Overview

overview

10

Static

static

3

c402db00ac...b6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-11-2024 08:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c402db00ac998d458e8f9fdb41f68e8b408f08e6cfec774fef47472f208c6ab6.exe

  • Size

    661KB

  • MD5

    b7bbf63ea9f9ce62c6c46d6910dce749

  • SHA1

    10e0eb666b67e54d169ea276031401a77d73c382

  • SHA256

    c402db00ac998d458e8f9fdb41f68e8b408f08e6cfec774fef47472f208c6ab6

  • SHA512

    6b22a21ad2feae14976fc6a4b8f403965ebe8a3f45a8a0d13d92f01b555780a437a0e378e2d2da15fa5b257ea13026d4fa0af9d7e1499c2b6ad4f4e259de46ff

  • SSDEEP

    12288:SMrsy90WFh+HX6yMCsXibI8j6c61f6JHlSxhlu4I4piPJBaOF/SHpg:KytFgCObI8ju1SJHlSlu4I7BRhYpg

Score
10/10
healerredlinedroznormdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

droz

C2

77.91.124.145:4125

Attributes
  • auth_value

    d099adf6dbf6ccb8e16967104280634a

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c402db00ac998d458e8f9fdb41f68e8b408f08e6cfec774fef47472f208c6ab6.exe
    "C:\Users\Admin\AppData\Local\Temp\c402db00ac998d458e8f9fdb41f68e8b408f08e6cfec774fef47472f208c6ab6.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4604
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHl2002.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHl2002.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:412
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr517871.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr517871.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:640
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku741136.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku741136.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2360
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:960
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 1464
          4⤵
          • Program crash
          PID:5228
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr321829.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr321829.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5352
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2360 -ip 2360
    1⤵
      PID:2264

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr321829.exe
      Filesize

      168KB

      MD5

      4bee12b23da12c06eb82a30af209ce9d

      SHA1

      502c5bad927d05be643974b8aef7460759f61214

      SHA256

      3ab7f8fd90f7f0a3488d185628753a34e7a18291d700d4379d48bf1eea176bba

      SHA512

      3d44894c6c6a971030821453bbb511c70b9f185ee5f62c4388f2f81614fa46c5f954934f6cf009623dd8e129e9316ed6a8ddec9fc926f9791e2e49460bf80818

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHl2002.exe
      Filesize

      507KB

      MD5

      3bbf81b26f390464871e27baff640f17

      SHA1

      f0c170bf271ad190076657a33dfbee4dcc01553e

      SHA256

      ae8efc7df41020098a824b3b3091110df0538634670925ea9d82fde14bbcf244

      SHA512

      4948ab86f742624e6b591111ca40697e6a3f04fd66a043591de6f6bc5375c30eba7d3c79590bcf6e6714fcd33a18d3230a5185f4e2936beb75873082ee00fc64

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr517871.exe
      Filesize

      15KB

      MD5

      78d270d5ef40646b754c122fd5b22496

      SHA1

      1f7d1ec825d1daa2e31385d522cb09f4ebbccb21

      SHA256

      57c4a7ad711e865756ce9ed72ffcb59c7dd7d7dd9d8f01636ed222f29d874eaf

      SHA512

      b42def7e9c7e0f1c0c52f6efd7627189b96a74b91c772df09e5a761454ed5c87410bc122ffd3a13ecb023f1b07c0815406f3b4ede03919783ee9e0931e8b1b1f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku741136.exe
      Filesize

      426KB

      MD5

      67f3cd0d976d8e1420d20c73ef979d1c

      SHA1

      7f13a8bba10e6734422a611e82e3ca92542ae594

      SHA256

      8319af1f68d74be85d51376249716791de81ec313a6da3d10bff90e4edf33acf

      SHA512

      bbc86e84655c8bb63dc5f43a18ce664ccaae4e74bf16da19e3813a74d3de0a6bd76d378025f8a0a5035ae661a2a05cb7e40057dc40465ad6ad683c33aa9e0c6e

      Download Submit

    • C:\Windows\Temp\1.exe
      Filesize

      168KB

      MD5

      1073b2e7f778788852d3f7bb79929882

      SHA1

      7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

      SHA256

      c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

      SHA512

      90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

      Download Submit

    • memory/640-16-0x00007FFBB4A53000-0x00007FFBB4A55000-memory.dmp

      Filesize

      8KB

      Download

    • memory/640-15-0x00000000001C0000-0x00000000001CA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/640-14-0x00007FFBB4A53000-0x00007FFBB4A55000-memory.dmp

      Filesize

      8KB

      Download

    • memory/960-2118-0x0000000000660000-0x0000000000690000-memory.dmp

      Filesize

      192KB

      Download

    • memory/960-2119-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/960-2120-0x0000000005600000-0x0000000005C18000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/960-2124-0x0000000005090000-0x00000000050DC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/960-2123-0x0000000005040000-0x000000000507C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/960-2122-0x0000000004FE0000-0x0000000004FF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/960-2121-0x00000000050F0000-0x00000000051FA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2360-60-0x0000000002810000-0x000000000286F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2360-38-0x0000000002810000-0x000000000286F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2360-84-0x0000000002810000-0x000000000286F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2360-82-0x0000000002810000-0x000000000286F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2360-80-0x0000000002810000-0x000000000286F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2360-76-0x0000000002810000-0x000000000286F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2360-75-0x0000000002810000-0x000000000286F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2360-72-0x0000000002810000-0x000000000286F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2360-70-0x0000000002810000-0x000000000286F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2360-68-0x0000000002810000-0x000000000286F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2360-64-0x0000000002810000-0x000000000286F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2360-88-0x0000000002810000-0x000000000286F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2360-58-0x0000000002810000-0x000000000286F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2360-56-0x0000000002810000-0x000000000286F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2360-52-0x0000000002810000-0x000000000286F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2360-50-0x0000000002810000-0x000000000286F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2360-46-0x0000000002810000-0x000000000286F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2360-44-0x0000000002810000-0x000000000286F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2360-40-0x0000000002810000-0x000000000286F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2360-86-0x0000000002810000-0x000000000286F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2360-34-0x0000000002810000-0x000000000286F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2360-66-0x0000000002810000-0x000000000286F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2360-62-0x0000000002810000-0x000000000286F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2360-54-0x0000000002810000-0x000000000286F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2360-48-0x0000000002810000-0x000000000286F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2360-42-0x0000000002810000-0x000000000286F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2360-36-0x0000000002810000-0x000000000286F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2360-30-0x0000000002810000-0x000000000286F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2360-78-0x0000000002810000-0x000000000286F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2360-32-0x0000000002810000-0x000000000286F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2360-24-0x0000000002810000-0x0000000002876000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2360-23-0x0000000004E00000-0x00000000053A4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2360-22-0x0000000002240000-0x00000000022A6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2360-28-0x0000000002810000-0x000000000286F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2360-26-0x0000000002810000-0x000000000286F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2360-25-0x0000000002810000-0x000000000286F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/2360-2105-0x0000000005540000-0x0000000005572000-memory.dmp

      Filesize

      200KB

      Download

    • memory/5352-2129-0x00000000002B0000-0x00000000002DE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/5352-2130-0x0000000004AD0000-0x0000000004AD6000-memory.dmp

      Filesize

      24KB

      Download