Overview

overview

10

Static

static

3

3116e2c2d9...ff.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2024 13:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3116e2c2d9b9c46c824a3eeafb6a8b6838202d26022836c8b82c03484dd7deff.exe

  • Size

    533KB

  • MD5

    903f2cac40f0a99a881598d021f04181

  • SHA1

    93f180a370e84b8fd8802dc0eaec6de87f32b4a7

  • SHA256

    3116e2c2d9b9c46c824a3eeafb6a8b6838202d26022836c8b82c03484dd7deff

  • SHA512

    99beeef0abeb925c32b49d162263dbdb5c0219c7170da78148d665731df82a6aff1fc5a9ee4096e9a035c7c41f3a50d47a66d129ca998e68a20aed568df267f0

  • SSDEEP

    12288:PMriy90WeLgl/uwiyCfR9p3LqjgAzSnWIP8s:ZyyaRbCZ9p3Gj1sJUs

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3116e2c2d9b9c46c824a3eeafb6a8b6838202d26022836c8b82c03484dd7deff.exe
    "C:\Users\Admin\AppData\Local\Temp\3116e2c2d9b9c46c824a3eeafb6a8b6838202d26022836c8b82c03484dd7deff.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5056
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGk5115.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGk5115.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:556
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr492634.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr492634.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1596
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku457488.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku457488.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:776

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGk5115.exe
    Filesize

    391KB

    MD5

    286d00fb8774d77afe60a360e7f4e638

    SHA1

    7a973b498926bd4ede517655cb99f300f5448613

    SHA256

    583bc816d0fc868a5ff89191c8596f4320d5c0745ae36aa877e33a23355723b1

    SHA512

    82b865e0276661fc757b441e1630d843bf973dcab65d0ea9aae6b90315f2a0e58d12b09cf6980afcb2e7f911550398025a528426be73115d66baf499bc8d7a27

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr492634.exe
    Filesize

    11KB

    MD5

    3caf74acb68fcc62c6dcc0dd5420869e

    SHA1

    dbc6b3a729425c24d73516cd0274339b9f1bb25e

    SHA256

    378104be760b6a5d2adbbd549c9490780cf44e88c6a668cddaee10b2407fedfb

    SHA512

    dc852a47eeb26c4396061f3bb725955657cb4d7d1a911fb6b23aebf1902803090e05bcd32bd0ab45ee6401403a0b15572e56ec03e46d83148276a2ba5539c666

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku457488.exe
    Filesize

    359KB

    MD5

    9043eaa2b512bb2be5f17eb770a0f8a1

    SHA1

    4dd199f5dabda70b804d0ebb36752e15a2c3d0ba

    SHA256

    c2e1703e3bc04b0354f429885401bedfdc56f9f65cb9727a804e5850397f0813

    SHA512

    9270acb905231ba870631c427c00ef0ee0fe924e306753ce4caa4dcef5d8b97c7a02849586b312efbd326887edc5f6dd67d5d7d1159a729a7fa804b7a2aff8a0

    Download Submit

  • memory/776-62-0x0000000006690000-0x00000000066CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/776-22-0x0000000003B20000-0x0000000003B66000-memory.dmp

    Filesize

    280KB

    Download

  • memory/776-935-0x0000000007080000-0x00000000070CC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/776-56-0x0000000006690000-0x00000000066CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/776-23-0x0000000006090000-0x0000000006634000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/776-24-0x0000000006690000-0x00000000066D4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/776-60-0x0000000006690000-0x00000000066CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/776-74-0x0000000006690000-0x00000000066CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/776-88-0x0000000006690000-0x00000000066CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/776-86-0x0000000006690000-0x00000000066CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/776-58-0x0000000006690000-0x00000000066CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/776-82-0x0000000006690000-0x00000000066CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/776-54-0x0000000006690000-0x00000000066CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/776-78-0x0000000006690000-0x00000000066CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/776-72-0x0000000006690000-0x00000000066CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/776-71-0x0000000006690000-0x00000000066CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/776-68-0x0000000006690000-0x00000000066CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/776-66-0x0000000006690000-0x00000000066CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/776-65-0x0000000006690000-0x00000000066CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/776-934-0x0000000006F30000-0x0000000006F6C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/776-84-0x0000000006690000-0x00000000066CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/776-933-0x0000000006F10000-0x0000000006F22000-memory.dmp

    Filesize

    72KB

    Download

  • memory/776-80-0x0000000006690000-0x00000000066CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/776-52-0x0000000006690000-0x00000000066CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/776-50-0x0000000006690000-0x00000000066CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/776-48-0x0000000006690000-0x00000000066CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/776-46-0x0000000006690000-0x00000000066CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/776-44-0x0000000006690000-0x00000000066CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/776-40-0x0000000006690000-0x00000000066CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/776-38-0x0000000006690000-0x00000000066CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/776-37-0x0000000006690000-0x00000000066CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/776-34-0x0000000006690000-0x00000000066CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/776-32-0x0000000006690000-0x00000000066CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/776-76-0x0000000006690000-0x00000000066CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/776-42-0x0000000006690000-0x00000000066CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/776-30-0x0000000006690000-0x00000000066CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/776-28-0x0000000006690000-0x00000000066CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/776-26-0x0000000006690000-0x00000000066CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/776-25-0x0000000006690000-0x00000000066CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/776-931-0x0000000006730000-0x0000000006D48000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/776-932-0x0000000006DD0000-0x0000000006EDA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1596-16-0x00007FFA7BA83000-0x00007FFA7BA85000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1596-14-0x00007FFA7BA83000-0x00007FFA7BA85000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1596-15-0x0000000000840000-0x000000000084A000-memory.dmp

    Filesize

    40KB

    Download