Overview

overview

10

Static

static

3

a56cd0d848...bb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/11/2024, 00:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a56cd0d8485df2f5277e1497db2b707db7373a90bb6b071ef93d6770ea981bbb.exe

  • Size

    661KB

  • MD5

    886b956f48f7fa103ff866aff8204ed5

  • SHA1

    a33edceb00879c55af5ba2e58f442b639057bf78

  • SHA256

    a56cd0d8485df2f5277e1497db2b707db7373a90bb6b071ef93d6770ea981bbb

  • SHA512

    be1a6371ed090d86b9e1169bb40fdfb789df5544b5e169ce976f108337cd725365bd1eb99a1a20e616e61e861e1e668e72ff6b41afe52eb7368a0da631cbf03c

  • SSDEEP

    12288:nMr6y90T/bO4gbHMlrlBP3cY4IWpihJZKUgih3tJRHjyBUK:RyP+lrlB0Y4Ivv1dWBh

Score
10/10
healerredlinedroznormdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

droz

C2

77.91.124.145:4125

Attributes
  • auth_value

    d099adf6dbf6ccb8e16967104280634a

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a56cd0d8485df2f5277e1497db2b707db7373a90bb6b071ef93d6770ea981bbb.exe
    "C:\Users\Admin\AppData\Local\Temp\a56cd0d8485df2f5277e1497db2b707db7373a90bb6b071ef93d6770ea981bbb.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3744
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigQ0538.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigQ0538.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4140
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr373955.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr373955.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4536
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku276712.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku276712.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4232
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2380
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1388
          4⤵
          • Program crash
          PID:1808
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr455625.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr455625.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4572
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4232 -ip 4232
    1⤵
      PID:4044

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr455625.exe
      Filesize

      168KB

      MD5

      75276525461a25c8f2f635bc99ab490c

      SHA1

      2c831e9d916798b455f6449d73a7952c1eb4d7f3

      SHA256

      a2c11e59c28425ea352e1b2f5452d837bc284054a9da647dda6afde344dde9d3

      SHA512

      9e81ccc59403158bbe779d0fdd4234b40fcb105097427b430ea0edbc24abeda87adf6a13b8f4b85c0b7301d8a1e3bbdee794d55ddee1c3b9aaacdd8dcb137d65

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigQ0538.exe
      Filesize

      507KB

      MD5

      3ca92735341c0cf4a16ef399ce1bf893

      SHA1

      b115e9f514e9d0ee1394b095d0a717e23de5def8

      SHA256

      846414d688004ffdef92747d91612c06a93087f8d05f0775ba8a86d34b900195

      SHA512

      6d713533fa4bbb60721f7e90377b9699a0e1ac9f44bd00e690c8ab1c2776774a4c593c0e98def015b11780af245d83ba315311e47e451f4b3399ea4f3e8d8ce8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr373955.exe
      Filesize

      15KB

      MD5

      4ed1da36d3392959a0d3aff55b864280

      SHA1

      39cc721cae406bb2555e48f2096274bea5e36bfa

      SHA256

      4fd8e9f9c514bc608e600f9928cb2e0e2127c50602254ddbe232824c4ca12972

      SHA512

      9ef6dd0be777b08e2166f4a86a1c2781756d7ce1a8fca0e7decddf4b5f3f07e71b6b4ba3b84da33acce8686f68c0ad6f7a4c6344f013126235725e1a9558c087

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku276712.exe
      Filesize

      426KB

      MD5

      167b2b557b410ddd7285e8347c8cd3e0

      SHA1

      cd8e87545260a31fb34ff25df3b793a6b1a629f0

      SHA256

      d5ae0dacb583b3c57ef9c2a0185884cb2b7a34a9c62a79ad226873af82350667

      SHA512

      3e07b106d342a2f12764d0ff189823f35e390b7e07aaf03892dcb51d99230da5bb4102ef57fbf62a27ff04b2aa69b40d0c5dca12757bbcffd28281418b75694e

      Download Submit

    • C:\Windows\Temp\1.exe
      Filesize

      168KB

      MD5

      1073b2e7f778788852d3f7bb79929882

      SHA1

      7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

      SHA256

      c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

      SHA512

      90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

      Download Submit

    • memory/2380-2118-0x0000000000410000-0x0000000000440000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2380-2124-0x0000000004E40000-0x0000000004E8C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2380-2123-0x0000000004DF0000-0x0000000004E2C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2380-2122-0x0000000004D80000-0x0000000004D92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2380-2121-0x0000000004F00000-0x000000000500A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2380-2120-0x0000000005410000-0x0000000005A28000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2380-2119-0x0000000000B40000-0x0000000000B46000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4232-54-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4232-38-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4232-80-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4232-78-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4232-76-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4232-74-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4232-72-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4232-70-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4232-68-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4232-64-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4232-62-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4232-60-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4232-59-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4232-56-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4232-84-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4232-52-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4232-50-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4232-48-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4232-46-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4232-44-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4232-42-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4232-82-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4232-36-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4232-34-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4232-30-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4232-28-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4232-26-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4232-66-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4232-86-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4232-88-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4232-40-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4232-32-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4232-24-0x00000000051D0000-0x0000000005236000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4232-23-0x0000000004C20000-0x00000000051C4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4232-22-0x00000000023F0000-0x0000000002456000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4232-25-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4232-2105-0x0000000005400000-0x0000000005432000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4536-14-0x00000000008F0000-0x00000000008FA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4536-15-0x00007FFB5D380000-0x00007FFB5D521000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4536-17-0x00007FFB5D380000-0x00007FFB5D521000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4572-2129-0x0000000000C30000-0x0000000000C5E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4572-2130-0x0000000002D10000-0x0000000002D16000-memory.dmp

      Filesize

      24KB

      Download