Overview

overview

10

Static

static

3

6690f19f16...5f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-11-2024 15:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6690f19f1640a6882443ef78298df996aed675a84f549976d462a8fa3204fe5f.exe

  • Size

    661KB

  • MD5

    f20a27fdef19af0583d1bd6a1909d1a7

  • SHA1

    98b857c8b039ffbf5f613542faaee92349b6f1ce

  • SHA256

    6690f19f1640a6882443ef78298df996aed675a84f549976d462a8fa3204fe5f

  • SHA512

    0a0877a687a314f00e8aa1737e9e8177a3870ba29a702b0c906439647d1fa7d9e8744db73a1e013d2814a6f7aecb827dd14dba5d78bef6e39907e3cd652e7f3b

  • SSDEEP

    12288:UMrty90hPW/oB1uG9Ihdkawj+xuPSQ/h/cqp9IFbiSVAM5VGmv3XQ:hyO/uz2j+xuPSQ5Ybi2tG0Q

Score
10/10
healerredlinedroznormdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

droz

C2

77.91.124.145:4125

Attributes
  • auth_value

    d099adf6dbf6ccb8e16967104280634a

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6690f19f1640a6882443ef78298df996aed675a84f549976d462a8fa3204fe5f.exe
    "C:\Users\Admin\AppData\Local\Temp\6690f19f1640a6882443ef78298df996aed675a84f549976d462a8fa3204fe5f.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3244
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirr8381.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirr8381.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5056
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr875962.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr875962.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3032
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku083115.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku083115.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1516
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1900
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 1376
          4⤵
          • Program crash
          PID:3780
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr944235.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr944235.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4464
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1516 -ip 1516
    1⤵
      PID:1756

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr944235.exe
      Filesize

      168KB

      MD5

      c8b13f69c22cc33d3307313e21ddfd44

      SHA1

      2a201bfb4f6dcc1549c561262e5d47773533bbc0

      SHA256

      c22493cd6e030391a79686d3634423b17841ff91c4be231f8a02f1dba94f2e52

      SHA512

      c1e6f443717f0a6f9e1ff7e5bd56086f482fc82b7113c0e7c06c82e098b0abf3765abf7ad7819467e691b70546358d52fcadd37e4e48113e55fe55e21ac44384

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirr8381.exe
      Filesize

      507KB

      MD5

      bf42c873e24e312b2f7fd5de9ca9be32

      SHA1

      1097a3d0444c18fa0f30c29136a4760975dabddc

      SHA256

      f9879afa16ae98febde6782827a14d52ddf4182ec07a86e6a60ddef49f4c6737

      SHA512

      041726f03172a19c48909deeaf127774a1cd24e0aba8f3e3cfac6b42763f738b1ad405a9e20dc7d453648eec1d5acec32e118744ca27642b5a4fc51898404556

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr875962.exe
      Filesize

      14KB

      MD5

      9bd8196375d6f5b9109abf7b3db6e6f8

      SHA1

      d88a50024adfb5100a61f43994d99e452161494d

      SHA256

      02dc8876059f8542d9ebabc73fd7b68073bb8cf20ca7d5f7f9a9d62a60a7b272

      SHA512

      cbe038256ae6c595ed2da064f72f727e1d971eafb7e0da02805c6c03e7d3b19e0367d763f4916d3eef473d4472e273dcc50411eeb6fc09412667c39a14f4a002

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku083115.exe
      Filesize

      426KB

      MD5

      cc65ed0287bba8c5d7660e385f2366bb

      SHA1

      348c5225364a8f1510e25c873a08347af8df6ba4

      SHA256

      81d64ef2fdbdcd31b2ea97d5fddf013197de9c615bee97c7a02f30f1a06d7cad

      SHA512

      14a60bf78ee26b0c59fceb5fadc4cc0224314c6e04ed0014572752277a0c5faa1d81c9dd73eafbcae65d01533b884c6e02931b0e43ec1606fb1b8dc06187caa9

      Download Submit

    • C:\Windows\Temp\1.exe
      Filesize

      168KB

      MD5

      1073b2e7f778788852d3f7bb79929882

      SHA1

      7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

      SHA256

      c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

      SHA512

      90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

      Download Submit

    • memory/1516-58-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1516-48-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1516-24-0x0000000005320000-0x0000000005386000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1516-52-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1516-54-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1516-50-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1516-42-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1516-86-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1516-84-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1516-82-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1516-80-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1516-40-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1516-76-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1516-74-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1516-72-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1516-70-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1516-68-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1516-67-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1516-64-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1516-62-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1516-44-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1516-22-0x0000000004D00000-0x0000000004D66000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1516-57-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1516-46-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1516-60-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1516-23-0x0000000004D70000-0x0000000005314000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1516-78-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1516-36-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1516-34-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1516-88-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1516-38-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1516-32-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1516-30-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1516-28-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1516-26-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1516-25-0x0000000005320000-0x000000000537F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1516-2105-0x0000000005540000-0x0000000005572000-memory.dmp

      Filesize

      200KB

      Download

    • memory/1900-2118-0x0000000000980000-0x00000000009B0000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1900-2119-0x0000000005160000-0x0000000005166000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1900-2120-0x0000000005900000-0x0000000005F18000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1900-2121-0x00000000053F0000-0x00000000054FA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1900-2122-0x0000000005300000-0x0000000005312000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1900-2123-0x0000000005360000-0x000000000539C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1900-2124-0x0000000005500000-0x000000000554C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3032-14-0x00007FFF96863000-0x00007FFF96865000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3032-15-0x0000000000670000-0x000000000067A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3032-16-0x00007FFF96863000-0x00007FFF96865000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4464-2129-0x00000000005E0000-0x000000000060E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4464-2130-0x0000000000C80000-0x0000000000C86000-memory.dmp

      Filesize

      24KB

      Download