Overview

overview

10

Static

static

3

3970d830c6...5f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/11/2024, 21:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3970d830c60d06255b3a7a0580f18a0f6c85c12874829dc24c686996b294475f.exe

  • Size

    650KB

  • MD5

    3f1c0a4f3be23aa4e95025ad3cca0a83

  • SHA1

    3ce9704f135bd2abef5b334580a5006c8f0b1adb

  • SHA256

    3970d830c60d06255b3a7a0580f18a0f6c85c12874829dc24c686996b294475f

  • SHA512

    4018d68eea1e2d8400361493e21f8f5799ad198b1fb8f40bafd9bc08af8ae11e3ff7de87bbfba6da1115f3ce7685e2c54b841b59bd5d32ef1912e912702fd995

  • SSDEEP

    12288:/Mruy90COcq6aLKb9nVppEqE+YP7d07ZDmtZBlEv8Q4sJtkm:hynCL2EqE+YPSxmvsUfsrkm

Score
10/10
healerredlinedizanormdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

C2

77.91.124.145:4125

Attributes
  • auth_value

    bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3970d830c60d06255b3a7a0580f18a0f6c85c12874829dc24c686996b294475f.exe
    "C:\Users\Admin\AppData\Local\Temp\3970d830c60d06255b3a7a0580f18a0f6c85c12874829dc24c686996b294475f.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4680
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zizV8803.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zizV8803.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3768
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr100538.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr100538.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2240
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku125119.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku125119.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1308
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:5316
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1380
          4⤵
          • Program crash
          PID:6136
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr834790.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr834790.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2292
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1308 -ip 1308
    1⤵
      PID:5900
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start wuauserv
      1⤵
      • Launches sc.exe
      PID:2952

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr834790.exe
      Filesize

      168KB

      MD5

      7d70ea85bf144baf0a60ed85240b7177

      SHA1

      a885c342fb858acbc96bd9569cf5c1aac3860163

      SHA256

      2fb69b683805ca3757face7338abb2269818bb36b91454a72b2bef55ab598b1d

      SHA512

      092518f3faccae1afa95eafce7879bca36156aba4447f0c05830183056c237f79cb3706671f4b36562ecc287e51c954d8efce645db53bcaae6e9f0ef1d3b10b0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zizV8803.exe
      Filesize

      496KB

      MD5

      186531f39047b233177458a75ba7f0da

      SHA1

      27face9d8c164c44c9cff842d15715608ea8d146

      SHA256

      b215b555b14c46b491e850178a349150e3ba2db6f73c98a92a44f0fe04d5ab59

      SHA512

      bd31359b7a7ee80a974191d56ddaa46989cab0dc32a91e51b50464ba1092ab121cb50b5caa784ed683811d57694f9014cffcb161e5944d7fa9e5d9518caf7bb9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr100538.exe
      Filesize

      11KB

      MD5

      f53dad119013acb06f4fd3e93a724065

      SHA1

      f22fa1aacedb1d95a7c56b4d570b3a7a88b9f1bf

      SHA256

      4da084c70aac2e578fa72442175d8bcfe21e1fc04446922958c809fd783de34b

      SHA512

      f1b3e9229265d5b0383474a1e2d07c3caee0644ed2e7c44e97637b5a4f4313dd919a175d64b5855a0fb9785f35c68ec610295168250045b6427d45670aee0225

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku125119.exe
      Filesize

      414KB

      MD5

      25914ea6d815cba0994413bad6239d5f

      SHA1

      b293b82434447ada3ea556a4b6a7cca5aeb1bda3

      SHA256

      bb82f2df76f44af1c7e0d8b7d0e26bb380d78548d2c694f9c869afa68e45bf25

      SHA512

      73ed3cb56be9e3f39a98d870ca616dd824a970c5a89d62ea1e953d420bbedb63ebc4fc46fc5214bf728d47f254676292313f16a50c47920272f2c925993e0262

      Download Submit

    • C:\Windows\Temp\1.exe
      Filesize

      168KB

      MD5

      1073b2e7f778788852d3f7bb79929882

      SHA1

      7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

      SHA256

      c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

      SHA512

      90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

      Download Submit

    • memory/1308-54-0x0000000004BB0000-0x0000000004C0F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1308-58-0x0000000004BB0000-0x0000000004C0F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1308-24-0x0000000004BB0000-0x0000000004C16000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1308-28-0x0000000004BB0000-0x0000000004C0F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1308-38-0x0000000004BB0000-0x0000000004C0F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1308-88-0x0000000004BB0000-0x0000000004C0F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1308-86-0x0000000004BB0000-0x0000000004C0F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1308-84-0x0000000004BB0000-0x0000000004C0F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1308-82-0x0000000004BB0000-0x0000000004C0F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1308-80-0x0000000004BB0000-0x0000000004C0F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1308-78-0x0000000004BB0000-0x0000000004C0F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1308-76-0x0000000004BB0000-0x0000000004C0F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1308-72-0x0000000004BB0000-0x0000000004C0F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1308-70-0x0000000004BB0000-0x0000000004C0F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1308-69-0x0000000004BB0000-0x0000000004C0F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1308-66-0x0000000004BB0000-0x0000000004C0F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1308-64-0x0000000004BB0000-0x0000000004C0F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1308-62-0x0000000004BB0000-0x0000000004C0F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1308-60-0x0000000004BB0000-0x0000000004C0F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1308-42-0x0000000004BB0000-0x0000000004C0F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1308-56-0x0000000004BB0000-0x0000000004C0F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1308-22-0x0000000004C20000-0x0000000004C86000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1308-52-0x0000000004BB0000-0x0000000004C0F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1308-48-0x0000000004BB0000-0x0000000004C0F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1308-23-0x0000000004C90000-0x0000000005234000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1308-44-0x0000000004BB0000-0x0000000004C0F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1308-46-0x0000000004BB0000-0x0000000004C0F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1308-40-0x0000000004BB0000-0x0000000004C0F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1308-36-0x0000000004BB0000-0x0000000004C0F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1308-34-0x0000000004BB0000-0x0000000004C0F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1308-32-0x0000000004BB0000-0x0000000004C0F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1308-30-0x0000000004BB0000-0x0000000004C0F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1308-74-0x0000000004BB0000-0x0000000004C0F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1308-50-0x0000000004BB0000-0x0000000004C0F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1308-26-0x0000000004BB0000-0x0000000004C0F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1308-25-0x0000000004BB0000-0x0000000004C0F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1308-2105-0x0000000005400000-0x0000000005432000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2240-14-0x00007FFD35843000-0x00007FFD35845000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2240-15-0x0000000000170000-0x000000000017A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2240-16-0x00007FFD35843000-0x00007FFD35845000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2292-2130-0x0000000003040000-0x0000000003046000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2292-2129-0x0000000000EA0000-0x0000000000ECE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/5316-2118-0x0000000000F50000-0x0000000000F80000-memory.dmp

      Filesize

      192KB

      Download

    • memory/5316-2119-0x0000000005730000-0x0000000005736000-memory.dmp

      Filesize

      24KB

      Download

    • memory/5316-2120-0x0000000005F40000-0x0000000006558000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/5316-2121-0x0000000005A30000-0x0000000005B3A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/5316-2122-0x00000000057C0000-0x00000000057D2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5316-2123-0x0000000005960000-0x000000000599C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/5316-2124-0x00000000059A0000-0x00000000059EC000-memory.dmp

      Filesize

      304KB

      Download