Overview

overview

10

Static

static

3

4202c7e993...3e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2024 13:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4202c7e993080871972cb559793872eba71c6d52fb86f9f95066330c0427e93e.exe

  • Size

    539KB

  • MD5

    626a2f81cc53613f2bb37adf84fd7c8f

  • SHA1

    bf8b037b875f427c8015b7c9854960c0dc000c22

  • SHA256

    4202c7e993080871972cb559793872eba71c6d52fb86f9f95066330c0427e93e

  • SHA512

    58d73af39fec127775a99838bfd39abd6d0911b9880f17006fa05e7c67bcb3009f4f3e96e177491f716764c5da7a5c74a4a185f0f3da9f3897d8bb3c528bbe05

  • SSDEEP

    12288:xMrFy90V43M16o0msgXGMkw3TayGHE3n9hKbc:kyPM16o0mXw89oo

Score
10/10
healerredlinerumadiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

ruma

C2

193.233.20.13:4136

Attributes
  • auth_value

    647d00dfaba082a4a30f383bca5d1a2a

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4202c7e993080871972cb559793872eba71c6d52fb86f9f95066330c0427e93e.exe
    "C:\Users\Admin\AppData\Local\Temp\4202c7e993080871972cb559793872eba71c6d52fb86f9f95066330c0427e93e.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nND73hi95.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nND73hi95.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3988
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dLc60ym.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dLc60ym.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4528
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eXx15dF.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eXx15dF.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3416

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nND73hi95.exe
    Filesize

    394KB

    MD5

    4ba92767dbfa6d953306d364eba15441

    SHA1

    395222258420716d67be50bde0004d2fd78025a9

    SHA256

    30a85c7f451a6a4ec0bc3c5d66d25b80af2005e5a55936da796b534f1d27387d

    SHA512

    95142c9cfb7849165ced8a06304c023bd88dbc2c48ea848fac1110c3430c21e6f22465b2415d0ac878bffbd9db185b95507e27b7ff86f4d187d8a0370ffd5dec

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dLc60ym.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eXx15dF.exe
    Filesize

    316KB

    MD5

    0504fd8249febabd4ac60ffebf01dfc3

    SHA1

    e060f994e98a1d39e66559ca51306ee22abe8418

    SHA256

    13660451a83de8d2fd5b88ad2fe2b4587371dd6f8b3a18c384674bd981373399

    SHA512

    511d2735c2b4bc27ced5d665ac3076bd2a69b66240ff416d90f3306ce5a4f8447342f6413ca5f4207393c4efc9f330d0a8cb9802325e4a4c17d72dea223de00e

    Download Submit

  • memory/3416-62-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3416-22-0x0000000002580000-0x00000000025C6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3416-935-0x0000000005B10000-0x0000000005B5C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3416-58-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3416-23-0x0000000004C00000-0x00000000051A4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3416-24-0x0000000002670000-0x00000000026B4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3416-64-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3416-66-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3416-88-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3416-86-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3416-60-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3416-82-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3416-54-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3416-78-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3416-77-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3416-74-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3416-72-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3416-70-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3416-68-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3416-934-0x00000000059C0000-0x00000000059FC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3416-84-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3416-933-0x00000000059A0000-0x00000000059B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3416-81-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3416-52-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3416-50-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3416-48-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3416-46-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3416-45-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3416-42-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3416-40-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3416-39-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3416-36-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3416-34-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3416-32-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3416-56-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3416-30-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3416-28-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3416-26-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3416-25-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3416-931-0x00000000051C0000-0x00000000057D8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3416-932-0x0000000005860000-0x000000000596A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4528-16-0x00007FFEF0973000-0x00007FFEF0975000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4528-14-0x00007FFEF0973000-0x00007FFEF0975000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4528-15-0x00000000006F0000-0x00000000006FA000-memory.dmp

    Filesize

    40KB

    Download