Overview

overview

10

Static

static

3

6014df870f...ac.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2024 13:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6014df870fc59a8e4160d9ce90b8eef3b1a0cd900f494a1d91967bf7cb979aac.exe

  • Size

    480KB

  • MD5

    ec008dd1f57d5cc9b36bb22da3fa0c5e

  • SHA1

    3a987b789bf4ddee8e26468bd3afd780f0fb5a0c

  • SHA256

    6014df870fc59a8e4160d9ce90b8eef3b1a0cd900f494a1d91967bf7cb979aac

  • SHA512

    d2cf7539efe6d77487f7bf5919c9cec8141c2f0f2fad6e9c011d889e3c846e7c20c84857ef3e505b62a692748653f71a1141e5cd8b6234bef0c6ee5b4ec3e946

  • SSDEEP

    12288:kMrLy903Why7JQG5c1u31BTSyYTU/lP1mZG:fyuWhyCSXXT5tYZG

Score
10/10
healerredlinemisfadiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

misfa

C2

217.196.96.101:4132

Attributes
  • auth_value

    be2e6d9f1a5e54a81340947b20e561c1

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6014df870fc59a8e4160d9ce90b8eef3b1a0cd900f494a1d91967bf7cb979aac.exe
    "C:\Users\Admin\AppData\Local\Temp\6014df870fc59a8e4160d9ce90b8eef3b1a0cd900f494a1d91967bf7cb979aac.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3288
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6274940.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6274940.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2224
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3510004.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3510004.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5008
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3744548.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3744548.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:552

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6274940.exe
    Filesize

    309KB

    MD5

    f1656396af3c3836b949fc533644813c

    SHA1

    1058c88e9a4394e027597626d1ced07b8268be07

    SHA256

    962a6852beb1ce4b5dd4e1c8170b40250e9aa5aff225e78cf1af074d388d004f

    SHA512

    b4a177a892992f21bd1c13e176786dcdd85b3ea133807b09d45278f5e3bbdb5ce922d405a2c447a34d6982a167909700870c4f6bb2dc31e482bc3fd103c0470e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3510004.exe
    Filesize

    177KB

    MD5

    562d615bc42d0aed11d3e76139372391

    SHA1

    4c18ed1b28e2400738d3ed22d955153a9346edba

    SHA256

    04aa814bb33173cf817602befab1e7fe3e27cbf65bc57337b567968d881b900d

    SHA512

    8308371d6bcef8402891b6cb1e930c3e48dc7c320e1bcb9873ebf85fca55ac393a468c5cfad324f7f4250381e30588ab07e5871b8f398a2ce3d8019fc659926a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3744548.exe
    Filesize

    168KB

    MD5

    4ba87339ed71b3fcdaa305822610b7c2

    SHA1

    3dcfe8b8b091975a3312d99b5cc4eeee16dd7a4b

    SHA256

    a864c45055adba79be0741753f25306060e86e9c108d1e51a3e31face43c13a3

    SHA512

    247ccb29f4bc7bfe6b42b71fa2995a9ca86ec99f211a03c30fdd0c7717536d4e50da82b2facc3d2af1c4414876088466f50b51162d5249a81be731b36cf16897

    Download Submit

  • memory/552-62-0x0000000004EB0000-0x0000000004EFC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/552-61-0x0000000004E70000-0x0000000004EAC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/552-60-0x0000000004E10000-0x0000000004E22000-memory.dmp

    Filesize

    72KB

    Download

  • memory/552-59-0x0000000004F00000-0x000000000500A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/552-58-0x0000000005410000-0x0000000005A28000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/552-57-0x0000000000C50000-0x0000000000C56000-memory.dmp

    Filesize

    24KB

    Download

  • memory/552-56-0x0000000000480000-0x00000000004AE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/5008-34-0x0000000002680000-0x0000000002692000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5008-46-0x0000000002680000-0x0000000002692000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5008-43-0x0000000002680000-0x0000000002692000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5008-40-0x0000000002680000-0x0000000002692000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5008-38-0x0000000002680000-0x0000000002692000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5008-36-0x0000000002680000-0x0000000002692000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5008-48-0x0000000002680000-0x0000000002692000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5008-32-0x0000000002680000-0x0000000002692000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5008-30-0x0000000002680000-0x0000000002692000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5008-28-0x0000000002680000-0x0000000002692000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5008-26-0x0000000002680000-0x0000000002692000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5008-22-0x0000000002680000-0x0000000002692000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5008-21-0x0000000002680000-0x0000000002692000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5008-45-0x0000000002680000-0x0000000002692000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5008-49-0x00000000748FE000-0x00000000748FF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5008-50-0x00000000748F0000-0x00000000750A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5008-52-0x00000000748F0000-0x00000000750A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5008-24-0x0000000002680000-0x0000000002692000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5008-19-0x00000000748F0000-0x00000000750A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5008-20-0x00000000748F0000-0x00000000750A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5008-18-0x0000000002680000-0x0000000002698000-memory.dmp

    Filesize

    96KB

    Download

  • memory/5008-17-0x0000000004C80000-0x0000000005224000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5008-16-0x00000000748F0000-0x00000000750A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5008-15-0x00000000022F0000-0x000000000230A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/5008-14-0x00000000748FE000-0x00000000748FF000-memory.dmp

    Filesize

    4KB

    Download