Overview

overview

10

Static

static

3

10726662c9...0a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    158s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-03-2024 17:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    10726662c90668d5ff3c16c71205e92180d1d3816cc2bcc2333d53b31f76ee0a.exe

  • Size

    548KB

  • MD5

    c08d894c88e77428d160bc7609cae245

  • SHA1

    4e4018a1cd85ac51521727f531cdb96f6611570d

  • SHA256

    10726662c90668d5ff3c16c71205e92180d1d3816cc2bcc2333d53b31f76ee0a

  • SHA512

    0552274fc22163bd946a8acb3c47de74c286a945920ffaa8c5cb9464d6793ab2bc6da4f9b07fbd46b670d34d2137394487b888c823b93b1689cc9b3aa3064e89

  • SSDEEP

    12288:lMrKy90IarhdLJuKabJLmU9QKGLbnCRsJnn3KxfD:/y9az11KgLbC0n3ID

Score
10/10
healerredlinerosndropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 18 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 18 IoCs
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\10726662c90668d5ff3c16c71205e92180d1d3816cc2bcc2333d53b31f76ee0a.exe
    "C:\Users\Admin\AppData\Local\Temp\10726662c90668d5ff3c16c71205e92180d1d3816cc2bcc2333d53b31f76ee0a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1844
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro7134.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro7134.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5060
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 1080
        3⤵
        • Program crash
        PID:1344
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu1886.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu1886.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3496
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5060 -ip 5060
    1⤵
      PID:2572

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro7134.exe
      Filesize

      291KB

      MD5

      9a8322ec69fd7093a5c385de30fde791

      SHA1

      e82b4cfbaf2ed207f1902df711f12d17bf361000

      SHA256

      405b6271cc7fd71d93c38c9195e39ddf406a2dbceb62866bf8f3a26eea952a54

      SHA512

      1a735bf24e32ea820b31212024ff68e1c257ece32dd8cab1bf843772d8e7d755696cd45e60865c41bd431dfae741a0b9ce557762f884b06cc82d90c0c9c25e3f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu1886.exe
      Filesize

      350KB

      MD5

      3a9013935dc8dbf2dc2058933e8e3702

      SHA1

      a06750885c4d09e6505b0ba96ce0b034ae899289

      SHA256

      ce11a188e394dc80b0395a2c9144102a7033f8ee820f81b162503ad32d69c406

      SHA512

      1c55f5dbed0e33b4ac5bf619590c615b3a7f97be4b902ffaffe7b760eb3f642aae9a5d823fa8877dff51741b6d0cbef6ea63a53ce9a80a74f0ddd03a22d15f6b

      Download Submit

    • memory/3496-84-0x0000000004D50000-0x0000000004D8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3496-96-0x0000000004D50000-0x0000000004D8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3496-987-0x0000000004E40000-0x0000000004E50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3496-986-0x0000000073BF0000-0x00000000743A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3496-985-0x0000000004E40000-0x0000000004E50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3496-63-0x00000000007F0000-0x000000000083B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3496-62-0x0000000002720000-0x0000000002766000-memory.dmp

      Filesize

      280KB

      Download

    • memory/3496-982-0x0000000000A40000-0x0000000000B40000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3496-980-0x0000000005DE0000-0x0000000005E2C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3496-64-0x0000000000400000-0x000000000071A000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/3496-979-0x0000000005C90000-0x0000000005CCC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3496-978-0x0000000004E40000-0x0000000004E50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3496-977-0x0000000005C70000-0x0000000005C82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3496-976-0x0000000005B30000-0x0000000005C3A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3496-975-0x0000000005500000-0x0000000005B18000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3496-100-0x0000000004D50000-0x0000000004D8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3496-98-0x0000000004D50000-0x0000000004D8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3496-66-0x0000000004E40000-0x0000000004E50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3496-94-0x0000000004D50000-0x0000000004D8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3496-92-0x0000000004D50000-0x0000000004D8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3496-90-0x0000000004D50000-0x0000000004D8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3496-88-0x0000000004D50000-0x0000000004D8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3496-86-0x0000000004D50000-0x0000000004D8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3496-82-0x0000000004D50000-0x0000000004D8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3496-80-0x0000000004D50000-0x0000000004D8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3496-78-0x0000000004D50000-0x0000000004D8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3496-76-0x0000000004D50000-0x0000000004D8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3496-74-0x0000000004D50000-0x0000000004D8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3496-72-0x0000000004D50000-0x0000000004D8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3496-69-0x0000000073BF0000-0x00000000743A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3496-70-0x0000000004D50000-0x0000000004D8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3496-67-0x0000000004E40000-0x0000000004E50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3496-68-0x0000000004D50000-0x0000000004D8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3496-61-0x0000000000A40000-0x0000000000B40000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3496-984-0x0000000004E40000-0x0000000004E50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3496-65-0x0000000004D50000-0x0000000004D94000-memory.dmp

      Filesize

      272KB

      Download

    • memory/5060-34-0x0000000004DE0000-0x0000000004DF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5060-18-0x0000000000400000-0x000000000070B000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/5060-14-0x0000000004ED0000-0x0000000005474000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/5060-9-0x00000000007E0000-0x000000000080D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/5060-56-0x0000000073BF0000-0x00000000743A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5060-54-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5060-53-0x0000000000400000-0x000000000070B000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/5060-52-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5060-51-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5060-50-0x0000000073BF0000-0x00000000743A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5060-48-0x0000000000A70000-0x0000000000B70000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/5060-46-0x0000000004DE0000-0x0000000004DF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5060-44-0x0000000004DE0000-0x0000000004DF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5060-8-0x0000000000A70000-0x0000000000B70000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/5060-42-0x0000000004DE0000-0x0000000004DF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5060-40-0x0000000004DE0000-0x0000000004DF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5060-38-0x0000000004DE0000-0x0000000004DF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5060-36-0x0000000004DE0000-0x0000000004DF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5060-10-0x0000000000400000-0x000000000070B000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/5060-32-0x0000000004DE0000-0x0000000004DF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5060-30-0x0000000004DE0000-0x0000000004DF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5060-28-0x0000000004DE0000-0x0000000004DF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5060-26-0x0000000004DE0000-0x0000000004DF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5060-24-0x0000000004DE0000-0x0000000004DF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5060-22-0x0000000004DE0000-0x0000000004DF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5060-20-0x0000000004DE0000-0x0000000004DF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5060-19-0x0000000004DE0000-0x0000000004DF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5060-17-0x0000000004DE0000-0x0000000004DF8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/5060-13-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5060-16-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5060-15-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5060-12-0x0000000073BF0000-0x00000000743A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5060-11-0x00000000025E0000-0x00000000025FA000-memory.dmp

      Filesize

      104KB

      Download