Overview

overview

10

Static

static

3

c5a13a79ba...aa.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-11-2024 13:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c5a13a79baa8b98ab11e0ef6c33691733fd884e26587e48333137e4ba3b78faa.exe

  • Size

    651KB

  • MD5

    585fd23fea8b83c40dce7571ecfd0f8f

  • SHA1

    8bf0710bb708ac58ef2ca5ee0b4d2ccaf91f723b

  • SHA256

    c5a13a79baa8b98ab11e0ef6c33691733fd884e26587e48333137e4ba3b78faa

  • SHA512

    33097c242c18795d8f1a75145a2809e05a89da12fea3ab0599302f07984f490a534abe9fa64d5d5d37d163e5d6bf2a80823e1f841dd2fdcf9479428c19112a1e

  • SSDEEP

    12288:sMrby90kO2lTeNIAwHOrGuGToWI7Y3ApgGoqHr8vxcEXU6JbGN:nyyeK2dOHGMWZGJGx5k60N

Score
10/10
healerredlinedizanormdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

C2

77.91.124.145:4125

Attributes
  • auth_value

    bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5a13a79baa8b98ab11e0ef6c33691733fd884e26587e48333137e4ba3b78faa.exe
    "C:\Users\Admin\AppData\Local\Temp\c5a13a79baa8b98ab11e0ef6c33691733fd884e26587e48333137e4ba3b78faa.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5004
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGS4755.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGS4755.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1124
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr415793.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr415793.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4888
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku526972.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku526972.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:376
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:5492
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 1512
          4⤵
          • Program crash
          PID:4184
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr479832.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr479832.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3892
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 376 -ip 376
    1⤵
      PID:4556

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr479832.exe
      Filesize

      168KB

      MD5

      d97a8410207c68e9f57056a90f865324

      SHA1

      833d9d279ea2c12d7389080b653b5b6694bd83e3

      SHA256

      9aeab388339a58a7dadf1fe501062ce2c2c187d835eeebf2c2fb3683d4bba9a0

      SHA512

      08b79e9211a4ff9dc8f0cde1fcaa63cc9f86c3e2be6b1ba5980a0730aae89aacf28cf614715654cbfb51cb527ac1c3c0981b3bb1b53c9d8e58f580dbd0529c6e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGS4755.exe
      Filesize

      497KB

      MD5

      7aeef699ae2e25f73e6866d67574e97f

      SHA1

      3b856599cc7eb88c9b1499bf4453028fad7a3890

      SHA256

      5cf94896fd366fa9ce5df7b09b6b621de00a49416f60c39de1606ec1cc4fa112

      SHA512

      5e4a272aabeda0fba3c8a746c50cd1c5b71545f5757f9b7e52fb83b446a52819ff1e286eca91993e603d3f39dbd49f077d2b0633051971d4ccff844fbd47b226

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr415793.exe
      Filesize

      11KB

      MD5

      69ad867775a6a8ab7e6d8f23a9272752

      SHA1

      fcbf04c68d445e51b3e4b4dc1e9ac941c405f0c4

      SHA256

      618a768268787cd4acd54ed9047d14f042ca66d1ee6b631fecd3776560d51aa0

      SHA512

      d39b0b56faf4dbdfe5082f91818aae45cabef3c774f334823099cd31fca00a3a2c0d9d4f853dce7af7d723046f88d049041a720eb4f7f4b039a8d2b2c370e6c5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku526972.exe
      Filesize

      415KB

      MD5

      5458a426bef9c7ec2ba92aaeeed01893

      SHA1

      a86e34684abbfcfe615ef5893a4986034a7af918

      SHA256

      63e1e2be73887760b1915e4f82fd2868c911263f937855256b6acfbe098554ca

      SHA512

      a1e1cebf6d603853b26e91b3de24bd2149eb2c4dc17e4cb832be3db1c69892a04a49b67698f63d370a31b0f84ae9e2a766285ce283209c5ddcbcafc33f34576b

      Download Submit

    • C:\Windows\Temp\1.exe
      Filesize

      168KB

      MD5

      1073b2e7f778788852d3f7bb79929882

      SHA1

      7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

      SHA256

      c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

      SHA512

      90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

      Download Submit

    • memory/376-52-0x0000000005310000-0x000000000536F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/376-84-0x0000000005310000-0x000000000536F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/376-24-0x0000000005310000-0x0000000005376000-memory.dmp

      Filesize

      408KB

      Download

    • memory/376-30-0x0000000005310000-0x000000000536F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/376-46-0x0000000005310000-0x000000000536F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/376-88-0x0000000005310000-0x000000000536F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/376-40-0x0000000005310000-0x000000000536F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/376-83-0x0000000005310000-0x000000000536F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/376-80-0x0000000005310000-0x000000000536F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/376-78-0x0000000005310000-0x000000000536F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/376-76-0x0000000005310000-0x000000000536F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/376-38-0x0000000005310000-0x000000000536F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/376-72-0x0000000005310000-0x000000000536F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/376-70-0x0000000005310000-0x000000000536F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/376-68-0x0000000005310000-0x000000000536F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/376-66-0x0000000005310000-0x000000000536F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/376-64-0x0000000005310000-0x000000000536F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/376-60-0x0000000005310000-0x000000000536F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/376-58-0x0000000005310000-0x000000000536F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/376-56-0x0000000005310000-0x000000000536F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/376-42-0x0000000005310000-0x000000000536F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/376-22-0x0000000004CB0000-0x0000000004D16000-memory.dmp

      Filesize

      408KB

      Download

    • memory/376-50-0x0000000005310000-0x000000000536F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/376-44-0x0000000005310000-0x000000000536F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/376-54-0x0000000005310000-0x000000000536F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/376-23-0x0000000004D20000-0x00000000052C4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/376-74-0x0000000005310000-0x000000000536F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/376-36-0x0000000005310000-0x000000000536F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/376-34-0x0000000005310000-0x000000000536F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/376-32-0x0000000005310000-0x000000000536F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/376-28-0x0000000005310000-0x000000000536F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/376-86-0x0000000005310000-0x000000000536F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/376-62-0x0000000005310000-0x000000000536F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/376-48-0x0000000005310000-0x000000000536F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/376-26-0x0000000005310000-0x000000000536F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/376-25-0x0000000005310000-0x000000000536F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/376-2105-0x0000000005540000-0x0000000005572000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3892-2129-0x00000000000E0000-0x000000000010E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3892-2130-0x0000000000810000-0x0000000000816000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4888-14-0x00007FFCC6A43000-0x00007FFCC6A45000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4888-15-0x00000000000B0000-0x00000000000BA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4888-16-0x00007FFCC6A43000-0x00007FFCC6A45000-memory.dmp

      Filesize

      8KB

      Download

    • memory/5492-2118-0x00000000006D0000-0x0000000000700000-memory.dmp

      Filesize

      192KB

      Download

    • memory/5492-2119-0x0000000002960000-0x0000000002966000-memory.dmp

      Filesize

      24KB

      Download

    • memory/5492-2120-0x0000000005650000-0x0000000005C68000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/5492-2121-0x0000000005140000-0x000000000524A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/5492-2122-0x0000000005050000-0x0000000005062000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5492-2123-0x00000000050B0000-0x00000000050EC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/5492-2124-0x0000000005250000-0x000000000529C000-memory.dmp

      Filesize

      304KB

      Download