Overview

overview

10

Static

static

3

179179c68d...fd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 02:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    179179c68d94ae69e843265e97b829eb2ead32da83c786bbcb76483e59474dfd.exe

  • Size

    660KB

  • MD5

    edfddd0eab2af2e47920d6ec1a8ddc71

  • SHA1

    1766887dc2ea985c328b48739307b8289b062c87

  • SHA256

    179179c68d94ae69e843265e97b829eb2ead32da83c786bbcb76483e59474dfd

  • SHA512

    28ef36d7e9ea2277839e1bde483cc127b994957dffe8982dadfdaddbfc21c3376a73332fd050fc29475bd3268427e2073b7d2035c2471276db02d207b0a4a8f5

  • SSDEEP

    12288:gMr3y90Sjj5zmEUTkASJ7h9OFeOo4QgnkJGbcZWQoIraF9OBGXcGWZ:Hy3sySTT1AGbcZ3SLxslZ

Score
10/10
healerredlinedroznormdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

droz

C2

77.91.124.145:4125

Attributes
  • auth_value

    d099adf6dbf6ccb8e16967104280634a

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\179179c68d94ae69e843265e97b829eb2ead32da83c786bbcb76483e59474dfd.exe
    "C:\Users\Admin\AppData\Local\Temp\179179c68d94ae69e843265e97b829eb2ead32da83c786bbcb76483e59474dfd.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4040
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zisg1007.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zisg1007.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4620
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr358342.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr358342.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1788
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku520122.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku520122.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4200
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:476
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 1376
          4⤵
          • Program crash
          PID:5804
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr604017.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr604017.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4168
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4200 -ip 4200
    1⤵
      PID:5584
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start wuauserv
      1⤵
      • Launches sc.exe
      PID:5728

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr604017.exe
      Filesize

      168KB

      MD5

      9dacfe99bd2e423ac26c9204007d3c56

      SHA1

      ee58328a6bcf19db3dc2a25515a54691a0955ccd

      SHA256

      d0ca4b693dd8aeea2bd19cf27eaa10fee9d2d4498fc023e4f9dc6b90009f33fb

      SHA512

      ac1f0f9ea3240db7c5f6d4054bb2b9d5fedb46e4bea04e8b2d1767083189c5d604d698f63d098ca39dd75086317ca88564652e87e61f81dbccd029b29fadf74a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zisg1007.exe
      Filesize

      507KB

      MD5

      7e4fa6745ce518d4dfb9337a29b07d9a

      SHA1

      ccf63f91ec98e855b704cd599641af0fe215ea26

      SHA256

      f4ce776cbbfdfcfbc5f083bb4ae05e6bb8b30ef45b07e6ab325f73a7c957a94c

      SHA512

      239b4fb333e6db0357f859bb1223f58b310db09fa4c13ea09efe9800ac6530268c6e2653ec7fe4007666059f7edf5ad73e2fdf58b708148ab0a473011764b091

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr358342.exe
      Filesize

      14KB

      MD5

      b516526c6da6f8f5d12892e2cb223888

      SHA1

      09dcc30c84751a4bdc74bf998324a5045c72d611

      SHA256

      4b3921aaede4b1a4b79819975ed1122824864bf230669f0631e255715c8042f7

      SHA512

      b687d2fb6c52335562c652b2b1ef5a0b71ebd282010150134aba1bdcec115f7869778048701af237de45f3f1daa84bab493d3f2e866b090d855f33f0114d565d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku520122.exe
      Filesize

      426KB

      MD5

      06e51203f9f4a6a416852e7cae549c4b

      SHA1

      68c6b361fe1e827c6573b4f420646ace586defb1

      SHA256

      393e6099da0c312e913ff78cd32ffdce7b4636098dea031ebc5583e69599ba68

      SHA512

      294db78b470318b7980eebf516f9b884e24acaa5e5155711910dec7aa33268d99f9023ca192e8c966f39b8cd3b4dc7f73fff105e1329c3f0e9c205c7443d58d5

      Download Submit

    • C:\Windows\Temp\1.exe
      Filesize

      168KB

      MD5

      1073b2e7f778788852d3f7bb79929882

      SHA1

      7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

      SHA256

      c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

      SHA512

      90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

      Download Submit

    • memory/476-2118-0x00000000002A0000-0x00000000002D0000-memory.dmp

      Filesize

      192KB

      Download

    • memory/476-2120-0x0000000005220000-0x0000000005838000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/476-2119-0x0000000004B80000-0x0000000004B86000-memory.dmp

      Filesize

      24KB

      Download

    • memory/476-2124-0x0000000004E20000-0x0000000004E6C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/476-2123-0x0000000004C80000-0x0000000004CBC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/476-2122-0x0000000004C20000-0x0000000004C32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/476-2121-0x0000000004D10000-0x0000000004E1A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1788-14-0x00007FFCB57A3000-0x00007FFCB57A5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1788-15-0x0000000000990000-0x000000000099A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1788-16-0x00007FFCB57A3000-0x00007FFCB57A5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4168-2130-0x0000000002420000-0x0000000002426000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4168-2129-0x0000000000190000-0x00000000001BE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4200-66-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4200-42-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4200-80-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4200-78-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4200-76-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4200-74-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4200-72-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4200-70-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4200-68-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4200-84-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4200-60-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4200-58-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4200-56-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4200-55-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4200-52-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4200-50-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4200-48-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4200-46-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4200-44-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4200-82-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4200-40-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4200-38-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4200-36-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4200-34-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4200-32-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4200-28-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4200-86-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4200-88-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4200-62-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4200-64-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4200-24-0x00000000052F0000-0x0000000005356000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4200-23-0x0000000004D30000-0x00000000052D4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4200-22-0x0000000004CC0000-0x0000000004D26000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4200-30-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4200-26-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4200-25-0x00000000052F0000-0x000000000534F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4200-2105-0x0000000005540000-0x0000000005572000-memory.dmp

      Filesize

      200KB

      Download