Overview

overview

10

Static

static

3

758e1a65ca...28.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/11/2024, 00:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    758e1a65ca3890bf7eab681e856f27e493d914ee40b3a0b1e4ebdf502c0f6c28.exe

  • Size

    654KB

  • MD5

    9df930ed1860f7b351f16831d2fefefa

  • SHA1

    acbe9341a7d6c4f35c33c8a9e2e212880c9f6be1

  • SHA256

    758e1a65ca3890bf7eab681e856f27e493d914ee40b3a0b1e4ebdf502c0f6c28

  • SHA512

    5ef3e0d56af1445b0f4a00449cb61cf14884b8b6d0a744423406f45f29ace80c51fb3e2e24a1e5c5922636a6a201cb5cb55d50f8ac24a4fd813c379788567a1f

  • SSDEEP

    12288:FMrXy90S8VmKwATGTQY6DlsCrVTTR9NoCuzwdgwTEAPTZUs82gG+VPzS9W:6yvkmKlGTH6fjuwdg6EA7ZUs8NNzS9W

Score
10/10
healerredlinedizanormdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

C2

77.91.124.145:4125

Attributes
  • auth_value

    bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\758e1a65ca3890bf7eab681e856f27e493d914ee40b3a0b1e4ebdf502c0f6c28.exe
    "C:\Users\Admin\AppData\Local\Temp\758e1a65ca3890bf7eab681e856f27e493d914ee40b3a0b1e4ebdf502c0f6c28.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:720
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziah3595.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziah3595.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2076
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr875184.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr875184.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4508
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku235661.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku235661.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4760
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3940
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1196
          4⤵
          • Program crash
          PID:5392
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr117010.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr117010.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1284
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4760 -ip 4760
    1⤵
      PID:5336

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr117010.exe
      Filesize

      168KB

      MD5

      316c0c86c824f69bf2ac18f1d0a1c4bb

      SHA1

      8aedb6be0bb3f4a4273788c0512e465ed270b26f

      SHA256

      909f710405100f8249c9d8035b8f2378d8b0a5126f237ab8f2a65c74d72c272e

      SHA512

      b93607b0ffb9eb3d166914d3fe584af804ef132462713b4a3e16338745071d3cfd201a3f62c66c06e3ee770020f52c2d82203729e1c7b5291ceb6f4f63e16c70

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziah3595.exe
      Filesize

      501KB

      MD5

      5fcf00edf5ca89a156f40a59e8df3727

      SHA1

      ae63919c611748fa5ccdc4ab06a5668dd2f959a1

      SHA256

      e1488c8797500af980108e77690a50dbcef5d1d6c6faaceb77cc763d31effd66

      SHA512

      8d9c9a1b560f9c99c4abc19da000c75bce556d66415ed176d0f67af5aba3b580d6a03f5330899744d703ff62f348022e18820b52783c04a106f2c32e5247ae08

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr875184.exe
      Filesize

      11KB

      MD5

      7b0fbe84d3289ab5d4eafcdd03198943

      SHA1

      33709765de8f868a98ee45d7d3fe2c06b7477e50

      SHA256

      1aff1121f22fe59c0ef62b97752cfc01a3d9f2e81a70b1c25923f6396b93c941

      SHA512

      eba92b31ce02b2c9e0800392eebc5ddf587f6253c359cd4e0a02371e0a3dd0768aba70e3d2c582280b10e903a80e479d1a8fd2ed62c7e8d82678b8342a92abe1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku235661.exe
      Filesize

      424KB

      MD5

      15064b683eced1893ddd67d2d2d66c04

      SHA1

      223fa955d73d8377c6b9573da16ac2f05eb2ee67

      SHA256

      bf40521c2265b76bb02bc7fac3aeb5963b6a45c86624b03df7bb3389a49d396f

      SHA512

      23dde41f1415f1f97502ac4c99689e8ebaef89c16015eb5fe0277f5fbb5d177f34ad8c2c78521017f450ae4222bc37cdef5e0e7af98a1fd9e5f934640593d856

      Download Submit

    • C:\Windows\Temp\1.exe
      Filesize

      168KB

      MD5

      1073b2e7f778788852d3f7bb79929882

      SHA1

      7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

      SHA256

      c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

      SHA512

      90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

      Download Submit

    • memory/1284-2130-0x00000000030D0000-0x00000000030D6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1284-2129-0x0000000000F20000-0x0000000000F4E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3940-2118-0x0000000000480000-0x00000000004B0000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3940-2120-0x00000000054F0000-0x0000000005B08000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3940-2119-0x0000000000AA0000-0x0000000000AA6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3940-2124-0x0000000004ED0000-0x0000000004F1C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3940-2123-0x0000000004D60000-0x0000000004D9C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3940-2122-0x0000000004D00000-0x0000000004D12000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3940-2121-0x0000000004FE0000-0x00000000050EA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4508-15-0x0000000000CC0000-0x0000000000CCA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4508-16-0x00007FFCA4B73000-0x00007FFCA4B75000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4508-14-0x00007FFCA4B73000-0x00007FFCA4B75000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4760-66-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4760-42-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4760-80-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4760-78-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4760-76-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4760-74-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4760-72-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4760-70-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4760-68-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4760-85-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4760-64-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4760-60-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4760-58-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4760-56-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4760-54-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4760-52-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4760-50-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4760-48-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4760-46-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4760-82-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4760-38-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4760-36-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4760-34-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4760-32-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4760-30-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4760-62-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4760-86-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4760-88-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4760-40-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4760-28-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4760-24-0x00000000052F0000-0x0000000005356000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4760-23-0x0000000004D30000-0x00000000052D4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4760-22-0x0000000004CC0000-0x0000000004D26000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4760-44-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4760-26-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4760-25-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4760-2105-0x0000000005540000-0x0000000005572000-memory.dmp

      Filesize

      200KB

      Download