Overview

overview

10

Static

static

3

14047d176f...e0.exe

windows7-x64

10

14047d176f...e0.exe

windows10-2004-x64

10

14047d176f...e0.exe

windows10-ltsc 2021-x64

10

14047d176f...e0.exe

windows11-21h2-x64

10

Resubmissions

29-10-2024 12:21

241029-pjswbatqe1 10

08-05-2023 14:28

230508-rtcm7ach2z 10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    29-10-2024 12:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    14047d176f59ac37cb5b17949f11c84940f32bcf41ad2c95b22e8821bfb6fde0.exe

  • Size

    479KB

  • MD5

    ddb2fa5da1b2b6554636d6c6ebf24ed2

  • SHA1

    79cc8c380fd0cdccc7bce7712410079fd89de95f

  • SHA256

    14047d176f59ac37cb5b17949f11c84940f32bcf41ad2c95b22e8821bfb6fde0

  • SHA512

    916371cc78a9bcd127b14fb6992d216f2a3d9409ee31492d466e6d855015abd1ab18290db940286f5baa37a04eb59858d0113f6e5a158a06d2dc6b0cefa2df63

  • SSDEEP

    12288:ZMrMy90FRTJp+vGlbqfpuynr+7I1tti4i:Ryu8KaHnT1t0/

Score
10/10
healerredlinedonadiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

dona

C2

217.196.96.101:4132

Attributes
  • auth_value

    9fbb198992bbc83a84ab1f21384813e3

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\14047d176f59ac37cb5b17949f11c84940f32bcf41ad2c95b22e8821bfb6fde0.exe
    "C:\Users\Admin\AppData\Local\Temp\14047d176f59ac37cb5b17949f11c84940f32bcf41ad2c95b22e8821bfb6fde0.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3120
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3526722.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3526722.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4776
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3753639.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3753639.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4968
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7355329.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7355329.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1520

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3526722.exe
    Filesize

    307KB

    MD5

    9fa1f2e6500db2a097ea6c40f99b3a78

    SHA1

    59ac9f1f4b2f46586545841676a5c4e6eeb6655e

    SHA256

    6c83e9427c0887200d24a080f309afdbeb2c0c906ca02b4f66b74e40c031ff34

    SHA512

    b7a7bcf4e889d29f2150714e09116fdc3c65fa2afc422b27ad3d7d6e0b1ad6b460515709d24e101c62867c0cbad02139b5136fe5e2c684941baba60ca5cf4939

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3753639.exe
    Filesize

    179KB

    MD5

    139f989158eb46f0f92ee57947d49088

    SHA1

    b7086e945ada7a800dc43c215587417cdbf261cf

    SHA256

    0a16042ba0e3402c35f18887b454b86eb1642d9d48c97cfcdc8e48d30bb6acc6

    SHA512

    f1ce854f2270548c22346348496fbefd4f2099ea9bee20455555d25d87eb835091e1d1882273d9c6d5c66f7b76018733175598531309994aef3244f39fe3b98a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7355329.exe
    Filesize

    168KB

    MD5

    8458e72613c2fbf08d17166dcc461825

    SHA1

    c040009c44e6875772d1c72ccffd029151f387e2

    SHA256

    db47967095b1ecf43845798be6c223564a4d1b31ed15152c3e601fb4ad1be792

    SHA512

    db371c9a5c3728e54306874b001f49c5ab6ecf5618054a265a37916607c5fa330e7568475ce4bfe81caae8cd36625bfce927e434459877af3d10eb4015bdf996

    Download Submit

  • memory/1520-63-0x0000000074090000-0x000000007413B000-memory.dmp

    Filesize

    684KB

    Download

  • memory/1520-62-0x0000000004F60000-0x0000000004FAC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1520-61-0x0000000004DD0000-0x0000000004E0C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1520-60-0x0000000004D70000-0x0000000004D82000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1520-59-0x0000000004E50000-0x0000000004F5A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1520-58-0x0000000005360000-0x0000000005978000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1520-57-0x0000000004BD0000-0x0000000004BD6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1520-56-0x0000000000340000-0x0000000000370000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1520-55-0x0000000074090000-0x000000007413B000-memory.dmp

    Filesize

    684KB

    Download

  • memory/4968-42-0x0000000002400000-0x0000000002412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4968-48-0x00000000740DE000-0x00000000740DF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4968-32-0x0000000002400000-0x0000000002412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4968-30-0x0000000002400000-0x0000000002412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4968-28-0x0000000002400000-0x0000000002412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4968-26-0x0000000002400000-0x0000000002412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4968-24-0x0000000002400000-0x0000000002412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4968-22-0x0000000002400000-0x0000000002412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4968-20-0x0000000002400000-0x0000000002412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4968-19-0x0000000002400000-0x0000000002412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4968-47-0x00000000740D0000-0x0000000074881000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4968-34-0x0000000002400000-0x0000000002412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4968-49-0x00000000740D0000-0x0000000074881000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4968-51-0x00000000740D0000-0x0000000074881000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4968-36-0x0000000002400000-0x0000000002412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4968-38-0x0000000002400000-0x0000000002412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4968-40-0x0000000002400000-0x0000000002412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4968-44-0x0000000002400000-0x0000000002412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4968-46-0x0000000002400000-0x0000000002412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4968-18-0x0000000002400000-0x0000000002418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4968-17-0x0000000004C80000-0x0000000005226000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4968-16-0x00000000740D0000-0x0000000074881000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4968-15-0x0000000002270000-0x000000000228A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4968-14-0x00000000740DE000-0x00000000740DF000-memory.dmp

    Filesize

    4KB

    Download