Overview

overview

10

Static

static

3

0cc1d72ad0...10.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    178s
  • max time network
    195s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-04-2024 18:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0cc1d72ad0f5dbe199bcb7ccf8073ff9662358254b059f7e9391359dd69ae410.exe

  • Size

    689KB

  • MD5

    9c2d2d65e9a4499e90b4f36b688b778e

  • SHA1

    3dda6ca7c341eab0cce5fb8f72fc82de2379fe78

  • SHA256

    0cc1d72ad0f5dbe199bcb7ccf8073ff9662358254b059f7e9391359dd69ae410

  • SHA512

    eef0b089b4e3dfa7f71d7a71cdb0052b50d4332700e3c1469ed0fd43384fbd17da0f265f7d69dca290c9aed5696cd4dbddc83b79249e0a363f4a82f608724f59

  • SSDEEP

    12288:eMrmy90oWU2EyEZ18KU2PBUDIfUJlPOAeOxs1krf:cycU2rEZGKVPWD7JlPkIs6

Score
10/10
healerredlinerosndropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 17 IoCs
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0cc1d72ad0f5dbe199bcb7ccf8073ff9662358254b059f7e9391359dd69ae410.exe
    "C:\Users\Admin\AppData\Local\Temp\0cc1d72ad0f5dbe199bcb7ccf8073ff9662358254b059f7e9391359dd69ae410.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un460833.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un460833.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2448
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4858.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4858.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1804
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3563.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3563.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1616

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un460833.exe
    Filesize

    535KB

    MD5

    49b438e7a0267a4be444f3813f469b1b

    SHA1

    def27ee6bb3fafa8ebfc6cac51e5f659007e2e0e

    SHA256

    9d22ed9375a8e1bb6715f94027e7c5957322d197fbbf27c4b1a7e89dc6ff5113

    SHA512

    a4fd8f7ce7db877280331f31e26014cb71623c7e32ad160f98d1998e3990b161b2a6337fa99236626c49a7bab74e5030469e5f98f05445e6e4c5703538c5b4e9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4858.exe
    Filesize

    312KB

    MD5

    ea30b3777e9f5a69691d02a96b0a18c1

    SHA1

    5c74d770f650859756097247c30d12722bb4f874

    SHA256

    77f53d8da901f29778636d46db2203061c6c0a2157c6b027ccaad7a4bbb2b70e

    SHA512

    939904b57736e7ba32b368f1b1874cc478a6c8fc152c7b2d1730146dab9c44e0afe047a8b06ebacc715adc81002102f8d8fb856a79c634ef7301b41a5907a517

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3563.exe
    Filesize

    370KB

    MD5

    4f395c9c33d09c1f199b2512f3c31184

    SHA1

    08f83c7ffa12fc7f5cbeb618b37334d359936f13

    SHA256

    07f74d40cd0a9c4df52e09f47759f45a18ca43d05d249cd2ba660877cb44c9cf

    SHA512

    ed88c33507bafe82a88f4aa1e1a8def993efc6618e573ff219fdd1907c610261070d728cb3f0a57bfe7e4c36ea4036b1613dc1295e3347e9150f136e09734fdc

    Download Submit

  • memory/1616-92-0x0000000002AE0000-0x0000000002B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1616-98-0x0000000002AE0000-0x0000000002B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1616-990-0x0000000002BF0000-0x0000000002C00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1616-987-0x0000000002BF0000-0x0000000002C00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1616-988-0x0000000002BF0000-0x0000000002C00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1616-65-0x0000000000D60000-0x0000000000DAB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1616-986-0x0000000073E60000-0x0000000074610000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1616-985-0x0000000000AD0000-0x0000000000BD0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1616-982-0x0000000005DA0000-0x0000000005DEC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1616-981-0x0000000005C50000-0x0000000005C8C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1616-980-0x0000000002BF0000-0x0000000002C00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1616-979-0x0000000002D10000-0x0000000002D22000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1616-978-0x0000000002C00000-0x0000000002D0A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1616-68-0x0000000073E60000-0x0000000074610000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1616-977-0x0000000005630000-0x0000000005C48000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1616-102-0x0000000002AE0000-0x0000000002B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1616-100-0x0000000002AE0000-0x0000000002B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1616-70-0x0000000002BF0000-0x0000000002C00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1616-96-0x0000000002AE0000-0x0000000002B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1616-94-0x0000000002AE0000-0x0000000002B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1616-90-0x0000000002AE0000-0x0000000002B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1616-88-0x0000000002AE0000-0x0000000002B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1616-86-0x0000000002AE0000-0x0000000002B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1616-84-0x0000000002AE0000-0x0000000002B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1616-82-0x0000000002AE0000-0x0000000002B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1616-69-0x0000000002BF0000-0x0000000002C00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1616-80-0x0000000002AE0000-0x0000000002B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1616-78-0x0000000002AE0000-0x0000000002B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1616-76-0x0000000002AE0000-0x0000000002B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1616-63-0x00000000025C0000-0x0000000002606000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1616-64-0x0000000000AD0000-0x0000000000BD0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1616-66-0x0000000000400000-0x0000000000811000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/1616-74-0x0000000002AE0000-0x0000000002B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1616-71-0x0000000002AE0000-0x0000000002B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1616-72-0x0000000002AE0000-0x0000000002B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1616-67-0x0000000002AE0000-0x0000000002B24000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1804-41-0x0000000002920000-0x0000000002932000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1804-54-0x0000000000A70000-0x0000000000A9D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/1804-33-0x0000000002920000-0x0000000002932000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1804-21-0x0000000004E30000-0x0000000004E40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1804-16-0x0000000000A70000-0x0000000000A9D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/1804-58-0x0000000073E60000-0x0000000074610000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1804-57-0x0000000000400000-0x0000000000802000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1804-53-0x0000000000860000-0x0000000000960000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1804-52-0x0000000000400000-0x0000000000802000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1804-51-0x0000000002920000-0x0000000002932000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1804-49-0x0000000002920000-0x0000000002932000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1804-47-0x0000000002920000-0x0000000002932000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1804-15-0x0000000000860000-0x0000000000960000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1804-45-0x0000000002920000-0x0000000002932000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1804-43-0x0000000002920000-0x0000000002932000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1804-17-0x0000000000400000-0x0000000000802000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1804-39-0x0000000002920000-0x0000000002932000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1804-37-0x0000000002920000-0x0000000002932000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1804-35-0x0000000002920000-0x0000000002932000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1804-31-0x0000000002920000-0x0000000002932000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1804-29-0x0000000002920000-0x0000000002932000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1804-27-0x0000000002920000-0x0000000002932000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1804-25-0x0000000002920000-0x0000000002932000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1804-24-0x0000000002920000-0x0000000002932000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1804-23-0x0000000002920000-0x0000000002938000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1804-22-0x0000000004E40000-0x00000000053E4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1804-20-0x0000000073E60000-0x0000000074610000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1804-19-0x00000000025D0000-0x00000000025EA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1804-18-0x0000000000400000-0x0000000000802000-memory.dmp

    Filesize

    4.0MB

    Download