Overview

overview

10

Static

static

3

56172f7742...12.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-11-2024 22:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    56172f7742a5588ac0eb99851777f9fd0eb81bf1f50e921c1baa9e71eee7ab12.exe

  • Size

    660KB

  • MD5

    aad54e4e8a808723f7e950b32eac6e82

  • SHA1

    add53241bda9e1e761ea84c24363de8fd16b1b22

  • SHA256

    56172f7742a5588ac0eb99851777f9fd0eb81bf1f50e921c1baa9e71eee7ab12

  • SHA512

    c09c29eedd9d70c7c96d9a0b192fa9b26e62a5db1331cff3d0218b27ed8e537ee2f4b1ae728bfe9b2bcf0dee9cbf69052bc396f681a20b455426052600025294

  • SSDEEP

    12288:jMrYy908w6QR81XZp2fQyF+mmnXTskUb5c4Yo4hzUxUUJNZ54:Xy6fdFsXTJwcmKUxUCn54

Score
10/10
healerredlinedoztnormdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

dozt

C2

77.91.124.145:4125

Attributes
  • auth_value

    857bdfe4fa14711025859d89f18b32cb

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\56172f7742a5588ac0eb99851777f9fd0eb81bf1f50e921c1baa9e71eee7ab12.exe
    "C:\Users\Admin\AppData\Local\Temp\56172f7742a5588ac0eb99851777f9fd0eb81bf1f50e921c1baa9e71eee7ab12.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1368
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQW1673.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQW1673.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3032
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr565217.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr565217.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:556
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku033492.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku033492.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1304
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:6244
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 1384
          4⤵
          • Program crash
          PID:5332
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr309586.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr309586.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:6280
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1304 -ip 1304
    1⤵
      PID:5380

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr309586.exe
      Filesize

      169KB

      MD5

      37e944fe7d4858abe1de2d8824c69693

      SHA1

      d3b6df8377115f0be7f7b8277825dd221b8d1778

      SHA256

      2cf93dec709f7931db0ba7a99a01ddecbe5e77a8dc4d0e6c4db3624eab2c883c

      SHA512

      183a4271c3a65e990e02efa2b5245c7eea7657438a8b430b7121d7f61795cb5622aae4aecfa80c786c2722701dca93a78ab64e3acfc5c42e45f6dbd3c6434718

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQW1673.exe
      Filesize

      506KB

      MD5

      818468cea5075bf82ea4e1dd050162bb

      SHA1

      b9f7e42ecba83d229341a5b52fe5614d50743030

      SHA256

      affd10cb64e7972e593d72412c2837015827ca6517027b5e5c3e65b63bbfb74d

      SHA512

      8d1274f95956bd99574337811d0c2467893a7b3237f4b7a665b5b24560df69b623358797c5639bfa9aa24476b33d7c24dac1e13a528a64cedddd910bfda58d04

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr565217.exe
      Filesize

      13KB

      MD5

      eb076c960658dcda13a21fbcc848ff38

      SHA1

      554f452f6e0bba9b465a88e16cf26b993ba8fa89

      SHA256

      8c2f60419e662d80a6df6a6e1760d1a890ad3f7fe82e291599a4b89ec67637c3

      SHA512

      a664f7d8d512aa806fbcfdf94bd657943bcb07ec7a444ff87c5b2fc8b985ff152aa08b87c654a678bd843393516a7355e5e7adede44b2a759a297b27fdbad0bb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku033492.exe
      Filesize

      426KB

      MD5

      b5c14f1347dcb62a98e95ec7f6d63dbb

      SHA1

      3479379233d0d2f9c40a0d4d55d828fda6243a17

      SHA256

      816ea65a67b18efff06abd318e40678af76cd5cb8b6d702a0570dcf52de09114

      SHA512

      f0ec440f165b8f9cde964f4a0f4f8897b60046f3d970cc289246ee3b318d3ef50540bc8ca55ee3107788e02c00b546f210078ca738109539e2bc6a992da62200

      Download Submit

    • C:\Windows\Temp\1.exe
      Filesize

      168KB

      MD5

      1073b2e7f778788852d3f7bb79929882

      SHA1

      7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

      SHA256

      c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

      SHA512

      90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

      Download Submit

    • memory/556-14-0x00007FF8CDA43000-0x00007FF8CDA45000-memory.dmp

      Filesize

      8KB

      Download

    • memory/556-15-0x0000000000A00000-0x0000000000A0A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/556-16-0x00007FF8CDA43000-0x00007FF8CDA45000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1304-22-0x0000000002690000-0x00000000026F6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1304-23-0x0000000004E10000-0x00000000053B4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1304-24-0x0000000004C40000-0x0000000004CA6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1304-28-0x0000000004C40000-0x0000000004C9F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1304-26-0x0000000004C40000-0x0000000004C9F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1304-25-0x0000000004C40000-0x0000000004C9F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1304-34-0x0000000004C40000-0x0000000004C9F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1304-84-0x0000000004C40000-0x0000000004C9F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1304-83-0x0000000004C40000-0x0000000004C9F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1304-80-0x0000000004C40000-0x0000000004C9F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1304-78-0x0000000004C40000-0x0000000004C9F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1304-76-0x0000000004C40000-0x0000000004C9F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1304-74-0x0000000004C40000-0x0000000004C9F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1304-70-0x0000000004C40000-0x0000000004C9F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1304-68-0x0000000004C40000-0x0000000004C9F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1304-66-0x0000000004C40000-0x0000000004C9F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1304-62-0x0000000004C40000-0x0000000004C9F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1304-60-0x0000000004C40000-0x0000000004C9F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1304-58-0x0000000004C40000-0x0000000004C9F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1304-54-0x0000000004C40000-0x0000000004C9F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1304-52-0x0000000004C40000-0x0000000004C9F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1304-50-0x0000000004C40000-0x0000000004C9F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1304-48-0x0000000004C40000-0x0000000004C9F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1304-46-0x0000000004C40000-0x0000000004C9F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1304-44-0x0000000004C40000-0x0000000004C9F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1304-42-0x0000000004C40000-0x0000000004C9F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1304-40-0x0000000004C40000-0x0000000004C9F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1304-38-0x0000000004C40000-0x0000000004C9F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1304-36-0x0000000004C40000-0x0000000004C9F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1304-32-0x0000000004C40000-0x0000000004C9F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1304-30-0x0000000004C40000-0x0000000004C9F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1304-88-0x0000000004C40000-0x0000000004C9F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1304-86-0x0000000004C40000-0x0000000004C9F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1304-72-0x0000000004C40000-0x0000000004C9F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1304-64-0x0000000004C40000-0x0000000004C9F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1304-56-0x0000000004C40000-0x0000000004C9F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1304-2105-0x0000000005550000-0x0000000005582000-memory.dmp

      Filesize

      200KB

      Download

    • memory/6244-2118-0x0000000000B70000-0x0000000000BA0000-memory.dmp

      Filesize

      192KB

      Download

    • memory/6244-2119-0x0000000005390000-0x0000000005396000-memory.dmp

      Filesize

      24KB

      Download

    • memory/6244-2120-0x0000000005B90000-0x00000000061A8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/6244-2121-0x0000000005680000-0x000000000578A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/6244-2122-0x00000000053E0000-0x00000000053F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/6244-2123-0x0000000005570000-0x00000000055AC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/6244-2124-0x00000000055B0000-0x00000000055FC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/6280-2129-0x00000000005D0000-0x0000000000600000-memory.dmp

      Filesize

      192KB

      Download

    • memory/6280-2130-0x0000000000EE0000-0x0000000000EE6000-memory.dmp

      Filesize

      24KB

      Download