Overview

overview

10

Static

static

3

7e8b0bd025...2e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 22:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7e8b0bd0251647c5844290fd452d5adeeabb5daeff1f763dbeacfa14d542402e.exe

  • Size

    534KB

  • MD5

    d9f672a65fe47bc5a5def887845e0722

  • SHA1

    d97dd20c0bf42dcc0b6634e698fdb6550be685b1

  • SHA256

    7e8b0bd0251647c5844290fd452d5adeeabb5daeff1f763dbeacfa14d542402e

  • SHA512

    aba653c8580f92652f89ee921479cb2348c97053ac53d64c65a804952c67d7a9bfd2ac8224c5988a4fb6729a1d0685840f693e8ba90721817e2ee7929c83a21f

  • SSDEEP

    12288:CMr3y90RoTKlE7CfIgvw0zpbqW2AFd1E/Mbn:JyZTKlEuIT0ztqjAFngM7

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7e8b0bd0251647c5844290fd452d5adeeabb5daeff1f763dbeacfa14d542402e.exe
    "C:\Users\Admin\AppData\Local\Temp\7e8b0bd0251647c5844290fd452d5adeeabb5daeff1f763dbeacfa14d542402e.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3920
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziKp1672.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziKp1672.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr077605.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr077605.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2840
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku204573.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku204573.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4268
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:2240

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziKp1672.exe
    Filesize

    392KB

    MD5

    33c250c48f3ddd709cc0b339834cf99b

    SHA1

    5519f7be551d9772496bb4991f213183aa4025bf

    SHA256

    4f476e18d8dd9b75e0fdb0773ed398b305a6438b9e1cbbea9892b204690000d2

    SHA512

    9833995d58cccc29a23e986a78d9deb2fa83cd1ca86cd311175bc7abf158ccf689d8fa1ae3b91e7d769365a7dca0dfa8826be8ac83e7153d23ed17504d95dbb1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr077605.exe
    Filesize

    11KB

    MD5

    ba97a3550b2e12405de53fb87ee74ac3

    SHA1

    c49a8f18ec1f06c81d43105ca9f709633d263b67

    SHA256

    08affa40ce8427a36a74c7389c34b3024154c82a6e99ee28288ee5b2bda10fd8

    SHA512

    ebac208032742df209375fc6645e675782aa9a58aca709c0c90a5a1aecef3d17946d7e2b9d4129d597f701fc63feb6fe6d207d8701b0740686914b5f6b5ea851

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku204573.exe
    Filesize

    319KB

    MD5

    268640947cbe1e9f4428babafa09b428

    SHA1

    48dfbb8503f590159d777e5f2510470a3de8259d

    SHA256

    b89b6ca146348a779f00d70a9d7a2f8b33a1bc96ed13b17cd2846ddb6c316165

    SHA512

    dd536146d1aedaae65495abc6af0ab2bcf4717e10cb48418d5ca5f812c7104667dd6d0c6122a3a11bd36d6bf173263031d2740f11ffb52a732ade42388e1d6aa

    Download Submit

  • memory/2840-14-0x00007FF9E7FE3000-0x00007FF9E7FE5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2840-15-0x0000000000850000-0x000000000085A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2840-16-0x00007FF9E7FE3000-0x00007FF9E7FE5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4268-66-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4268-56-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4268-24-0x0000000004AB0000-0x0000000004AF4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4268-32-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4268-50-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4268-88-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4268-87-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4268-84-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4268-82-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4268-81-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4268-78-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4268-76-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4268-74-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4268-72-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4268-70-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4268-68-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4268-22-0x0000000002510000-0x0000000002556000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4268-64-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4268-62-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4268-60-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4268-58-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4268-23-0x0000000004BB0000-0x0000000005154000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4268-54-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4268-52-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4268-46-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4268-44-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4268-42-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4268-38-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4268-36-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4268-34-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4268-30-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4268-28-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4268-48-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4268-40-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4268-26-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4268-25-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4268-931-0x0000000005160000-0x0000000005778000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4268-932-0x0000000005790000-0x000000000589A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4268-933-0x00000000058D0000-0x00000000058E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4268-934-0x00000000058F0000-0x000000000592C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4268-935-0x0000000005A40000-0x0000000005A8C000-memory.dmp

    Filesize

    304KB

    Download