Overview

overview

10

Static

static

3

8cf9ccd6da...d9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 00:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8cf9ccd6da36205ee83da0b0a5e7f6cc91d5bf077df572fab6e7109ae76cd4d9.exe

  • Size

    478KB

  • MD5

    56cbda6826023f3af9c6781e81eb5eb2

  • SHA1

    da2db737b6856bd7495fd7f4965f1ad7c1608c35

  • SHA256

    8cf9ccd6da36205ee83da0b0a5e7f6cc91d5bf077df572fab6e7109ae76cd4d9

  • SHA512

    98230f7393443acef809e5696e74cd194dd63cfbbb5d7cb3b8751d19d0ddc991299da2809cc4462249cc4b3c1ef578b6be44e5b79a87ae6dd8bb4b26bd571316

  • SSDEEP

    12288:CMrmy905CjTVLGuS5c1u31pTHoaPH+yvN5GOMU:gyB5Lj2XTTI8+iNUy

Score
10/10
healerredlinedumuddropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes
  • auth_value

    3e18d4b90418aa3e78d8822e87c62f5c

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 17 IoCs
  • Detects executables packed with ConfuserEx Mod 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8cf9ccd6da36205ee83da0b0a5e7f6cc91d5bf077df572fab6e7109ae76cd4d9.exe
    "C:\Users\Admin\AppData\Local\Temp\8cf9ccd6da36205ee83da0b0a5e7f6cc91d5bf077df572fab6e7109ae76cd4d9.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2529164.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2529164.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2996
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0666833.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0666833.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4100
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1131425.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1131425.exe
        3⤵
        • Executes dropped EXE
        PID:3616

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2529164.exe
    Filesize

    307KB

    MD5

    9c6160862fa8560e45fccebe7fb58749

    SHA1

    69f4d61cc56957de57ee17332d1c3b36afd0508b

    SHA256

    f582bfe6cadebe2a797a4b134f1216b50b186386654a9a2f3b781a9174ff8aa4

    SHA512

    f32f637ac847e32801d1aa0f3838fdb318a8479b3b3b129a7fe23054f2e473f133c3d28d84bf9e379319ac6d6bf037e34eabfe1340973dc7a8430fc7351253d8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0666833.exe
    Filesize

    180KB

    MD5

    1ef1ec54bc58c2e7abd5db51dc8dc7d7

    SHA1

    ef792db55d8bcf599bfe29403efe00a1d83da1fd

    SHA256

    d4c37587c865d0bffc9df10e1a538a5f3df434e8df6b287a69d44904d3d3e7a7

    SHA512

    6c617dfc2d07d89354a23d6df8504dffd8ee6655a1f06d1e5d62099494b3810274e835bff7ab68f8c37ef2044436ac2b1b57a226e8d48e4148c0e9dbfd55a5ac

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1131425.exe
    Filesize

    168KB

    MD5

    9dec018dfb97de39054b74c355bfdc15

    SHA1

    fcf14c4e1ed8b11a36a503b1376906721913a2f1

    SHA256

    8c6754ccfd277249945f93eca2f53aa9c26864400e423a18d3a1e96dc8d59cf6

    SHA512

    a6c179c6a3b3f1e9376dacb214d5221090e4f4a586838dcf9402db17771b0538f51d92b044e36023d3fe0edd2ad2ed4eaf2bf73ad4ee1b2d574051ac03070da0

    Download Submit

  • memory/3616-60-0x00000000028C0000-0x000000000290C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3616-59-0x000000000A3A0000-0x000000000A3DC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3616-58-0x000000000A340000-0x000000000A352000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3616-57-0x000000000A410000-0x000000000A51A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3616-56-0x000000000A8B0000-0x000000000AEC8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3616-55-0x0000000002780000-0x0000000002786000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3616-54-0x00000000005A0000-0x00000000005D0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4100-31-0x0000000002310000-0x0000000002322000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4100-21-0x0000000002310000-0x0000000002322000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4100-39-0x0000000002310000-0x0000000002322000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4100-37-0x0000000002310000-0x0000000002322000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4100-35-0x0000000002310000-0x0000000002322000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4100-33-0x0000000002310000-0x0000000002322000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4100-43-0x0000000002310000-0x0000000002322000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4100-29-0x0000000002310000-0x0000000002322000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4100-27-0x0000000002310000-0x0000000002322000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4100-25-0x0000000002310000-0x0000000002322000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4100-23-0x0000000002310000-0x0000000002322000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4100-42-0x0000000002310000-0x0000000002322000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4100-20-0x0000000002310000-0x0000000002322000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4100-48-0x0000000073C70000-0x0000000074420000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4100-50-0x0000000073C70000-0x0000000074420000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4100-45-0x0000000002310000-0x0000000002322000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4100-47-0x0000000002310000-0x0000000002322000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4100-19-0x0000000073C70000-0x0000000074420000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4100-18-0x0000000002310000-0x0000000002328000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4100-17-0x0000000004A30000-0x0000000004FD4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4100-16-0x0000000073C70000-0x0000000074420000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4100-15-0x00000000022D0000-0x00000000022EA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4100-14-0x0000000073C7E000-0x0000000073C7F000-memory.dmp

    Filesize

    4KB

    Download