Overview

overview

10

Static

static

3

34206bb820...a8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    116s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-11-2024 04:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    34206bb8204852a1f187938ee4d59e672b4291f660290beb7fe664d15d5510a8.exe

  • Size

    496KB

  • MD5

    219896037575f09c1c0e0e379c479491

  • SHA1

    d5c26872ddbd254010d536773f0aacd7eb8897cd

  • SHA256

    34206bb8204852a1f187938ee4d59e672b4291f660290beb7fe664d15d5510a8

  • SHA512

    9d375f49d99a5ac110a609357bf5fe46e07ed8eeaf3cb3fd049d5a8ff6080afc9bf25de1e87560ccc9787c4bc93554ca76a10e88f0f6a8cfa6a51dd7115106e6

  • SSDEEP

    12288:HMrWy90sVsQmT8u9mK4fzPF3YU1pdw8um0FVP5:VyPVuIu9mK4fjF3Y4DumoVP5

Score
10/10
healerredlinenormdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 3 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\34206bb8204852a1f187938ee4d59e672b4291f660290beb7fe664d15d5510a8.exe
    "C:\Users\Admin\AppData\Local\Temp\34206bb8204852a1f187938ee4d59e672b4291f660290beb7fe664d15d5510a8.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3176
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr448285.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr448285.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3972
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku944527.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku944527.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4512
      • C:\Windows\Temp\1.exe
        "C:\Windows\Temp\1.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:352
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 1312
        3⤵
        • Program crash
        PID:4048
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4512 -ip 4512
    1⤵
      PID:644

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr448285.exe
      Filesize

      12KB

      MD5

      4edc5f5447ec10028c4cd5c94b8f9c28

      SHA1

      c43b5b72c214ef5c31cbc777fa325f91d692be22

      SHA256

      e94afc4f53415ac2feb6dda80d5820ec64f0af1a94781cd3c7e7743e31e7fa09

      SHA512

      a11426332ff00b0168b8c64c8d450d975d263a34d5733b28343db2a0ec36df9b780d6be57bafafef73804701e12040628cd193b559dd627916b57d443c5a3ac9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku944527.exe
      Filesize

      414KB

      MD5

      d8cd606404625d6f28bb982f7d8aed76

      SHA1

      13997033b3be64d5d1469fc727dd15283960f22c

      SHA256

      84d6a3f7dee986a0ff275a1950cbd50d569e20c7000cbb66416b4967a59baeb5

      SHA512

      424b8bae6a194de09ae5dae79ce73616f23f6c4524e869d5d4baf6992e0192dda5b45190fff016785351cd20e002910568a469b84e27db60c6f8cd466ab3c5f8

      Download Submit

    • C:\Windows\Temp\1.exe
      Filesize

      168KB

      MD5

      1073b2e7f778788852d3f7bb79929882

      SHA1

      7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

      SHA256

      c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

      SHA512

      90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

      Download Submit

    • memory/352-2120-0x0000000004D90000-0x0000000004DDC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/352-2115-0x0000000002650000-0x0000000002656000-memory.dmp

      Filesize

      24KB

      Download

    • memory/352-2116-0x0000000005310000-0x0000000005928000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/352-2114-0x0000000000360000-0x0000000000390000-memory.dmp

      Filesize

      192KB

      Download

    • memory/352-2119-0x0000000004D50000-0x0000000004D8C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/352-2118-0x0000000004CF0000-0x0000000004D02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/352-2117-0x0000000004E00000-0x0000000004F0A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3972-7-0x00007FF94BCB3000-0x00007FF94BCB5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3972-8-0x0000000000980000-0x000000000098A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3972-9-0x00007FF94BCB3000-0x00007FF94BCB5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4512-62-0x0000000004C20000-0x0000000004C7F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4512-44-0x0000000004C20000-0x0000000004C7F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4512-32-0x0000000004C20000-0x0000000004C7F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4512-36-0x0000000004C20000-0x0000000004C7F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4512-84-0x0000000004C20000-0x0000000004C7F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4512-82-0x0000000004C20000-0x0000000004C7F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4512-78-0x0000000004C20000-0x0000000004C7F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4512-76-0x0000000004C20000-0x0000000004C7F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4512-74-0x0000000004C20000-0x0000000004C7F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4512-72-0x0000000004C20000-0x0000000004C7F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4512-70-0x0000000004C20000-0x0000000004C7F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4512-66-0x0000000004C20000-0x0000000004C7F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4512-64-0x0000000004C20000-0x0000000004C7F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4512-19-0x0000000004CE0000-0x0000000005284000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4512-60-0x0000000004C20000-0x0000000004C7F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4512-58-0x0000000004C20000-0x0000000004C7F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4512-56-0x0000000004C20000-0x0000000004C7F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4512-52-0x0000000004C20000-0x0000000004C7F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4512-50-0x0000000004C20000-0x0000000004C7F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4512-48-0x0000000004C20000-0x0000000004C7F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4512-46-0x0000000004C20000-0x0000000004C7F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4512-20-0x0000000004C20000-0x0000000004C86000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4512-42-0x0000000004C20000-0x0000000004C7F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4512-40-0x0000000004C20000-0x0000000004C7F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4512-38-0x0000000004C20000-0x0000000004C7F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4512-34-0x0000000004C20000-0x0000000004C7F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4512-30-0x0000000004C20000-0x0000000004C7F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4512-28-0x0000000004C20000-0x0000000004C7F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4512-26-0x0000000004C20000-0x0000000004C7F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4512-24-0x0000000004C20000-0x0000000004C7F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4512-80-0x0000000004C20000-0x0000000004C7F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4512-68-0x0000000004C20000-0x0000000004C7F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4512-18-0x00000000025D0000-0x0000000002636000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4512-17-0x0000000000400000-0x000000000045E000-memory.dmp

      Filesize

      376KB

      Download

    • memory/4512-16-0x0000000000600000-0x000000000065B000-memory.dmp

      Filesize

      364KB

      Download

    • memory/4512-15-0x0000000000800000-0x0000000000900000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/4512-54-0x0000000004C20000-0x0000000004C7F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4512-22-0x0000000004C20000-0x0000000004C7F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4512-21-0x0000000004C20000-0x0000000004C7F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4512-2101-0x0000000005400000-0x0000000005432000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4512-2123-0x0000000000400000-0x000000000045E000-memory.dmp

      Filesize

      376KB

      Download

    • memory/4512-2122-0x0000000000600000-0x000000000065B000-memory.dmp

      Filesize

      364KB

      Download