Overview

overview

10

Static

static

3

278cedba32...a2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-11-2024 23:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    278cedba32644aa16f10a42093460ad5df552feae23ea2eb6548580c869338a2.exe

  • Size

    660KB

  • MD5

    f3e07125ed115439aa127dd72431dbab

  • SHA1

    84b7a3a5a9ca8debb3657adbf1a0719d73d85c44

  • SHA256

    278cedba32644aa16f10a42093460ad5df552feae23ea2eb6548580c869338a2

  • SHA512

    879faa8bef36f99188565123fbe658f6dad8a256589890354b2520458d07186256abec04f25a364de4ab7d3e9300600219b1052093ce37b42dc41c4ef960e3dd

  • SSDEEP

    12288:/MrPy902FFXz46XVfPTJyVpPES/+7XBk2g/laTlmTn7/tzAQNpvwvhVg+:0ylfsOpTJumi+F7g/lR7100pvwvhVg+

Score
10/10
healerredlinedroznormdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

droz

C2

77.91.124.145:4125

Attributes
  • auth_value

    d099adf6dbf6ccb8e16967104280634a

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\278cedba32644aa16f10a42093460ad5df552feae23ea2eb6548580c869338a2.exe
    "C:\Users\Admin\AppData\Local\Temp\278cedba32644aa16f10a42093460ad5df552feae23ea2eb6548580c869338a2.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4900
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDM4689.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDM4689.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1040
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr058008.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr058008.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2056
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku829455.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku829455.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2348
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:6964
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 1444
          4⤵
          • Program crash
          PID:6716
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr944682.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr944682.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:6592
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2348 -ip 2348
    1⤵
      PID:6804
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start wuauserv
      1⤵
      • Launches sc.exe
      PID:4608

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr944682.exe
      Filesize

      168KB

      MD5

      9bc12b5e02cb3b263635ee0eb2b702de

      SHA1

      a653cdc89d81a891064c87cefc8d48dbe2ee4bb8

      SHA256

      c2fcc3c0da96fe1b6c3f7cafa7e31f8e8f1d2c655f6cabe43b7bc8601e66a397

      SHA512

      b25167c011eae78d755d6a9f3c2171f9c3aa0c3275c5bcd15f65a7438be8eea906134bb986da32dc25649b46738c064746e5d05b6771265fd5fb021e80fde805

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDM4689.exe
      Filesize

      506KB

      MD5

      18dbba2d74c5afce783733d05c415395

      SHA1

      6288d5583a7c34055b18b7401daa2ade09b3d2bc

      SHA256

      3690dfd70ec9022df164f6fce5bfb36bd21d8f8f8b03d1814ddfc926ead09c19

      SHA512

      f5546994ce7d57447285c3870d95cf5bfe1c10defe8d4417ddc1f46de54c92698a7002e3f9e0761974972b772d8d5a670871f474090822e8c92d37a8a8f61a57

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr058008.exe
      Filesize

      15KB

      MD5

      1aeb8cdd6c149e36742d4057fbf4ada4

      SHA1

      ed20d6a7cce3114b192ccbf08ee4a0086a23fa4c

      SHA256

      9dce0908137b15913403f330a56c5142337cc568871573213573d28ed5ec86a4

      SHA512

      8919a64393849eb833ab52dae0578feeff637441d81ec65439d6e2060cb1a1f69663ce5d22c3e489055239349129d4b446d46e5c8cc8199e7a35ddeb21eebcb0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku829455.exe
      Filesize

      426KB

      MD5

      f8d96d51b3a2c58eb2a9d971f0037ad1

      SHA1

      6a0cb27ff9ead9e9ff5bbe36ac893140ad949169

      SHA256

      f6cbb72e282325e65d33b9dcefae425d571f57d19ebe74a5015f50fe5759248f

      SHA512

      687c6c61f05be51a1873590cb470a133ad30ef55694127a9db6b45f1fabbf87171bff76de899ad2dc344f8917e7a0739fec4c694fae5c2f8f7eb2a57b2d3640d

      Download Submit

    • C:\Windows\Temp\1.exe
      Filesize

      168KB

      MD5

      1073b2e7f778788852d3f7bb79929882

      SHA1

      7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

      SHA256

      c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

      SHA512

      90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

      Download Submit

    • memory/2056-14-0x00007FFCD3A53000-0x00007FFCD3A55000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2056-15-0x00000000004A0000-0x00000000004AA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2348-53-0x00000000051E0000-0x000000000523F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2348-45-0x00000000051E0000-0x000000000523F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2348-23-0x00000000051E0000-0x0000000005246000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2348-64-0x00000000051E0000-0x000000000523F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2348-85-0x00000000051E0000-0x000000000523F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2348-83-0x00000000051E0000-0x000000000523F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2348-81-0x00000000051E0000-0x000000000523F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2348-79-0x00000000051E0000-0x000000000523F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2348-77-0x00000000051E0000-0x000000000523F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2348-75-0x00000000051E0000-0x000000000523F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2348-73-0x00000000051E0000-0x000000000523F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2348-71-0x00000000051E0000-0x000000000523F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2348-69-0x00000000051E0000-0x000000000523F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2348-67-0x00000000051E0000-0x000000000523F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2348-65-0x00000000051E0000-0x000000000523F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2348-61-0x00000000051E0000-0x000000000523F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2348-59-0x00000000051E0000-0x000000000523F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2348-57-0x00000000051E0000-0x000000000523F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2348-55-0x00000000051E0000-0x000000000523F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2348-21-0x0000000004B80000-0x0000000004BE6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2348-51-0x00000000051E0000-0x000000000523F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2348-49-0x00000000051E0000-0x000000000523F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2348-47-0x00000000051E0000-0x000000000523F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2348-22-0x0000000004BF0000-0x0000000005194000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2348-41-0x00000000051E0000-0x000000000523F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2348-39-0x00000000051E0000-0x000000000523F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2348-37-0x00000000051E0000-0x000000000523F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2348-35-0x00000000051E0000-0x000000000523F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2348-33-0x00000000051E0000-0x000000000523F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2348-29-0x00000000051E0000-0x000000000523F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2348-27-0x00000000051E0000-0x000000000523F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2348-25-0x00000000051E0000-0x000000000523F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2348-87-0x00000000051E0000-0x000000000523F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2348-43-0x00000000051E0000-0x000000000523F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2348-31-0x00000000051E0000-0x000000000523F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2348-24-0x00000000051E0000-0x000000000523F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2348-2104-0x0000000005400000-0x0000000005432000-memory.dmp

      Filesize

      200KB

      Download

    • memory/6592-2129-0x0000000004860000-0x0000000004866000-memory.dmp

      Filesize

      24KB

      Download

    • memory/6592-2128-0x0000000000180000-0x00000000001AE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/6964-2117-0x0000000000A40000-0x0000000000A70000-memory.dmp

      Filesize

      192KB

      Download

    • memory/6964-2118-0x0000000002C90000-0x0000000002C96000-memory.dmp

      Filesize

      24KB

      Download

    • memory/6964-2119-0x000000000ADC0000-0x000000000B3D8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/6964-2120-0x000000000A8B0000-0x000000000A9BA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/6964-2121-0x000000000A7E0000-0x000000000A7F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/6964-2122-0x000000000A840000-0x000000000A87C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/6964-2123-0x0000000002C10000-0x0000000002C5C000-memory.dmp

      Filesize

      304KB

      Download