Overview

overview

10

Static

static

3

b95b987d29...1N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-11-2024 08:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b95b987d296dc7dab581d99b7c28b882bbd077c00385eb5b7f5fec8d1d8d9d71N.exe

  • Size

    473KB

  • MD5

    e51225531182c11a62584a3899342020

  • SHA1

    326bca9fb80a27585cc510f28154873745f12e38

  • SHA256

    b95b987d296dc7dab581d99b7c28b882bbd077c00385eb5b7f5fec8d1d8d9d71

  • SHA512

    0b6860b6b352daecc7f81677c9cf739472439a6e736d20bad16a3de25a6b72ca319cd71673bb31e80b020204d4798401aa3b33378e7750f7e5e9a291fed0a15e

  • SSDEEP

    12288:/MrMy90BjEe45JUFUBIJGB+vs5nwgos/XmoyR5u:ry8jEe45JUFCcGB+vs5nNo2Gu

Score
10/10
healerredlinemrakdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

mrak

C2

77.91.124.82:19071

Attributes
  • auth_value

    7d9a335ab5dfd42d374867c96fe25302

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b95b987d296dc7dab581d99b7c28b882bbd077c00385eb5b7f5fec8d1d8d9d71N.exe
    "C:\Users\Admin\AppData\Local\Temp\b95b987d296dc7dab581d99b7c28b882bbd077c00385eb5b7f5fec8d1d8d9d71N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4736
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5235607.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5235607.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2148
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7588907.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7588907.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:428
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5693974.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5693974.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1356
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i1478562.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i1478562.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:760
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:5052

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5235607.exe
    Filesize

    371KB

    MD5

    e41600003f1d3b36a23d3b8a4fb6d8bd

    SHA1

    d14d82b5d256036fd6bdcca98961389a048193ad

    SHA256

    7db6fdadb651c3eefd8290e569a7efd0fe7d50fd826ea9418136e148991f52b5

    SHA512

    790196ddc5a9a3a8dbc736a30314d455201614fce0d0910546671d34a9e6868c8e92d46f3ec57dfd9c65472e0d26af758d3ebb9d8a654c15785fc96d367c175c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7588907.exe
    Filesize

    206KB

    MD5

    bf2b84b09ebe03c1a0254c0ba14e3257

    SHA1

    aacc029a047df22e9a9a93f7eb21f443dcad5e78

    SHA256

    2b7305f5a327d04f13df7af7216898420f95c9785be635927afe5093ea056a4f

    SHA512

    aeff0d9fbf23f9f0c523ac45ffde512a4d55b134acf4ec4d07b3d406e4634297d34264154e147534ea05bdced0313f9f0d584447c01071c8edbf47e8c5f9b69a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5693974.exe
    Filesize

    12KB

    MD5

    4ecf3ff73df3eb539eb28b55fd929abb

    SHA1

    dee98e1d25c1e39592af927080765883f52d07e0

    SHA256

    9d24845dbcd9355edc93e2f98f9ed46a4452b3e40e0fec9370afa51e1397d53d

    SHA512

    4a9198b97b97ec058cf776f3a62eaf71e4a1fc5b7d55d8c33663467d471f20f1bd561b5c33799afddbb906de1575e69768f4e14b3f64ab5b02dcc2c278b27c53

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i1478562.exe
    Filesize

    176KB

    MD5

    2f0faa047b3462e4e59e12de60a11797

    SHA1

    2baffe8a2900d9150785b761fb4189e59a9d686d

    SHA256

    fad49c1daeecd9880c1e42ef462f8d90223d6689f380232b7c8822a942681ba8

    SHA512

    db9fd56d1a780c55ee52bcc6df54c0cde26c95a0575e9602ef60755185eeb5bffd78d464c82c3b6988b22aba306db199d2158456e3293a94275a6fefac264a36

    Download Submit

  • memory/760-30-0x000000000ADE0000-0x000000000B3F8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/760-28-0x0000000000A70000-0x0000000000AA0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/760-29-0x0000000002E40000-0x0000000002E46000-memory.dmp

    Filesize

    24KB

    Download

  • memory/760-31-0x000000000A8E0000-0x000000000A9EA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/760-32-0x000000000A810000-0x000000000A822000-memory.dmp

    Filesize

    72KB

    Download

  • memory/760-33-0x000000000A870000-0x000000000A8AC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/760-34-0x0000000002D60000-0x0000000002DAC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1356-23-0x00007FFA738A3000-0x00007FFA738A5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1356-22-0x0000000000C60000-0x0000000000C6A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1356-21-0x00007FFA738A3000-0x00007FFA738A5000-memory.dmp

    Filesize

    8KB

    Download