      SHA512

      9d73a9946e2e59980a27e03105441a75f0804a6a411286533afd7223840a858a454996b0924a657ef83b06e44dd58c986d166459fbbdb9e47292cbcbc7f61742

      Download Submit

    • C:\Windows\Temp\1.exe
      Filesize

      168KB

      MD5

      1073b2e7f778788852d3f7bb79929882

      SHA1

      7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

      SHA256

      c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

      SHA512

      90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

      Download Submit

    • memory/1832-14-0x00007FF94BA63000-0x00007FF94BA65000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1832-15-0x00000000001E0000-0x00000000001EA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1832-16-0x00007FF94BA63000-0x00007FF94BA65000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2476-22-0x00000000026E0000-0x0000000002746000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2476-23-0x0000000005180000-0x0000000005724000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2476-24-0x0000000002B90000-0x0000000002BF6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2476-44-0x0000000002B90000-0x0000000002BEF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2476-42-0x0000000002B90000-0x0000000002BEF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2476-88-0x0000000002B90000-0x0000000002BEF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2476-86-0x0000000002B90000-0x0000000002BEF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2476-84-0x0000000002B90000-0x0000000002BEF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2476-82-0x0000000002B90000-0x0000000002BEF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2476-80-0x0000000002B90000-0x0000000002BEF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2476-76-0x0000000002B90000-0x0000000002BEF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2476-74-0x0000000002B90000-0x0000000002BEF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2476-72-0x0000000002B90000-0x0000000002BEF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2476-70-0x0000000002B90000-0x0000000002BEF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2476-69-0x0000000002B90000-0x0000000002BEF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2476-66-0x0000000002B90000-0x0000000002BEF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2476-64-0x0000000002B90000-0x0000000002BEF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2476-63-0x0000000002B90000-0x0000000002BEF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2476-60-0x0000000002B90000-0x0000000002BEF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2476-58-0x0000000002B90000-0x0000000002BEF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2476-56-0x0000000002B90000-0x0000000002BEF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2476-54-0x0000000002B90000-0x0000000002BEF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2476-52-0x0000000002B90000-0x0000000002BEF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2476-50-0x0000000002B90000-0x0000000002BEF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2476-48-0x0000000002B90000-0x0000000002BEF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2476-46-0x0000000002B90000-0x0000000002BEF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2476-40-0x0000000002B90000-0x0000000002BEF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2476-38-0x0000000002B90000-0x0000000002BEF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2476-36-0x0000000002B90000-0x0000000002BEF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2476-34-0x0000000002B90000-0x0000000002BEF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2476-32-0x0000000002B90000-0x0000000002BEF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2476-30-0x0000000002B90000-0x0000000002BEF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2476-28-0x0000000002B90000-0x0000000002BEF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2476-78-0x0000000002B90000-0x0000000002BEF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2476-26-0x0000000002B90000-0x0000000002BEF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2476-25-0x0000000002B90000-0x0000000002BEF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2476-2105-0x0000000002BF0000-0x0000000002C22000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4836-2118-0x0000000000900000-0x0000000000930000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4836-2119-0x00000000013C0000-0x00000000013C6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4836-2120-0x00000000059A0000-0x0000000005FB8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4836-2121-0x0000000005490000-0x000000000559A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4836-2122-0x0000000002C30000-0x0000000002C42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4836-2123-0x0000000005300000-0x000000000533C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4836-2124-0x0000000005380000-0x00000000053CC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/5392-2129-0x0000000000010000-0x000000000003E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/5392-2130-0x0000000006CC0000-0x0000000006CC6000-memory.dmp

      Filesize

      24KB

      Download