Overview

overview

10

Static

static

3

05b5ea59b9...7N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-11-2024 01:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    05b5ea59b90c94429e3d415b56a87331a50bd3a5f3c4b2174ddb19827fb3fb57N.exe

  • Size

    659KB

  • MD5

    2ae7a284faa420560fe8f11086949680

  • SHA1

    adb22427a48ef1db77bad81aae0922929b167728

  • SHA256

    05b5ea59b90c94429e3d415b56a87331a50bd3a5f3c4b2174ddb19827fb3fb57

  • SHA512

    230f3e2baf3bad3766f3c396fe8640a0c06f583f504149ead62271d54546fc06bee2127244790a2e6bfe0b7bd2f2e8d0ccbb2f630c5e56b3e4d525cf4f6f2b3e

  • SSDEEP

    12288:DMriy90sYaAvzgnZCd8rjGv/WbUdipYXHqw96p:By0LvzgZCdJvyUdipYXHHa

Score
10/10
healerredlinedizonnormdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

dizon

C2

77.91.124.145:4125

Attributes
  • auth_value

    047038ed6238aaee09c368831591e935

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\05b5ea59b90c94429e3d415b56a87331a50bd3a5f3c4b2174ddb19827fb3fb57N.exe
    "C:\Users\Admin\AppData\Local\Temp\05b5ea59b90c94429e3d415b56a87331a50bd3a5f3c4b2174ddb19827fb3fb57N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1608
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixJ2892.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixJ2892.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4356
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it824520.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it824520.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3396
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr452617.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr452617.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1912
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3968
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1524
          4⤵
          • Program crash
          PID:548
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kp464783.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kp464783.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2968
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1912 -ip 1912
    1⤵
      PID:4732

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kp464783.exe
      Filesize

      168KB

      MD5

      8eecb6f8baaf2454bc6669f848bd59d9

      SHA1

      a062da5a1bded7ef2a32d0f42f931166c5c1ea97

      SHA256

      a8136a4d250f19a6544650f7c0455ba9fe3485f78dec419b88afa6a2a1200324

      SHA512

      064bb11c6997377967948a36e15302d7b2c3ac6d623854590673bdc2eff911384a6b7848c41cf82999372cfb587e0529cc203a4c8937daeb4d2661c5d1e138af

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixJ2892.exe
      Filesize

      506KB

      MD5

      2784bb3a33d5a6b3ad190a87a0e627eb

      SHA1

      2c3d1824b8a161e5211cfde8f8fb0de8bb762dae

      SHA256

      02a83200d6a5b4f900cb832b0875e257d50252bd56862b654f02ad5e1ce677ea

      SHA512

      8651001a4c0b1289fd770f38a5b92b3a232048513c52d6eee442aca81c7a1af0b098241071339002891dd49068e029d8a333851633f0dc12a5ccb5e824be693c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it824520.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr452617.exe
      Filesize

      418KB

      MD5

      5eed8b4e85d2722cf82ac5f5f5a072f1

      SHA1

      407fe91293e63aaee5392d1eb04b32791b910275

      SHA256

      241defb2ab5c851f372bb764236a9ee4afd3283c343af93da86423637b667e5d

      SHA512

      87e3227e32417fcff2303e8c4b8d628eec1ea7b698da13feb120acda9178b77079bb6308de73ad75d96ef995e0736dd0bf4e7557d24e90d065afb7d921b3fb93

      Download Submit

    • C:\Windows\Temp\1.exe
      Filesize

      168KB

      MD5

      1073b2e7f778788852d3f7bb79929882

      SHA1

      7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

      SHA256

      c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

      SHA512

      90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

      Download Submit

    • memory/1912-56-0x00000000051B0000-0x000000000520F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1912-32-0x00000000051B0000-0x000000000520F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1912-24-0x00000000051B0000-0x0000000005216000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1912-25-0x00000000051B0000-0x000000000520F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1912-76-0x00000000051B0000-0x000000000520F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1912-58-0x00000000051B0000-0x000000000520F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1912-48-0x00000000051B0000-0x000000000520F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1912-88-0x00000000051B0000-0x000000000520F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1912-86-0x00000000051B0000-0x000000000520F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1912-84-0x00000000051B0000-0x000000000520F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1912-82-0x00000000051B0000-0x000000000520F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1912-46-0x00000000051B0000-0x000000000520F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1912-78-0x00000000051B0000-0x000000000520F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1912-74-0x00000000051B0000-0x000000000520F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1912-72-0x00000000051B0000-0x000000000520F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1912-70-0x00000000051B0000-0x000000000520F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1912-68-0x00000000051B0000-0x000000000520F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1912-66-0x00000000051B0000-0x000000000520F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1912-64-0x00000000051B0000-0x000000000520F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1912-62-0x00000000051B0000-0x000000000520F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1912-51-0x00000000051B0000-0x000000000520F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1912-22-0x0000000002420000-0x0000000002486000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1912-54-0x00000000051B0000-0x000000000520F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1912-52-0x00000000051B0000-0x000000000520F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1912-60-0x00000000051B0000-0x000000000520F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1912-23-0x0000000004C00000-0x00000000051A4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1912-80-0x00000000051B0000-0x000000000520F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1912-44-0x00000000051B0000-0x000000000520F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1912-42-0x00000000051B0000-0x000000000520F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1912-40-0x00000000051B0000-0x000000000520F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1912-38-0x00000000051B0000-0x000000000520F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1912-36-0x00000000051B0000-0x000000000520F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1912-34-0x00000000051B0000-0x000000000520F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1912-30-0x00000000051B0000-0x000000000520F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1912-28-0x00000000051B0000-0x000000000520F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1912-26-0x00000000051B0000-0x000000000520F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/1912-2105-0x00000000053F0000-0x0000000005422000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2968-2129-0x00000000005A0000-0x00000000005D0000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2968-2130-0x0000000000C60000-0x0000000000C66000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3396-14-0x00007FF900D63000-0x00007FF900D65000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3396-15-0x0000000000EB0000-0x0000000000EBA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3396-16-0x00007FF900D63000-0x00007FF900D65000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3968-2118-0x00000000003C0000-0x00000000003F0000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3968-2119-0x0000000000B70000-0x0000000000B76000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3968-2120-0x0000000005400000-0x0000000005A18000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3968-2121-0x0000000004EF0000-0x0000000004FFA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3968-2122-0x0000000004C20000-0x0000000004C32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3968-2123-0x0000000004C80000-0x0000000004CBC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3968-2124-0x0000000004DE0000-0x0000000004E2C000-memory.dmp

      Filesize

      304KB

      Download