Overview

overview

10

Static

static

3

7d12e1fd56...e4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-11-2024 13:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7d12e1fd566b16094887dc5599ddb414854b48e735d1e8453051bd4b732999e4.exe

  • Size

    661KB

  • MD5

    f922427c7dbdf3fdb8fad7a3f0c2ed87

  • SHA1

    739dea9e6b1843b8c0c523faeb56c25ffec1651d

  • SHA256

    7d12e1fd566b16094887dc5599ddb414854b48e735d1e8453051bd4b732999e4

  • SHA512

    592eb5b7e32c9c802adddba381855e870c1e239bf41bc731ac1f4ef029746f0b3df8ebc8188b6223bdb66a4222f6a9566f6c7aeca6b2326b194e4dabe332eb8c

  • SSDEEP

    12288:BMr2y90nkx4/Bw5RfxN9lFJW4OtAl0rLJf4IspiFJn1S0pel3m0B:TysBw7JfV7WAl0Rf4IdnLG2Y

Score
10/10
healerredlinedroznormdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

droz

C2

77.91.124.145:4125

Attributes
  • auth_value

    d099adf6dbf6ccb8e16967104280634a

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d12e1fd566b16094887dc5599ddb414854b48e735d1e8453051bd4b732999e4.exe
    "C:\Users\Admin\AppData\Local\Temp\7d12e1fd566b16094887dc5599ddb414854b48e735d1e8453051bd4b732999e4.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5040
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziej7209.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziej7209.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4984
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr972874.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr972874.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1924
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku863652.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku863652.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1564
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:5568
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1380
          4⤵
          • Program crash
          PID:5680
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr525837.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr525837.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5752
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1564 -ip 1564
    1⤵
      PID:5656

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr525837.exe
      Filesize

      168KB

      MD5

      4c59315ea64a444f99bdabe37d1f32cf

      SHA1

      62042e77d53e01210ba4891472cb41f46894e5cd

      SHA256

      fd42b23ba747984521993bba6c9b5f8d9cda99ba313ac6a0d017f94f67cc92e3

      SHA512

      061489505d632a6718616d4c38fda010dcd4ea7d3675d1c95b683d78aab075336ca5ee91186cd3b621019922e26fb0a5837a94fa629ac2301983e60009a470ef

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziej7209.exe
      Filesize

      507KB

      MD5

      ac7251aafd12fd90d6dabd28d6c68d35

      SHA1

      c8b0005e41b69a0e3e04e8d951104e5e4bb69554

      SHA256

      ba1ac23e28ccd4107ec3a34fe3dd9a1f0760eb1189358b492342c6d0f287c3f3

      SHA512

      39a6db0b76edbd3acb8fc934e01e061ce69cfb30446975cafaddea88c061f40501b29515200c1834a9df077dfab20bf1007cd465ef40bc5bfc55aa40a3bd83b3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr972874.exe
      Filesize

      15KB

      MD5

      04f0166ddc9638f728278c0df04e77de

      SHA1

      ff5df00f80b3242498d1399ace13e32b9c002dfe

      SHA256

      b52003f14682955ef2746c8c4d6d9bc7aaf7e68f16e56a3757feb2f24769f9b1

      SHA512

      9296129f076e7ffa5bcdd4b1354c3fb4d6b7ebe8d4f8f09c599cfb9e8862e7bdac82eb6039666d67d60f603ff2fcb1228240a64fa335e946bfde1b8841849ae5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku863652.exe
      Filesize

      426KB

      MD5

      8d14f06e4da4eca5f0b876e5e81aefdf

      SHA1

      b55e82638636f1002b73019f380b1d348315d701

      SHA256

      4a94cb301efb07f439313e97a2ace980ad69049834b2917df6925c7aea353722

      SHA512

      acda6ee6d54a2828078c731cc2e5222800fd24d5b66bf81c9ed62ac1ec7ec980d2a89089c5380f37fd2a32346cae1907b617cf2555d6b03e01d70869c8d7b326

      Download Submit

    • C:\Windows\Temp\1.exe
      Filesize

      168KB

      MD5

      1073b2e7f778788852d3f7bb79929882

      SHA1

      7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

      SHA256

      c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

      SHA512

      90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

      Download Submit

    • memory/1564-54-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1564-86-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1564-24-0x00000000051D0000-0x0000000005236000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1564-26-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1564-44-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1564-88-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1564-42-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1564-84-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1564-80-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1564-78-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1564-76-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1564-40-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1564-72-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1564-70-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1564-68-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1564-66-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1564-64-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1564-62-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1564-60-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1564-58-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1564-46-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1564-22-0x0000000002550000-0x00000000025B6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1564-50-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1564-48-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1564-56-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1564-23-0x0000000004C20000-0x00000000051C4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1564-74-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1564-38-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1564-36-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1564-34-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1564-32-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1564-30-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1564-28-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1564-82-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1564-52-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1564-25-0x00000000051D0000-0x000000000522F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1564-2105-0x0000000005400000-0x0000000005432000-memory.dmp

      Filesize

      200KB

      Download

    • memory/1924-14-0x00007FFB81EE3000-0x00007FFB81EE5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1924-15-0x00000000009D0000-0x00000000009DA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1924-16-0x00007FFB81EE3000-0x00007FFB81EE5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/5568-2118-0x00000000001F0000-0x0000000000220000-memory.dmp

      Filesize

      192KB

      Download

    • memory/5568-2119-0x0000000004B10000-0x0000000004B16000-memory.dmp

      Filesize

      24KB

      Download

    • memory/5568-2120-0x00000000051D0000-0x00000000057E8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/5568-2121-0x0000000004CC0000-0x0000000004DCA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/5568-2122-0x0000000004B60000-0x0000000004B72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5568-2123-0x0000000004BF0000-0x0000000004C2C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/5568-2124-0x0000000004C30000-0x0000000004C7C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/5752-2129-0x0000000000B60000-0x0000000000B8E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/5752-2130-0x0000000005380000-0x0000000005386000-memory.dmp

      Filesize

      24KB

      Download