Overview

overview

10

Static

static

3

d9e189693f...e1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-03-2024 01:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d9e189693f51b8451e208914996fdff88faa733a2e23e5d53235153d745dcfe1.exe

  • Size

    666KB

  • MD5

    1deac687b6874a859a92c617d67ad5b7

  • SHA1

    a7774936595b5993c1487c2383e844e9a0263c3d

  • SHA256

    d9e189693f51b8451e208914996fdff88faa733a2e23e5d53235153d745dcfe1

  • SHA512

    d283ba11dc4052b61cfe329d51d5712ff6c6717751560245ef4159f8929cb41d8673e22337600d6119ff4ef5510aa133bcf5c47bbc768c22742f5ab2d081756d

  • SSDEEP

    12288:6MrSy90suTShb8NOE2pLqd/oBht5Yque2QuSqDVbuLvszBCyBR:IyiTShb8NOpwoBhPYnziCbu8CyBR

Score
10/10
healerredlinerouchdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rouch

C2

193.56.146.11:4162

Attributes
  • auth_value

    1b1735bcfc122c708eae27ca352568de

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9e189693f51b8451e208914996fdff88faa733a2e23e5d53235153d745dcfe1.exe
    "C:\Users\Admin\AppData\Local\Temp\d9e189693f51b8451e208914996fdff88faa733a2e23e5d53235153d745dcfe1.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3412
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plnP35rX27.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plnP35rX27.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1604
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bunm10bX23.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bunm10bX23.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4416
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cada92qb54.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cada92qb54.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:5064

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plnP35rX27.exe
    Filesize

    391KB

    MD5

    1ffdf2d6bd53b27c4081eb2ef266bea0

    SHA1

    e3e766d89f05b468d2564755ee3506d185111dc1

    SHA256

    145ed14eec0d30180652d65ee791602dccef14e8b6e88b50e5dfca8b60aa873a

    SHA512

    8cdedc28f72383df6ceda05de4d0257f342718067daf83e5e9d15604b36f262d8f04653532a58ed015ff6f3cc10841100021792f137e38980f08a980f103567d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bunm10bX23.exe
    Filesize

    11KB

    MD5

    f76d83503cb250e7a5afeebdd89ff9a2

    SHA1

    0ace56269b9834ba4caaaa11e2e720eefd47f250

    SHA256

    97712250d663bd2b4e2f93437c9d70e8e593c2192f663f9d086da9fa21387ab1

    SHA512

    f251d38feb1f74742c56fa213ec8fea6fbbe7f3bdafee9d2ad691a8a9ca5cafb7ea09a6e57012d6c0193e68e91b24fc68c1c0f45fe570b5b2840b43270843f43

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cada92qb54.exe
    Filesize

    304KB

    MD5

    fc9d1d13726797f824009a1594b5a9c3

    SHA1

    447b53284c76edef32a942621ad7fdfd0f3ce704

    SHA256

    872ecd8396e50afecfef2ee302850acfcf722f27323f6a10417061c8045c6276

    SHA512

    e152fe5fd78221773fb50203a7d48216dac92a5d1df3bbd65d6150d681f4e1ef4a0ab78ddc038bf3c6cbe85d57ccedab901911b4b5fa9489ed4e9435d5021729

    Download Submit

  • memory/4416-14-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4416-15-0x00007FF828BE0000-0x00007FF8296A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4416-17-0x00007FF828BE0000-0x00007FF8296A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5064-22-0x0000000000750000-0x0000000000850000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/5064-23-0x0000000000700000-0x000000000074B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/5064-24-0x0000000000400000-0x0000000000590000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/5064-26-0x00000000742B0000-0x0000000074A60000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5064-25-0x0000000002450000-0x0000000002496000-memory.dmp

    Filesize

    280KB

    Download

  • memory/5064-27-0x0000000002680000-0x0000000002690000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5064-28-0x0000000002680000-0x0000000002690000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5064-29-0x0000000002680000-0x0000000002690000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5064-30-0x0000000004CD0000-0x0000000005274000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5064-31-0x0000000002610000-0x0000000002654000-memory.dmp

    Filesize

    272KB

    Download

  • memory/5064-32-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5064-33-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5064-35-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5064-37-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5064-39-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5064-41-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5064-43-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5064-45-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5064-47-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5064-49-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5064-51-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5064-53-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5064-55-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5064-57-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5064-59-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5064-61-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5064-63-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5064-65-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5064-67-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5064-69-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5064-71-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5064-73-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5064-75-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5064-77-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5064-79-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5064-81-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5064-83-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5064-85-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5064-87-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5064-89-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5064-91-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5064-93-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5064-95-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5064-938-0x0000000005380000-0x0000000005998000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/5064-939-0x00000000059A0000-0x0000000005AAA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/5064-940-0x0000000002680000-0x0000000002690000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5064-941-0x0000000005AE0000-0x0000000005AF2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5064-942-0x0000000005B00000-0x0000000005B3C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/5064-943-0x0000000005C90000-0x0000000005CDC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/5064-945-0x0000000000750000-0x0000000000850000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/5064-946-0x0000000000400000-0x0000000000590000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/5064-947-0x00000000742B0000-0x0000000074A60000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5064-949-0x0000000002680000-0x0000000002690000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5064-950-0x0000000002680000-0x0000000002690000-memory.dmp

    Filesize

    64KB

    Download