Overview

overview

10

Static

static

3

c64c7b15c0...04.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 22:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c64c7b15c097ac6ad81c3385a74056207641af72f622c2e26ed0bb717cdbc604.exe

  • Size

    534KB

  • MD5

    70638821565c907bc1b6ea35a5696dfc

  • SHA1

    edcf13b873d1ab30cd86187d8671cfdda7b28dfc

  • SHA256

    c64c7b15c097ac6ad81c3385a74056207641af72f622c2e26ed0bb717cdbc604

  • SHA512

    852ea94cc95c96b7a9931f42f883923d54d112d6405237e16f0b800f1d8c83733ecd4abfc76df77b0f153a3ac2a22c7874e266bb6b74c8cf95c98cf580bddeff

  • SSDEEP

    12288:SMroy90dGfOoq3BehyfCmXgjzcbOWr8BwdgrRm4:OySGM3BehyfCagjzUOyuwdcB

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c64c7b15c097ac6ad81c3385a74056207641af72f622c2e26ed0bb717cdbc604.exe
    "C:\Users\Admin\AppData\Local\Temp\c64c7b15c097ac6ad81c3385a74056207641af72f622c2e26ed0bb717cdbc604.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziwz7586.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziwz7586.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1028
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr698655.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr698655.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1572
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku494061.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku494061.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3520

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziwz7586.exe
    Filesize

    392KB

    MD5

    c842580e842fa6240a70fca959f95a0c

    SHA1

    190029f3513655f5b7b5042638e0157fd287d37b

    SHA256

    d715245312b45e93f14709af8d624777902ec619bd7506a7a0c2679c09fe8aec

    SHA512

    3880331881eb06f51e34477be321c9703d9a2da97d552f2b9bd438b7971adcd1d5c54d68da0941402c35af668a138784cc3df8747da845de43c29ae586b8f899

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr698655.exe
    Filesize

    11KB

    MD5

    c8513b7d53039b9d62cb051dd02a8cd7

    SHA1

    0ec1c124f4f850d5bddbe50687a5f478595cda72

    SHA256

    3e6473d3a412ee4e5c80b11f83a429838adb35fee674f62a0a32359fa59c1aac

    SHA512

    fc36e00caa8df16fc91b5b4500f2d712a9cda35fbb2a998b30cb49b99b9cb6a77cd5b3bf67d10e5cbb09ac8540f7cedc598b5f808fa0faa1d0dd3b158aaea096

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku494061.exe
    Filesize

    319KB

    MD5

    8e2677758f082a918a8408cec0d10b89

    SHA1

    dad70289d6865fc55bfb12b3da53cf7251aa4674

    SHA256

    05ceb47cf010fc20f785f0a4a5be6c6c95e348b8812e36adf880bd9d7cf1463b

    SHA512

    ad10ca4b4a3558cd76ad4c46f767d8962cf63af52c6a5d9fe3cdc21bf03aadc869333d0b233697d02472953689ed1c5454e1ae8b1bcb1848d6e0fadf4fe0b6fc

    Download Submit

  • memory/1572-14-0x00007FFE567A3000-0x00007FFE567A5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1572-15-0x0000000000240000-0x000000000024A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1572-16-0x00007FFE567A3000-0x00007FFE567A5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3520-72-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3520-60-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3520-24-0x0000000004AB0000-0x0000000004AF4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3520-25-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3520-88-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3520-64-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3520-54-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3520-40-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3520-26-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3520-86-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3520-84-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3520-82-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3520-80-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3520-78-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3520-77-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3520-74-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3520-22-0x0000000002590000-0x00000000025D6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3520-70-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3520-68-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3520-66-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3520-62-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3520-23-0x0000000004B90000-0x0000000005134000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3520-58-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3520-57-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3520-52-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3520-50-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3520-48-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3520-46-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3520-44-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3520-42-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3520-38-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3520-36-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3520-34-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3520-32-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3520-30-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3520-28-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3520-931-0x0000000005240000-0x0000000005858000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3520-932-0x00000000058C0000-0x00000000059CA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3520-933-0x0000000005A00000-0x0000000005A12000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3520-934-0x0000000005A20000-0x0000000005A5C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3520-935-0x0000000005B70000-0x0000000005BBC000-memory.dmp

    Filesize

    304KB

    Download