Overview

overview

10

Static

static

3

b39d242e00...23.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/11/2024, 05:44

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    b39d242e00e8fd718e77ec147a3ef9160a8b2f064b2f04a521590c5ffe216223.exe

  • Size

    1.0MB

  • MD5

    cb1ac9ae48dffa2ef1dc579553c0e72a

  • SHA1

    4d99907fe01c713c2b9a50f88e84507a3a334e7b

  • SHA256

    b39d242e00e8fd718e77ec147a3ef9160a8b2f064b2f04a521590c5ffe216223

  • SHA512

    25627afc018a9ce683b7cefd452e8b5a8f113b8378f2508b898cb8101ff854f84353e3178d4e4fac966a434bf82dec079c2fe8a861a5476bc7fa29b8c4fc5bbe

  • SSDEEP

    24576:gylsBfCtSpmZIStXdi6zSldnDDIupRG6k3BFjADo:nlkfgvZi2SDD0uRG5hA

Score
10/10
healerredlinedroznormdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

droz

C2

77.91.124.145:4125

Attributes
  • auth_value

    d099adf6dbf6ccb8e16967104280634a

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b39d242e00e8fd718e77ec147a3ef9160a8b2f064b2f04a521590c5ffe216223.exe
    "C:\Users\Admin\AppData\Local\Temp\b39d242e00e8fd718e77ec147a3ef9160a8b2f064b2f04a521590c5ffe216223.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4384
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un790030.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un790030.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4356
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un159047.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un159047.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2408
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr679774.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr679774.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2160
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 1028
            5⤵
            • Program crash
            PID:4112
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu739344.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu739344.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4264
          • C:\Windows\Temp\1.exe
            "C:\Windows\Temp\1.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:6020
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1380
            5⤵
            • Program crash
            PID:560
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk791157.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk791157.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1640
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2160 -ip 2160
    1⤵
      PID:1040
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4264 -ip 4264
      1⤵
        PID:3704

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un790030.exe
        Filesize

        801KB

        MD5

        333c03548d886cbe6e673f206816728a

        SHA1

        425e5c2f0436426badeeacb894194c264b379866

        SHA256

        9299a06bcbb6c4a7eb48e85605c8ceeeebd8fe2594cbb071b81a435fc10dc1d1

        SHA512

        c122cc2dc2173e1872683f9cbda16ab99c6473c551640741c51ace9d3d4d69cfb33d568e70d61d404ae7c9a098ebca076e1899911030d20bec534b8430cc7b5a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk791157.exe
        Filesize

        168KB

        MD5

        7b0c11d8c8dc6b5f6f402f68d57c8908

        SHA1

        266eab2844ad8249d63b200873f0141f090b0511

        SHA256

        73954715acff80396881ef5755a3ae4494f28a5977b1e4d720b8500408ce0e96

        SHA512

        9ba44353979cfc68992d3543dbc2f5a30d34c3fbf4045df467c15933be3e89e8d88fb47dc340653a05fe094784e726448ac8d4653fe75e7b8d5d6d6f15238b2c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un159047.exe
        Filesize

        647KB

        MD5

        f8090a5cb50e5e05bfdf4d5d7e8d8384

        SHA1

        24126e2407ff0ba1fee8feba25fa9112d054acdd

        SHA256

        1889035d5a3d58dbf90d2628743c1ad02e33150f88bc480220c3d821cfea034e

        SHA512

        12a50d6f95d7e91a24a6a04e1c7131d22a228db4bd2cd04018ebc976df40f08bb263ad1258ba00565156b334b1aa1125d77f122eaa78645da12069d2c016adb2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr679774.exe
        Filesize

        243KB

        MD5

        1204349112e18aadbcdb088ad4a056b6

        SHA1

        6a0ee0145c9661a40169350db00c59969d6fe5df

        SHA256

        3bbc57179a1a27dbd94819ee3854a635253d3de75199f0e1a34439ce0ea05f75

        SHA512

        f393f01ecd755de9bfce1a3b2aba9a376f36c5900e4c0998089a63a5d487da3c63150c3304905e6d51a8636e0919788b3d9bd40a0740989ef3ff85eef8a2e76e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu739344.exe
        Filesize

        426KB

        MD5

        8c8371a2e2052b8cd84cd49d6a0e9c38

        SHA1

        1039d0eaaddfdec88056caa11ae3b5ee371dbf80

        SHA256

        0d2cb330efe73ce6fb99232b70482e2462f7275922a663f93bfb3885325716b3

        SHA512

        7750ef072175a92b982684b7845760102a483c6d2d8b1da45b5b685f1c21ab8d655529acce89d74299b97e15ba19189f74ab043a968fcf24f9d90d3279a05cb1

        Download Submit

      • C:\Windows\Temp\1.exe
        Filesize

        168KB

        MD5

        1073b2e7f778788852d3f7bb79929882

        SHA1

        7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

        SHA256

        c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

        SHA512

        90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

        Download Submit

      • memory/1640-2174-0x0000000005620000-0x0000000005626000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1640-2173-0x0000000000D00000-0x0000000000D2E000-memory.dmp

        Filesize

        184KB

        Download

      • memory/2160-61-0x0000000000400000-0x00000000004AA000-memory.dmp

        Filesize

        680KB

        Download

      • memory/2160-51-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2160-55-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2160-53-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2160-49-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2160-48-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2160-45-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2160-43-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2160-41-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2160-39-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2160-37-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2160-35-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2160-33-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2160-31-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2160-28-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2160-29-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2160-56-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2160-57-0x0000000000580000-0x00000000005AD000-memory.dmp

        Filesize

        180KB

        Download

      • memory/2160-58-0x0000000000400000-0x00000000004AA000-memory.dmp

        Filesize

        680KB

        Download

      • memory/2160-59-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/2160-62-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/2160-27-0x0000000004A40000-0x0000000004A58000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2160-26-0x0000000004B90000-0x0000000005134000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2160-23-0x0000000000580000-0x00000000005AD000-memory.dmp

        Filesize

        180KB

        Download

      • memory/2160-22-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2160-24-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/2160-25-0x00000000023B0000-0x00000000023CA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4264-100-0x00000000051C0000-0x000000000521F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4264-72-0x00000000051C0000-0x000000000521F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4264-96-0x00000000051C0000-0x000000000521F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4264-94-0x00000000051C0000-0x000000000521F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4264-92-0x00000000051C0000-0x000000000521F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4264-88-0x00000000051C0000-0x000000000521F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4264-86-0x00000000051C0000-0x000000000521F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4264-85-0x00000000051C0000-0x000000000521F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4264-82-0x00000000051C0000-0x000000000521F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4264-80-0x00000000051C0000-0x000000000521F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4264-78-0x00000000051C0000-0x000000000521F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4264-76-0x00000000051C0000-0x000000000521F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4264-75-0x00000000051C0000-0x000000000521F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4264-98-0x00000000051C0000-0x000000000521F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4264-70-0x00000000051C0000-0x000000000521F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4264-69-0x00000000051C0000-0x000000000521F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4264-2149-0x0000000005400000-0x0000000005432000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4264-102-0x00000000051C0000-0x000000000521F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/4264-67-0x0000000004A60000-0x0000000004AC6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4264-68-0x00000000051C0000-0x0000000005226000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4264-90-0x00000000051C0000-0x000000000521F000-memory.dmp

        Filesize

        380KB

        Download

      • memory/6020-2165-0x00000000055A0000-0x00000000056AA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/6020-2166-0x00000000054D0000-0x00000000054E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/6020-2167-0x0000000005530000-0x000000000556C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/6020-2168-0x00000000056B0000-0x00000000056FC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/6020-2164-0x0000000005AB0000-0x00000000060C8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/6020-2163-0x0000000002B30000-0x0000000002B36000-memory.dmp

        Filesize

        24KB

        Download

      • memory/6020-2161-0x0000000000B50000-0x0000000000B80000-memory.dmp

        Filesize

        192KB

        Download