Overview

overview

10

Static

static

3

d9725d37c9...38.exe

windows7-x64

10

d9725d37c9...38.exe

windows10-2004-x64

10

d9725d37c9...38.exe

windows10-ltsc 2021-x64

10

d9725d37c9...38.exe

windows11-21h2-x64

10

Resubmissions

28-10-2024 23:04

241028-22n2asyhmh 10

03-04-2023 20:18

230403-y3ra9sha28 10

Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    28-10-2024 23:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d9725d37c9ad4a2a83c8a7d80004c2f24ca9f1f464732b92fe88fe32fa760738.exe

  • Size

    658KB

  • MD5

    a8218ad88fa977c148d432a96a626bf6

  • SHA1

    d1b33828fa7491a165bc3307d8f6f4f4755df501

  • SHA256

    d9725d37c9ad4a2a83c8a7d80004c2f24ca9f1f464732b92fe88fe32fa760738

  • SHA512

    577696f114c7b0e7d30bcc311bf87ae2c6f9729eb89b6e3a0f20e449711fa1fd9529b58fc485f4899492241be50f6b452312fa264239354a6bf69e30fcdeb6ef

  • SSDEEP

    12288:DMruy90+UdjGJWxf0kiVxkVuLt8/EwkgU44LzWKKf8vU9oE:5yDWjIeUEuhnXgF42KYiE

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9725d37c9ad4a2a83c8a7d80004c2f24ca9f1f464732b92fe88fe32fa760738.exe
    "C:\Users\Admin\AppData\Local\Temp\d9725d37c9ad4a2a83c8a7d80004c2f24ca9f1f464732b92fe88fe32fa760738.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3420
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un530290.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un530290.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1480
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0318.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0318.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2216
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 1212
          4⤵
          • Program crash
          PID:2212
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7572.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7572.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3068
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2216 -ip 2216
    1⤵
      PID:4976

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un530290.exe
      Filesize

      516KB

      MD5

      69e08451d317b29cc4ec452fa877491a

      SHA1

      5b6efafa9a95f867a28baf569e91f07d61656193

      SHA256

      d35f42c4c63c7cba0a08c1b2fc498c905b92d9999f0a29daa7e0d19cb1f170b0

      SHA512

      d19f98769def60b2d0afc5de495f4db6c15f7f3a1ccf43d58fb8637bcacc802a7014ad633cb96a7b079f4cbf2fbdbd23c2889632f0655cdea6af10720aeab210

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0318.exe
      Filesize

      235KB

      MD5

      286043e29340f4e9be8245655cfc5544

      SHA1

      acb4ac67aed93f4868adb55919d1687f5c9c06d6

      SHA256

      70f7ea1b6248622dc2595f828feb244e473e96ab9bdfa8d3032554c802f74daa

      SHA512

      8291b19547eb671c5bb9edadc8a59c2366f4e9ea6bd71681d473d3a8fe3156032d1bcc0765a4a7cfc86beb34b48a71b1cfed2f4326a519bd6ba6fac7172fc90f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7572.exe
      Filesize

      294KB

      MD5

      95980a917d5cf6fccefa0382940cf584

      SHA1

      1431f14d21b8dc2acdda68e58b025f08bea94e35

      SHA256

      b108f04a1776fd8397fc21472b789bb59e552e6330cabb2382378377c88fcee3

      SHA512

      2d4d65800783434a7b079d74d952168ec05612633ce4f82f33f52a9e53403c28b7e1c15ef07fa30d015a27ac9bbd5ea32c23db33d19d6c76795d3d975915b7a1

      Download Submit

    • memory/2216-15-0x0000000000700000-0x0000000000800000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2216-16-0x00000000020E0000-0x000000000210D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2216-17-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2216-18-0x0000000000400000-0x00000000004A9000-memory.dmp

      Filesize

      676KB

      Download

    • memory/2216-19-0x0000000002470000-0x000000000248A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2216-20-0x0000000004B40000-0x00000000050E6000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2216-21-0x0000000005130000-0x0000000005148000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2216-22-0x0000000005130000-0x0000000005142000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2216-31-0x0000000005130000-0x0000000005142000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2216-49-0x0000000005130000-0x0000000005142000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2216-47-0x0000000005130000-0x0000000005142000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2216-46-0x0000000005130000-0x0000000005142000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2216-44-0x0000000005130000-0x0000000005142000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2216-41-0x0000000005130000-0x0000000005142000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2216-39-0x0000000005130000-0x0000000005142000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2216-37-0x0000000005130000-0x0000000005142000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2216-36-0x0000000005130000-0x0000000005142000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2216-33-0x0000000005130000-0x0000000005142000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2216-29-0x0000000005130000-0x0000000005142000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2216-27-0x0000000005130000-0x0000000005142000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2216-25-0x0000000005130000-0x0000000005142000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2216-23-0x0000000005130000-0x0000000005142000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2216-50-0x0000000000700000-0x0000000000800000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2216-51-0x00000000020E0000-0x000000000210D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2216-52-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2216-55-0x0000000000400000-0x00000000004A9000-memory.dmp

      Filesize

      676KB

      Download

    • memory/2216-56-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3068-61-0x0000000004C50000-0x0000000004C96000-memory.dmp

      Filesize

      280KB

      Download

    • memory/3068-62-0x0000000005280000-0x00000000052C4000-memory.dmp

      Filesize

      272KB

      Download

    • memory/3068-70-0x0000000005280000-0x00000000052BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3068-72-0x0000000005280000-0x00000000052BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3068-96-0x0000000005280000-0x00000000052BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3068-94-0x0000000005280000-0x00000000052BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3068-92-0x0000000005280000-0x00000000052BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3068-90-0x0000000005280000-0x00000000052BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3068-88-0x0000000005280000-0x00000000052BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3068-86-0x0000000005280000-0x00000000052BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3068-84-0x0000000005280000-0x00000000052BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3068-80-0x0000000005280000-0x00000000052BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3068-78-0x0000000005280000-0x00000000052BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3068-76-0x0000000005280000-0x00000000052BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3068-74-0x0000000005280000-0x00000000052BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3068-68-0x0000000005280000-0x00000000052BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3068-82-0x0000000005280000-0x00000000052BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3068-66-0x0000000005280000-0x00000000052BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3068-64-0x0000000005280000-0x00000000052BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3068-63-0x0000000005280000-0x00000000052BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3068-969-0x0000000005320000-0x0000000005938000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3068-970-0x00000000059C0000-0x0000000005ACA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3068-971-0x0000000005B00000-0x0000000005B12000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3068-972-0x0000000005B20000-0x0000000005B5C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3068-973-0x0000000005B70000-0x0000000005BBC000-memory.dmp

      Filesize

      304KB

      Download