Overview

overview

10

Static

static

3

f8084f298f...f6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-11-2024 16:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f8084f298fb23f089567ab0ac657e4b91a4e6d3a0853f20270ea697a95a29ef6.exe

  • Size

    684KB

  • MD5

    a0ffe07063817b2308b7665c00b16881

  • SHA1

    3b69d1efacab031f8c04cadcc28c11f4d93555ce

  • SHA256

    f8084f298fb23f089567ab0ac657e4b91a4e6d3a0853f20270ea697a95a29ef6

  • SHA512

    67eaedcd6421441314efd8ef1ff6c907529674ed2f1264454e7db6539a4be3e7a034f9053e6c81abc8775ed30f825eb734e3bb3fad565ae90994ee000b07880e

  • SSDEEP

    12288:lMray90MwNsTyr4UK7Uc8j31wcw/l5+9G54AIqwbyiDQNp6xXNkMcP0BEK3:vyBwNsJUeUN3pwYsGvDeKqMY0Bp

Score
10/10
healerredlinedizanormdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

C2

77.91.124.145:4125

Attributes
  • auth_value

    bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f8084f298fb23f089567ab0ac657e4b91a4e6d3a0853f20270ea697a95a29ef6.exe
    "C:\Users\Admin\AppData\Local\Temp\f8084f298fb23f089567ab0ac657e4b91a4e6d3a0853f20270ea697a95a29ef6.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4260
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHJ7211.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHJ7211.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5064
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr610293.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr610293.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2244
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku342282.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku342282.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3876
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2296
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 1380
          4⤵
          • Program crash
          PID:4332
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr740517.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr740517.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5436
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3876 -ip 3876
    1⤵
      PID:3640

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr740517.exe
      Filesize

      169KB

      MD5

      f67e1e4d037008980b8bcf3071aa3fd9

      SHA1

      b4352238113e42651ed33b8ff166bd9c6fd0db69

      SHA256

      f04c6182621ae895d3c7fdae8e6b8524d4b42f378b24233571ec06cf54b6ef60

      SHA512

      72628e4ffaf77080338dbcce5d05e2ce629bb847df58dd522fa0d92b00ca146c26530d0cbfc6f67ac28588f55027c624579f23a6f548f3ae4597d57e726f54d8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHJ7211.exe
      Filesize

      530KB

      MD5

      ca3546b7b1331ab1889c36699e6c6da4

      SHA1

      839c0893f716646e4691fe21cf9f3ea8a4396d92

      SHA256

      1361d8de18b50b34135df85933107778cdfefd01fde2f20648cf6d15f673921c

      SHA512

      f1c4693441cf635041174b7b351028e2da7b2e6e4d1e347ec7c29bfc685889b0383780b504857bd6e28711450bdab6c6d4fc434b93faa7586c2d8cb15708be85

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr610293.exe
      Filesize

      12KB

      MD5

      d90c7807643ba6989f87d515ba9726b8

      SHA1

      a07c8b50187da002ecf69e7fee33f367602e205f

      SHA256

      70ae1cb9d92aee1727ab84110ee9e4dcac538bd1fbc2423b890074492d6b4a39

      SHA512

      dbee26964e1c2f709ebdb5fd67f715572140a1775c09d4baca5aee8c43ba7534480888c63e6a4aeaa59a085b1eab83b739926c2d9d3d46b77535ef534ce28071

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku342282.exe
      Filesize

      495KB

      MD5

      57696bd2bc07ee1c4439860988285912

      SHA1

      b644977e9365ba8d256fd66818efff93224a7103

      SHA256

      5e0b586673e5c8e26ca903f6ab5018c99295f421ef2348f43310f9f1c0bd7050

      SHA512

      139c85a0f84f3c1e9a30bfd9f25a7c55b3fdb9681cab3cf0eeb5c9f5bdb98b336a260f4203fdf9a9ff8a34d2ba085176c23205f58eb342a8f1d8fdb84b9482dc

      Download Submit

    • C:\Windows\Temp\1.exe
      Filesize

      168KB

      MD5

      1073b2e7f778788852d3f7bb79929882

      SHA1

      7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

      SHA256

      c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

      SHA512

      90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

      Download Submit

    • memory/2244-16-0x00007FFCCB353000-0x00007FFCCB355000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2244-15-0x0000000000850000-0x000000000085A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2244-14-0x00007FFCCB353000-0x00007FFCCB355000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2296-2118-0x0000000000550000-0x0000000000580000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2296-2119-0x00000000026A0000-0x00000000026A6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2296-2120-0x000000000A8C0000-0x000000000AED8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2296-2124-0x0000000002620000-0x000000000266C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2296-2123-0x000000000A350000-0x000000000A38C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2296-2122-0x000000000A2F0000-0x000000000A302000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2296-2121-0x000000000A3C0000-0x000000000A4CA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3876-62-0x0000000005530000-0x000000000558F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3876-42-0x0000000005530000-0x000000000558F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3876-84-0x0000000005530000-0x000000000558F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3876-82-0x0000000005530000-0x000000000558F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3876-80-0x0000000005530000-0x000000000558F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3876-76-0x0000000005530000-0x000000000558F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3876-74-0x0000000005530000-0x000000000558F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3876-70-0x0000000005530000-0x000000000558F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3876-68-0x0000000005530000-0x000000000558F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3876-66-0x0000000005530000-0x000000000558F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3876-64-0x0000000005530000-0x000000000558F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3876-88-0x0000000005530000-0x000000000558F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3876-60-0x0000000005530000-0x000000000558F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3876-58-0x0000000005530000-0x000000000558F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3876-54-0x0000000005530000-0x000000000558F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3876-52-0x0000000005530000-0x000000000558F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3876-50-0x0000000005530000-0x000000000558F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3876-48-0x0000000005530000-0x000000000558F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3876-46-0x0000000005530000-0x000000000558F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3876-87-0x0000000005530000-0x000000000558F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3876-40-0x0000000005530000-0x000000000558F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3876-38-0x0000000005530000-0x000000000558F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3876-36-0x0000000005530000-0x000000000558F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3876-34-0x0000000005530000-0x000000000558F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3876-30-0x0000000005530000-0x000000000558F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3876-28-0x0000000005530000-0x000000000558F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3876-78-0x0000000005530000-0x000000000558F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3876-44-0x0000000005530000-0x000000000558F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3876-72-0x0000000005530000-0x000000000558F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3876-56-0x0000000005530000-0x000000000558F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3876-24-0x0000000005530000-0x0000000005596000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3876-23-0x0000000004F80000-0x0000000005524000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3876-22-0x00000000028D0000-0x0000000002936000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3876-32-0x0000000005530000-0x000000000558F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3876-26-0x0000000005530000-0x000000000558F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3876-25-0x0000000005530000-0x000000000558F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3876-2105-0x0000000005750000-0x0000000005782000-memory.dmp

      Filesize

      200KB

      Download

    • memory/5436-2129-0x0000000000BF0000-0x0000000000C1E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/5436-2130-0x0000000005390000-0x0000000005396000-memory.dmp

      Filesize

      24KB

      Download