Analysis

  • max time kernel
    106s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-09-2024 18:40

General

  • Target

    65da1e5d9541987249a0425060f176c0N.exe

  • Size

    706KB

  • MD5

    65da1e5d9541987249a0425060f176c0

  • SHA1

    5606fbcb8c5634c1fd164c792b2150a6dedee655

  • SHA256

    724547007f3886a58e63abd1921c2b5341dc864ee64042632b828378d926e3e5

  • SHA512

    b2764da3ac89d0b0a99f2d8c3b51af8f4e925a9946c5e9c610c9c5cd38593a63cbf940facee156d535115301b614f5a87880279237bbe239b095af21b3e92f3f

  • SSDEEP

    12288:ZMrny90ByiG7k9VHz+eL4/of6f9oIIdm8FJoDG0lzi5gQIuo:WyU3zDL4/ofGj30JoxuTo

Malware Config

Extracted

Family

redline

Botnet

jokes

C2

77.91.124.82:19071

Attributes
  • auth_value

    fb7b36b70ae30fb2b72f789037350cdb

Signatures

  • Detects Healer, an antivirus disabler dropper 1 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\65da1e5d9541987249a0425060f176c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65da1e5d9541987249a0425060f176c0N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3064
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5235876.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5235876.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3428
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6330473.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6330473.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4996
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0475403.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0475403.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2552
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3028
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 580
            5⤵
            • Program crash
            PID:3608
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6263420.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6263420.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3744
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2552 -ip 2552
    1⤵
    PID:2664

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5235876.exe

      Filesize

      461KB

      MD5

      3031013b0db9711ec901b3053ceec487

      SHA1

      3267803063fb215542a0a13faec5f4f90a037a47

      SHA256

      c19b3ddae590b3e461baab4863b4f6c84a43414eaf25e46606ad55eeb3721a17

      SHA512

      a1ce84d00f130ab7e8480e2bb4d9a81cc013f6f531720143d203af7e4a6daa2de0244de5f77e55f77e7cbb2a3be122b192483d8f275c1156d68de7ff98d12f7b

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6330473.exe

      Filesize

      295KB

      MD5

      5dd8d42266737d3ab6dfb37664d78deb

      SHA1

      99513ec05b50fb10c0dbedfdbee9e6a9b595bab3

      SHA256

      30a1a0bd8bb10918c5ee102b810343fdcee803f16eff99ea807b50961569eeaa

      SHA512

      82f4fe2e2cd2a080626f6921d00c47e40927648ce469df0c57a704a39bdc53f0a5533dc351df25cd661ef03c5be3476126296b663ce86f56101fc9143d999e14

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0475403.exe

      Filesize

      190KB

      MD5

      9456c6ed15325a6c0a02d573614145e7

      SHA1

      74003f751a77dcaf171da5181f0f56aca9987eb1

      SHA256

      125d19dc7457e5d4d4359a4234d95bab0724b8495e1c34bf0ab84a286e61c782

      SHA512

      5da929c6c848f14d74845a4d093e6cb6c93fc703474563da059582d61f826ce3e4ccef8e6766f4a52c620dde39ac725f8c413dd5e9fba341395a10547bb78d32

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6263420.exe

      Filesize

      174KB

      MD5

      22d733df7fd7fe0a68865373b03ebe4a

      SHA1

      2aaea145b4ba20054fe2312277744f4c0f0a647e

      SHA256

      3de234892824ded6a40a7e432c2e311a1920250281ec8a190d78f6ea2757bf61

      SHA512

      dc5612d94c12f88f21612373d6b9c2041f92e11ba45ba2b4842c002bdd6ba8a43945319f6d51e9b5e864e53b8fe346fa45a101afbdbe418b806b86d8fe836378

    • memory/3028-21-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

    • memory/3744-25-0x0000000000AC0000-0x0000000000AF0000-memory.dmp

      Filesize

      192KB

    • memory/3744-26-0x0000000002B20000-0x0000000002B26000-memory.dmp

      Filesize

      24KB

    • memory/3744-27-0x000000000AE10000-0x000000000B428000-memory.dmp

      Filesize

      6.1MB

    • memory/3744-28-0x000000000A930000-0x000000000AA3A000-memory.dmp

      Filesize

      1.0MB

    • memory/3744-29-0x000000000A870000-0x000000000A882000-memory.dmp

      Filesize

      72KB

    • memory/3744-30-0x000000000A8D0000-0x000000000A90C000-memory.dmp

      Filesize

      240KB

    • memory/3744-31-0x0000000002B80000-0x0000000002BCC000-memory.dmp

      Filesize

      304KB