Overview

overview

10

Static

static

3

7dcde2b51a...23.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 01:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7dcde2b51af7cf5e6e0f14e62c9165e6682ce7f0700dc90b8629754436ee6d23.exe

  • Size

    922KB

  • MD5

    b2534bd420cbfbe94a576764b70aa317

  • SHA1

    0ace5dc147490e96d49dbacfa7a0d22368e0e56b

  • SHA256

    7dcde2b51af7cf5e6e0f14e62c9165e6682ce7f0700dc90b8629754436ee6d23

  • SHA512

    4ab0cb3efd1c418f659510a6c5879964202faac886e835a46bf0a53f337dc079e7557f19b44afa39515365c41889f520bee4333d42c99cbda03c8bb4388bd01a

  • SSDEEP

    24576:gyvFvPLj7jGrIO4VlPwavgHl1VmNdOXOZGy5y:n9v37jq4VlwAgHkd6OZl

Score
10/10
healerredlinedizonnormdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

dizon

C2

77.91.124.145:4125

Attributes
  • auth_value

    047038ed6238aaee09c368831591e935

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7dcde2b51af7cf5e6e0f14e62c9165e6682ce7f0700dc90b8629754436ee6d23.exe
    "C:\Users\Admin\AppData\Local\Temp\7dcde2b51af7cf5e6e0f14e62c9165e6682ce7f0700dc90b8629754436ee6d23.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:744
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIu7360.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIu7360.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4640
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziGZ8324.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziGZ8324.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4196
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it585452.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it585452.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4768
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr883228.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr883228.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3404
          • C:\Windows\Temp\1.exe
            "C:\Windows\Temp\1.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:5028
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 1368
            5⤵
            • Program crash
            PID:928
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp326092.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp326092.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1804
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3404 -ip 3404
    1⤵
      PID:1708

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIu7360.exe
      Filesize

      659KB

      MD5

      b750438538ba8fa627aa72b44c1174a1

      SHA1

      e2255b76a1295d3ee73c7d5dc157215ac33be766

      SHA256

      8919ac4326b2d96eb25e62a3df93e905673fa4379ab9847266cb98dcf879363c

      SHA512

      a1110e68d683b921250de62b08abfaa0198cb6b66d914381be1cb820ade69dc95401061d9e928077b13cddc30f18354e3eaa177513b7bf7ddd0ff6bf1fa9fa35

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp326092.exe
      Filesize

      168KB

      MD5

      8eecb6f8baaf2454bc6669f848bd59d9

      SHA1

      a062da5a1bded7ef2a32d0f42f931166c5c1ea97

      SHA256

      a8136a4d250f19a6544650f7c0455ba9fe3485f78dec419b88afa6a2a1200324

      SHA512

      064bb11c6997377967948a36e15302d7b2c3ac6d623854590673bdc2eff911384a6b7848c41cf82999372cfb587e0529cc203a4c8937daeb4d2661c5d1e138af

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziGZ8324.exe
      Filesize

      506KB

      MD5

      bc18c51d142236f73d6bb2461b21b9b5

      SHA1

      aaa619fdf05f93a7c0cf49d3485f966960415464

      SHA256

      a186b430458268a1d163608f15f12f38a2e24768ec94915c0b1fac1d72492e3a

      SHA512

      41edec28739a5c0fc3e70ca96ed9d599ca9347f1b97d028b55ff619af110dc899241deb6cbe719a711fa7fe1c519d4601d53cb041a78adfee001894ce76ad49b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it585452.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr883228.exe
      Filesize

      418KB

      MD5

      5fc4ae000420519b262af4de36c18220

      SHA1

      07c2dc7ddd9db1ecf683aa4ec0981fb526b468ff

      SHA256

      015a672c5562dcfc8cad5164cc7b24808e27b2752c45265580ffb087dc0fa082

      SHA512

      fc3782a5769598a19ba7dbd86a93d7282db7814d8b4c95dded758a389303f400510fec9c8fa296c12e1a3e4fcc081b55c5ae5cfcc7455fe13f31a851b9cf1849

      Download Submit

    • C:\Windows\Temp\1.exe
      Filesize

      168KB

      MD5

      1073b2e7f778788852d3f7bb79929882

      SHA1

      7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

      SHA256

      c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

      SHA512

      90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

      Download Submit

    • memory/1804-2137-0x00000000055F0000-0x00000000055F6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1804-2136-0x0000000000DD0000-0x0000000000E00000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3404-63-0x0000000005380000-0x00000000053DF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3404-53-0x0000000005380000-0x00000000053DF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3404-32-0x0000000005380000-0x00000000053DF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3404-47-0x0000000005380000-0x00000000053DF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3404-95-0x0000000005380000-0x00000000053DF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3404-93-0x0000000005380000-0x00000000053DF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3404-91-0x0000000005380000-0x00000000053DF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3404-89-0x0000000005380000-0x00000000053DF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3404-87-0x0000000005380000-0x00000000053DF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3404-85-0x0000000005380000-0x00000000053DF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3404-81-0x0000000005380000-0x00000000053DF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3404-79-0x0000000005380000-0x00000000053DF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3404-77-0x0000000005380000-0x00000000053DF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3404-75-0x0000000005380000-0x00000000053DF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3404-73-0x0000000005380000-0x00000000053DF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3404-71-0x0000000005380000-0x00000000053DF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3404-67-0x0000000005380000-0x00000000053DF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3404-65-0x0000000005380000-0x00000000053DF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3404-31-0x0000000005380000-0x00000000053E6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3404-61-0x0000000005380000-0x00000000053DF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3404-59-0x0000000005380000-0x00000000053DF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3404-57-0x0000000005380000-0x00000000053DF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3404-55-0x0000000005380000-0x00000000053DF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3404-33-0x0000000005380000-0x00000000053DF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3404-51-0x0000000005380000-0x00000000053DF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3404-45-0x0000000005380000-0x00000000053DF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3404-43-0x0000000005380000-0x00000000053DF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3404-41-0x0000000005380000-0x00000000053DF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3404-39-0x0000000005380000-0x00000000053DF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3404-37-0x0000000005380000-0x00000000053DF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3404-35-0x0000000005380000-0x00000000053DF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3404-83-0x0000000005380000-0x00000000053DF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3404-69-0x0000000005380000-0x00000000053DF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3404-49-0x0000000005380000-0x00000000053DF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3404-2112-0x0000000005550000-0x0000000005582000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3404-29-0x0000000002760000-0x00000000027C6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3404-30-0x0000000004DD0000-0x0000000005374000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4768-23-0x00007FFEC6423000-0x00007FFEC6425000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4768-22-0x0000000000C30000-0x0000000000C3A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4768-21-0x00007FFEC6423000-0x00007FFEC6425000-memory.dmp

      Filesize

      8KB

      Download

    • memory/5028-2125-0x00000000009E0000-0x0000000000A10000-memory.dmp

      Filesize

      192KB

      Download

    • memory/5028-2126-0x00000000052C0000-0x00000000052C6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/5028-2127-0x0000000005970000-0x0000000005F88000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/5028-2128-0x0000000005460000-0x000000000556A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/5028-2129-0x0000000005370000-0x0000000005382000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5028-2130-0x00000000053D0000-0x000000000540C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/5028-2131-0x0000000005410000-0x000000000545C000-memory.dmp

      Filesize

      304KB

      Download