Overview

overview

10

Static

static

3

c18182adea...36.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 02:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c18182adea6595f05e2abad9b3f337140d09e9a863a8246d12d4c920d4e58436.exe

  • Size

    767KB

  • MD5

    258b12be8ce2630edd95e381aff07cb5

  • SHA1

    87dd0694cd1fd875d17fd91ef4d2cf84607911e5

  • SHA256

    c18182adea6595f05e2abad9b3f337140d09e9a863a8246d12d4c920d4e58436

  • SHA512

    f9b5103dcc5e00ac7c56fea89e891d8b12fde757140a702d94be53f14f95b6d02c43b371390a4ecf9167d31c3cb92e64851279eeda2a99b5b633829950fcd1ef

  • SSDEEP

    12288:ry90jh+S5ls4X5d8npIZC9m+JSlAsS8MoaYPn6agXHJfq+y:ry9S3s4JdhZC9m+YlApAJgXJC

Score
10/10
healerredlinedarkgenadiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

gena

C2

185.161.248.73:4164

Attributes
  • auth_value

    d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

dark

C2

185.161.248.73:4164

Attributes
  • auth_value

    ae85b01f66afe8770afeed560513fc2d

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c18182adea6595f05e2abad9b3f337140d09e9a863a8246d12d4c920d4e58436.exe
    "C:\Users\Admin\AppData\Local\Temp\c18182adea6595f05e2abad9b3f337140d09e9a863a8246d12d4c920d4e58436.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st793346.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st793346.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4144
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18839865.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18839865.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2336
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp676070.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp676070.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4208
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4800
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 1380
          4⤵
          • Program crash
          PID:3388
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr949110.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr949110.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4204
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4208 -ip 4208
    1⤵
      PID:1384
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start wuauserv
      1⤵
      • Launches sc.exe
      PID:4928

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr949110.exe
      Filesize

      170KB

      MD5

      1605ca38dccb0d823bbebf6cc4be38c2

      SHA1

      aa34c1095bf5de27b143af37179a021d035d5468

      SHA256

      9ee8576e2eabb4bd6d0b95cb8f4eb332ec92bc3d412eb5bd854187a2c947c5a6

      SHA512

      8f3d9fd718ede37075a90327e6d5bd7dfa7f09a6507ba555d2949ef7b1d9c60fdcfe7833722be917c25b3e54b18e9465514e8d21473998d686f6781768579551

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st793346.exe
      Filesize

      614KB

      MD5

      fb18c87ceec51ba4f2e0db1f8e3273c2

      SHA1

      a7ccdc747976acf9bff9dbc2e3c032cbda9e61e1

      SHA256

      702f5acffbcb084061610ad1f50a3d9aa0569d95f7ffe0669131ce4863d4e66a

      SHA512

      d5ec18150f7315dd999cfedfc69fd8c6c997d1c09afebec1159823046cc9184ef3465a5b24cea50979cae91e6424f7e331ef5e1eb4e0a0e7d8eef186baec4cd4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18839865.exe
      Filesize

      176KB

      MD5

      85e431f1a63c85e59c57d5fe96e450da

      SHA1

      9745c221879a1c73c27d5ebb2360d81e4a9be253

      SHA256

      b925a998cca04d5015c40fcff2fd6d9cac1e5ccfb487d0225d041d16c45bbef6

      SHA512

      24d262f3d77a342a28ada7d27e5a7f772d23b831d108955cc3f02ee94d7b331443f1c8bc777a2171337c9f5dc4650954b96ee20f7a8fc0230ac8dec486b2a356

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp676070.exe
      Filesize

      574KB

      MD5

      9a257d8c306adc43fd3aa2f3b14f5cc3

      SHA1

      2a98c7ac57624662a9ab4377adfe518fb183ebca

      SHA256

      e2a326e34b0c5db278f467b0ad47c27a264a96d6e77bbc03b567ee0483a4beec

      SHA512

      46b207798469f2c42a3a5b0bb749ca858b80a57e2c7ceaf6feb0c69e9bbac5303d6584f56822e37c18ff63df43df39999e44bb014ac70903ea72ea9c25a6476c

      Download Submit

    • C:\Windows\Temp\1.exe
      Filesize

      168KB

      MD5

      f16fb63d4e551d3808e8f01f2671b57e

      SHA1

      781153ad6235a1152da112de1fb39a6f2d063575

      SHA256

      8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

      SHA512

      fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

      Download Submit

    • memory/2336-14-0x000000007455E000-0x000000007455F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2336-15-0x0000000002240000-0x000000000225A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2336-16-0x0000000074550000-0x0000000074D00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2336-17-0x0000000004A50000-0x0000000004FF4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2336-18-0x0000000074550000-0x0000000074D00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2336-19-0x0000000004980000-0x0000000004998000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2336-47-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2336-45-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2336-43-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2336-41-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2336-39-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2336-37-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2336-35-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2336-33-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2336-31-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2336-29-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2336-27-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2336-25-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2336-23-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2336-21-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2336-20-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2336-48-0x000000007455E000-0x000000007455F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2336-49-0x0000000074550000-0x0000000074D00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2336-51-0x0000000074550000-0x0000000074D00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4204-2229-0x0000000005520000-0x0000000005526000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4204-2228-0x0000000000D40000-0x0000000000D70000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4208-74-0x0000000005580000-0x00000000055E0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/4208-91-0x0000000005580000-0x00000000055E0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/4208-71-0x0000000005580000-0x00000000055E0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/4208-93-0x0000000005580000-0x00000000055E0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/4208-69-0x0000000005580000-0x00000000055E0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/4208-90-0x0000000005580000-0x00000000055E0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/4208-87-0x0000000005580000-0x00000000055E0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/4208-85-0x0000000005580000-0x00000000055E0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/4208-84-0x0000000005580000-0x00000000055E0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/4208-81-0x0000000005580000-0x00000000055E0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/4208-79-0x0000000005580000-0x00000000055E0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/4208-67-0x0000000005580000-0x00000000055E0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/4208-75-0x0000000005580000-0x00000000055E0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/4208-56-0x0000000004CE0000-0x0000000004D48000-memory.dmp

      Filesize

      416KB

      Download

    • memory/4208-61-0x0000000005580000-0x00000000055E0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/4208-57-0x0000000005580000-0x00000000055E6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4208-77-0x0000000005580000-0x00000000055E0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/4208-65-0x0000000005580000-0x00000000055E0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/4208-63-0x0000000005580000-0x00000000055E0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/4208-59-0x0000000005580000-0x00000000055E0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/4208-58-0x0000000005580000-0x00000000055E0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/4208-2204-0x0000000005770000-0x00000000057A2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4800-2217-0x00000000002F0000-0x000000000031E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4800-2218-0x0000000002310000-0x0000000002316000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4800-2219-0x0000000005300000-0x0000000005918000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4800-2220-0x0000000004DF0000-0x0000000004EFA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4800-2221-0x0000000004C60000-0x0000000004C72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4800-2222-0x0000000004CE0000-0x0000000004D1C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4800-2223-0x0000000004D20000-0x0000000004D6C000-memory.dmp

      Filesize

      304KB

      Download