Overview

overview

10

Static

static

3

94feae5e1b...fc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-11-2024 19:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    94feae5e1b840118edb0bb16be769399761887bece75cec3d72e379fda52d3fc.exe

  • Size

    661KB

  • MD5

    b2f4d0b5b5e1090d39a37d8efd7c0eb6

  • SHA1

    c74efa3f75abf7aa1f44423e5624e84da4e5de32

  • SHA256

    94feae5e1b840118edb0bb16be769399761887bece75cec3d72e379fda52d3fc

  • SHA512

    810eb62234fb0aba0763145382c5bbe29eeb92b693230c6eff333b6956d8e952de8264df41c97fbc88d5c1e97974cfe7524977bb0d1b56e5cb8347e05aff4a10

  • SSDEEP

    12288:zMrEy90ou2WwxhDlJXTc2vVunFJMSpwUQxj9OVeWh4QFJdJ6bcZy4oNruGnX9h8P:PyvpWClJXT/uB8G7ak36bcZd2tiP

Score
10/10
healerredlinedroznormdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

droz

C2

77.91.124.145:4125

Attributes
  • auth_value

    d099adf6dbf6ccb8e16967104280634a

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\94feae5e1b840118edb0bb16be769399761887bece75cec3d72e379fda52d3fc.exe
    "C:\Users\Admin\AppData\Local\Temp\94feae5e1b840118edb0bb16be769399761887bece75cec3d72e379fda52d3fc.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3316
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigC3989.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigC3989.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:900
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr166478.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr166478.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1388
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku179646.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku179646.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4032
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4840
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 1188
          4⤵
          • Program crash
          PID:840
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr238984.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr238984.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:720
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4032 -ip 4032
    1⤵
      PID:4904

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr238984.exe
      Filesize

      168KB

      MD5

      e008de66f131edb4806b6931966baab1

      SHA1

      bdb65a9329feec34bc8f59ae2f13b4c9eb07fd95

      SHA256

      6d7a99e2486e8a78e377969ac671e4c66764e945240e61a21cfea531eeb187d5

      SHA512

      f1ba4caac8bd5c50fc499e2899a1d98b1703d3a00ddc00335f7bddc20472cc1bfe19e84ceb469f2c97173175cc3e5402c9fc5f2a68d611ed8b33ab66c6244988

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigC3989.exe
      Filesize

      507KB

      MD5

      e7e9e86b22d88dfc0c42f9f96d7b3e2d

      SHA1

      4d96f1e8e024ed4b97624a59f8ed785c9a913466

      SHA256

      4d9b5a6554c3c0bfcdd600b7ff7a702e6d3a24ac6f91ac2ad7634d7303049c16

      SHA512

      e9510459ec21597f47a1e5c8380f17ba0b4e0cc040163f797da06083280c601b57d3e3a5ea8611a601d375316ec38443bbed4687dc30612a1d232f210b387d8e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr166478.exe
      Filesize

      14KB

      MD5

      bee1f8c4dfede1b1da9ed2098e2cd467

      SHA1

      6ca9ebfb721612ce97e8bb17fd3a61c8e1ee99f4

      SHA256

      97c5f2536eeb371d1a388327a56954f919e2d97bf9f41f171f7489ab38e979ea

      SHA512

      12b6e60efbdc06dab738ce87646b97bb053f2b7fd7c08231a402fcce4083485804fb56cf45d242ad0426e450f4224fd00f2c376e73ccff330843913b561cadf8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku179646.exe
      Filesize

      426KB

      MD5

      630b35a8a1fcdc3dfe6544e5d3eca468

      SHA1

      775ea2badf3020459ee2377286dfd7b8dcbe95ca

      SHA256

      c8110603aa7e1b72d1e4a3ce0cae5d1455ac387e5db4263f53bf32a9cac99ef3

      SHA512

      f8139ea5cee7cb4a0f559543d4a69b4837611d4171277b134958c4dd343d5b3301fcec0fb0096da376cea32503729828dc46f944793eb0c1562db305ab537f9e

      Download Submit

    • C:\Windows\Temp\1.exe
      Filesize

      168KB

      MD5

      1073b2e7f778788852d3f7bb79929882

      SHA1

      7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

      SHA256

      c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

      SHA512

      90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

      Download Submit

    • memory/720-2129-0x0000000000550000-0x000000000057E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/720-2130-0x0000000002730000-0x0000000002736000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1388-14-0x00007FFDF6C33000-0x00007FFDF6C35000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1388-15-0x0000000000720000-0x000000000072A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1388-16-0x00007FFDF6C33000-0x00007FFDF6C35000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4032-63-0x0000000005200000-0x000000000525F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4032-51-0x0000000005200000-0x000000000525F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4032-24-0x0000000005200000-0x0000000005266000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4032-32-0x0000000005200000-0x000000000525F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4032-57-0x0000000005200000-0x000000000525F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4032-88-0x0000000005200000-0x000000000525F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4032-86-0x0000000005200000-0x000000000525F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4032-84-0x0000000005200000-0x000000000525F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4032-82-0x0000000005200000-0x000000000525F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4032-78-0x0000000005200000-0x000000000525F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4032-76-0x0000000005200000-0x000000000525F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4032-74-0x0000000005200000-0x000000000525F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4032-72-0x0000000005200000-0x000000000525F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4032-70-0x0000000005200000-0x000000000525F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4032-68-0x0000000005200000-0x000000000525F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4032-66-0x0000000005200000-0x000000000525F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4032-22-0x00000000025B0000-0x0000000002616000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4032-60-0x0000000005200000-0x000000000525F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4032-58-0x0000000005200000-0x000000000525F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4032-54-0x0000000005200000-0x000000000525F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4032-52-0x0000000005200000-0x000000000525F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4032-23-0x0000000004C10000-0x00000000051B4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4032-48-0x0000000005200000-0x000000000525F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4032-46-0x0000000005200000-0x000000000525F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4032-45-0x0000000005200000-0x000000000525F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4032-42-0x0000000005200000-0x000000000525F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4032-40-0x0000000005200000-0x000000000525F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4032-38-0x0000000005200000-0x000000000525F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4032-37-0x0000000005200000-0x000000000525F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4032-34-0x0000000005200000-0x000000000525F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4032-30-0x0000000005200000-0x000000000525F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4032-28-0x0000000005200000-0x000000000525F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4032-80-0x0000000005200000-0x000000000525F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4032-65-0x0000000005200000-0x000000000525F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4032-26-0x0000000005200000-0x000000000525F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4032-25-0x0000000005200000-0x000000000525F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4032-2105-0x0000000005400000-0x0000000005432000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4840-2118-0x00000000007F0000-0x0000000000820000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4840-2119-0x00000000029F0000-0x00000000029F6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4840-2120-0x0000000005740000-0x0000000005D58000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4840-2121-0x0000000005240000-0x000000000534A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4840-2122-0x0000000005170000-0x0000000005182000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4840-2123-0x00000000051D0000-0x000000000520C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4840-2124-0x0000000005350000-0x000000000539C000-memory.dmp

      Filesize

      304KB

      Download