Overview

overview

10

Static

static

3

f622c24d4a...c1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 22:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f622c24d4a1fcfc82221bf4d23a3658775c020bb7d5ddc9037ca8fc60f2224c1.exe

  • Size

    530KB

  • MD5

    1f87e52e0d226f6988ae25e84f35171d

  • SHA1

    1f16794a1dfcff02914b57d587ac97039f6ca59f

  • SHA256

    f622c24d4a1fcfc82221bf4d23a3658775c020bb7d5ddc9037ca8fc60f2224c1

  • SHA512

    ba5167deeba4c7baac9e51b1de52d076f9c96832947e02f19e15985f96dfd6f9c1a7574756cf8e5ec62c142a9a34fffa74787803b8be597e6bdea36c49d0e4e9

  • SSDEEP

    12288:EMrQy90WbuA1UhYDhvIQ9JtWbvzHvIzWOE83xu2WczohyjNH:UysxYDhLJ4gWOE8BuHczohy5H

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f622c24d4a1fcfc82221bf4d23a3658775c020bb7d5ddc9037ca8fc60f2224c1.exe
    "C:\Users\Admin\AppData\Local\Temp\f622c24d4a1fcfc82221bf4d23a3658775c020bb7d5ddc9037ca8fc60f2224c1.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4188
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCl1370.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCl1370.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4532
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr794920.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr794920.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3916
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku704461.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku704461.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3208

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCl1370.exe
    Filesize

    388KB

    MD5

    c50dfa8dd6ec4c36c347fd59c4055215

    SHA1

    dd069f463eac92f6b5879f8f71edbc2b5f08d2e4

    SHA256

    1b2927c3096ca7b5516f225f92ce80bd2f507e15f571d66c821382551d314c12

    SHA512

    89f6247a05c6f0f78ea573ca4ca3bc3676162fc1f63e7713268a2cc776c889457dec6b4d2cb6b4e4ab58a06d0526f0e3d300500a173154bf153c13d40eff9cf7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr794920.exe
    Filesize

    11KB

    MD5

    8db517a16ebdd8bc54e557b002b0fc1c

    SHA1

    f23385de2e2a05e6010dd0c583ef6fc6f47109db

    SHA256

    aef1e9ca653d58553644f52169f982117fa33b89bb93d8a194f241dfa1c740cb

    SHA512

    05425e9d559cf1092f149f6888b4a694e52bb9b37ed58ffb01e2c7894b6c8b7f21c05983342b6c2480c3c5babb00afc9ef8ea10c1cb3c021ab909a37f3fa6a9b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku704461.exe
    Filesize

    354KB

    MD5

    facb926b426a9e15c22833df033f9284

    SHA1

    2ca28762126e7902d540fc5052648f8c272fe642

    SHA256

    aace58cc1b7245d856937d7cc2115c275343161d1f847f2658b14b75d1b12ee4

    SHA512

    62baefcdec8429059169516b4352088b8f2f80e036efc3b166edbd3ff8b23ef7b8f0508e8e2e121cc3d4395e64b5ac0d0b7d181cf8fcf33efbff072daf7789ed

    Download Submit

  • memory/3208-64-0x0000000007180000-0x00000000071BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3208-22-0x0000000004AB0000-0x0000000004AF6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3208-935-0x0000000008110000-0x000000000815C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3208-58-0x0000000007180000-0x00000000071BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3208-23-0x0000000007210000-0x00000000077B4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3208-24-0x0000000007180000-0x00000000071C4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3208-38-0x0000000007180000-0x00000000071BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3208-40-0x0000000007180000-0x00000000071BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3208-88-0x0000000007180000-0x00000000071BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3208-86-0x0000000007180000-0x00000000071BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3208-62-0x0000000007180000-0x00000000071BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3208-82-0x0000000007180000-0x00000000071BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3208-56-0x0000000007180000-0x00000000071BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3208-78-0x0000000007180000-0x00000000071BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3208-74-0x0000000007180000-0x00000000071BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3208-72-0x0000000007180000-0x00000000071BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3208-70-0x0000000007180000-0x00000000071BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3208-68-0x0000000007180000-0x00000000071BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3208-67-0x0000000007180000-0x00000000071BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3208-934-0x0000000007FC0000-0x0000000007FFC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3208-84-0x0000000007180000-0x00000000071BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3208-933-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3208-80-0x0000000007180000-0x00000000071BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3208-55-0x0000000007180000-0x00000000071BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3208-52-0x0000000007180000-0x00000000071BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3208-50-0x0000000007180000-0x00000000071BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3208-49-0x0000000007180000-0x00000000071BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3208-46-0x0000000007180000-0x00000000071BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3208-44-0x0000000007180000-0x00000000071BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3208-42-0x0000000007180000-0x00000000071BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3208-36-0x0000000007180000-0x00000000071BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3208-34-0x0000000007180000-0x00000000071BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3208-33-0x0000000007180000-0x00000000071BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3208-76-0x0000000007180000-0x00000000071BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3208-60-0x0000000007180000-0x00000000071BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3208-30-0x0000000007180000-0x00000000071BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3208-28-0x0000000007180000-0x00000000071BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3208-26-0x0000000007180000-0x00000000071BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3208-25-0x0000000007180000-0x00000000071BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3208-932-0x0000000007E60000-0x0000000007F6A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3208-931-0x00000000077C0000-0x0000000007DD8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3916-16-0x00007FFF287C3000-0x00007FFF287C5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3916-14-0x00007FFF287C3000-0x00007FFF287C5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3916-15-0x0000000000260000-0x000000000026A000-memory.dmp

    Filesize

    40KB

    Download