Overview

overview

10

Static

static

3

27cca40183...6b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2024 13:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    27cca401832a10fb26ed6c57fe6093da2ee51281eb10c92dd7e3323d98c3bb6b.exe

  • Size

    526KB

  • MD5

    61b13be504d581ec8ab2021711922b06

  • SHA1

    11c1b977bb955fb6eb4360eb7aaab408270fbf80

  • SHA256

    27cca401832a10fb26ed6c57fe6093da2ee51281eb10c92dd7e3323d98c3bb6b

  • SHA512

    b4b6b38c9a8da5e5b16b4dec16305121b6fe35e537b01f0812f09317105e44ab19ff24a6f067ae61e33640802f86ccaa7b85078011c6067990ab5f0a99751a55

  • SSDEEP

    12288:CMrdy90WytUQpIU3zYOvVBPXGuQB1lIm/:ny1mDJDYgVBfGv5/

Score
10/10
healerredlinefuddiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

fud

C2

193.233.20.27:4123

Attributes
  • auth_value

    cddc991efd6918ad5321d80dac884b40

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\27cca401832a10fb26ed6c57fe6093da2ee51281eb10c92dd7e3323d98c3bb6b.exe
    "C:\Users\Admin\AppData\Local\Temp\27cca401832a10fb26ed6c57fe6093da2ee51281eb10c92dd7e3323d98c3bb6b.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:684
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhyN8665Zv.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhyN8665Zv.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3800
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf44VA99UZ87.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf44VA99UZ87.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4032
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf04Li20Yl89.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf04Li20Yl89.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2740
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:3740

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhyN8665Zv.exe
    Filesize

    382KB

    MD5

    393c3d72cb7727f9731753ac13c6522d

    SHA1

    336a340fd002b1eab4f37d2dc71c60649d9c05c5

    SHA256

    40ff6b127881832b4d219fa6b597e6208dd505d70e8df0230d378e15ad83ab3c

    SHA512

    f8d9f3187194f27fddb157e8aff620f1ca4f65c6a04b0e07cd679cf1fdffae96c778ee86da496b0a58b8d165b5d33de622b53cc8830450f793d5929e987a5685

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf44VA99UZ87.exe
    Filesize

    11KB

    MD5

    27ce2d170ab35b1ab3b0cc00b8ae9a69

    SHA1

    b5de7fba219dfad61b56bfbafc3022cf05959bf7

    SHA256

    911c3a02cac4d3f21ce97ddcff973ba819b691c6ef7f117257631022370f731d

    SHA512

    974f63ffb1dfe203463180281d293d7279648a40e60288c9de3b2a49d36315c4120c5ef02873daa91a07257623d79ebfe9907904c8b665eff591a93a439dfe61

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf04Li20Yl89.exe
    Filesize

    292KB

    MD5

    bd407beaed8912f6f9f5b269e5a85686

    SHA1

    f9d8fc6c0a1ca9a1e0af1ca278f629994df04b1b

    SHA256

    3fb5f126878146985387aac28dc8b1c17d8ee6ae3630a0c754c135138180d367

    SHA512

    79eca3bfa76f241986888271cbcf4858a6eb2c729b1dbebcf000ae13b9fb1e981360c930e40c39437c027794ecce33d9302e6db93d65208ad6bb458aa1b2ff72

    Download Submit

  • memory/2740-64-0x0000000005270000-0x00000000052AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2740-22-0x0000000004BC0000-0x0000000004C06000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2740-935-0x0000000005C50000-0x0000000005C9C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2740-58-0x0000000005270000-0x00000000052AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2740-23-0x0000000004CC0000-0x0000000005264000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2740-24-0x0000000005270000-0x00000000052B4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2740-30-0x0000000005270000-0x00000000052AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2740-36-0x0000000005270000-0x00000000052AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2740-88-0x0000000005270000-0x00000000052AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2740-86-0x0000000005270000-0x00000000052AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2740-62-0x0000000005270000-0x00000000052AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2740-82-0x0000000005270000-0x00000000052AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2740-56-0x0000000005270000-0x00000000052AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2740-76-0x0000000005270000-0x00000000052AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2740-74-0x0000000005270000-0x00000000052AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2740-72-0x0000000005270000-0x00000000052AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2740-70-0x0000000005270000-0x00000000052AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2740-68-0x0000000005270000-0x00000000052AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2740-66-0x0000000005270000-0x00000000052AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2740-934-0x0000000005B00000-0x0000000005B3C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2740-84-0x0000000005270000-0x00000000052AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2740-933-0x0000000005AE0000-0x0000000005AF2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2740-80-0x0000000005270000-0x00000000052AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2740-55-0x0000000005270000-0x00000000052AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2740-50-0x0000000005270000-0x00000000052AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2740-48-0x0000000005270000-0x00000000052AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2740-46-0x0000000005270000-0x00000000052AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2740-44-0x0000000005270000-0x00000000052AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2740-42-0x0000000005270000-0x00000000052AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2740-40-0x0000000005270000-0x00000000052AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2740-38-0x0000000005270000-0x00000000052AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2740-34-0x0000000005270000-0x00000000052AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2740-32-0x0000000005270000-0x00000000052AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2740-28-0x0000000005270000-0x00000000052AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2740-78-0x0000000005270000-0x00000000052AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2740-60-0x0000000005270000-0x00000000052AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2740-52-0x0000000005270000-0x00000000052AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2740-26-0x0000000005270000-0x00000000052AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2740-25-0x0000000005270000-0x00000000052AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2740-931-0x0000000005300000-0x0000000005918000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2740-932-0x00000000059A0000-0x0000000005AAA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4032-16-0x00007FFA5DAA3000-0x00007FFA5DAA5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4032-14-0x00007FFA5DAA3000-0x00007FFA5DAA5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4032-15-0x00000000000E0000-0x00000000000EA000-memory.dmp

    Filesize

    40KB

    Download