Overview

overview

10

Static

static

3

d4d1c7d251...c1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 21:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d4d1c7d251e85dab29f24c22925fce5865f567d75062d1449ddc43d3371c06c1.exe

  • Size

    530KB

  • MD5

    65280c80b187aeaed95ba826c2cb1dbd

  • SHA1

    66a4be35e652ca382a1be84c3ce09d81b2e777aa

  • SHA256

    d4d1c7d251e85dab29f24c22925fce5865f567d75062d1449ddc43d3371c06c1

  • SHA512

    aa1d6a5e94775f7529b02bd89a8982ae1c204f6f72479aa1f952c7ca9b328cc99e3203fa09cb1299b73079a0be0646917cdbeb99befc8d2ff81e12b3a818c3e3

  • SSDEEP

    12288:YMrMy90LdC5eoh99gFnXif5KXa/89VJ8YumeVlgPe:kyhZhbi6A/ZHJPe

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4d1c7d251e85dab29f24c22925fce5865f567d75062d1449ddc43d3371c06c1.exe
    "C:\Users\Admin\AppData\Local\Temp\d4d1c7d251e85dab29f24c22925fce5865f567d75062d1449ddc43d3371c06c1.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1324
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihS2526.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihS2526.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2640
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr772402.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr772402.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5008
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku076485.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku076485.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4160

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihS2526.exe
    Filesize

    388KB

    MD5

    4b4ae921987b244a8684eb2207c769b2

    SHA1

    f54ad4f1fe7bad66e016295b48d67dec9a52beb3

    SHA256

    c70efe6980e1793de8fb64d2a2825475680993ad5b88cb465d769e534ad55457

    SHA512

    7f0237c89e1dbc33df96b8acf2a54b0d1fa40330207ada8e7f8e9b0213009417385535096be93d6aaf5bfb36f4a7d7a590202a7b7b2e40ed78d867a1b51398c0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr772402.exe
    Filesize

    11KB

    MD5

    368ec0124c9665b519d34c1595b7b317

    SHA1

    a54a0445f5e0821c7aeba60abc0d98d29e83d130

    SHA256

    d33022bb2b433c20feb369fa8d24e3dcb617ebc58a4c55c986403c9b5669a6b4

    SHA512

    5a1ecaf9d8f769b1b90d2977c346dbad8ea11a8e1e7b34de4b35e7486f18353df36946e81d3441fe17cae7ad7616d09cf0ab60bc26c567e40178e91b528264bb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku076485.exe
    Filesize

    434KB

    MD5

    052c44cab8569bbd3be88ba8ecb7e65c

    SHA1

    827cf2c8223140f648268e5dc4d20fd7047ae3c0

    SHA256

    57ac5feb911aaeade064805fd0e133e027dc763fffb96c48a4824107000df3a4

    SHA512

    e426709b27a694689ead09b8aa9d6d03e859cc54f0df4dfcc9e650260403aa13d9c173a83e8b813a28f1fef64bd2461bc7b72670952d925a2791ac8e6cdd188a

    Download Submit

  • memory/4160-72-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4160-22-0x00000000023A0000-0x00000000023E6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4160-935-0x0000000005C90000-0x0000000005CDC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4160-68-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4160-23-0x0000000004D70000-0x0000000005314000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4160-24-0x00000000028A0000-0x00000000028E4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4160-30-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4160-28-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4160-26-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4160-25-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4160-70-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4160-88-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4160-64-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4160-84-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4160-83-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4160-80-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4160-79-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4160-76-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4160-74-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4160-934-0x0000000005B50000-0x0000000005B8C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4160-40-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4160-933-0x0000000004D20000-0x0000000004D32000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4160-86-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4160-62-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4160-60-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4160-54-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4160-52-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4160-50-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4160-46-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4160-44-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4160-42-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4160-38-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4160-36-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4160-34-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4160-32-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4160-66-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4160-58-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4160-57-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4160-48-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4160-931-0x0000000005420000-0x0000000005A38000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4160-932-0x0000000005A40000-0x0000000005B4A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/5008-17-0x00007FFFABFC3000-0x00007FFFABFC5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/5008-14-0x00007FFFABFC3000-0x00007FFFABFC5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/5008-15-0x0000000000D10000-0x0000000000D1A000-memory.dmp

    Filesize

    40KB

    Download