Overview

overview

10

Static

static

3

4da138de8b...6c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 22:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4da138de8bf9c95b25eed52e7738aa41d497fc1eb08ad6beb62de1309e09d36c.exe

  • Size

    696KB

  • MD5

    760db1c7e47f33fd7929f5cccf2a50cd

  • SHA1

    9a1afa6fb14608aeb26cc1e82bb33aaf22641ff0

  • SHA256

    4da138de8bf9c95b25eed52e7738aa41d497fc1eb08ad6beb62de1309e09d36c

  • SHA512

    3314022c16e9913fbbf8b2c22d738ca6a7fcfef65c8146797f27ad67d4acda5fcf9588fcb2b54896921304cd6991752873867c094a9924843028d61435fa74b4

  • SSDEEP

    12288:uMrwy90CfH0dLgueLtDm2itDWPz4V46tKIDdYM3WdSRXxCLvFHU3qba:+yZELheLtDmvtv66bDCaXGpUn

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4da138de8bf9c95b25eed52e7738aa41d497fc1eb08ad6beb62de1309e09d36c.exe
    "C:\Users\Admin\AppData\Local\Temp\4da138de8bf9c95b25eed52e7738aa41d497fc1eb08ad6beb62de1309e09d36c.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4408
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un209487.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un209487.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3268
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5617.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5617.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2340
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 1012
          4⤵
          • Program crash
          PID:1908
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2655.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2655.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1484
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2340 -ip 2340
    1⤵
      PID:4696
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start wuauserv
      1⤵
      • Launches sc.exe
      PID:1600

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un209487.exe
      Filesize

      554KB

      MD5

      6babfbd0258ddcab1529ed21f6122237

      SHA1

      43d73550dd54ee07703ff4cae4a5fdbb4ee1f32f

      SHA256

      55ce5b6495d159f02afaddec5932fe2cfa6f23272aa6d50b28106dde5cb33199

      SHA512

      62b4e0c08d2bb9b29513a7e823d23b4fc5602d51d38f24914745ced9086d563d70dcba1ecc4e1650b7eff5e89c7444db418f4a031e8ee40a1bddda7cad7f094b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5617.exe
      Filesize

      345KB

      MD5

      010d718cf36cd555ba2fc1d903beb629

      SHA1

      029bb78a52158f746aedb04d903ced4d0cb0245f

      SHA256

      72cd57d29876562186985c100c2654f7109febbe26dee238050ee5adce405cbd

      SHA512

      85e52ed555155ff3d64b99cf127a3dd305b531350ea4c7d0639b8650374031c6d05d39fff3adb31a2ffd59cd211dd63406651f732235be6232e75d1e8f5ebf47

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2655.exe
      Filesize

      403KB

      MD5

      00c084651522511143ffaa5899512069

      SHA1

      547fd2d1016fdc54caa4af10e4e0021f26a4fad1

      SHA256

      5b2f7272f44d62aa47bca92f5a9b36eab466b765f4a30bb55ffe0aef582e18c4

      SHA512

      c783fe5115ae449f76305e8e858c5621280a7029ae9a192eabd333d34dded512151010de983cac2de5e3bc2a9b64bd946b743e7cbba1eb7252daa6872d78fbcf

      Download Submit

    • memory/1484-75-0x0000000004E60000-0x0000000004E9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1484-81-0x0000000004E60000-0x0000000004E9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1484-969-0x0000000007290000-0x000000000739A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1484-968-0x00000000079B0000-0x0000000007FC8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1484-62-0x0000000004E60000-0x0000000004E9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1484-65-0x0000000004E60000-0x0000000004E9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1484-67-0x0000000004E60000-0x0000000004E9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1484-69-0x0000000004E60000-0x0000000004E9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1484-71-0x0000000004E60000-0x0000000004E9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1484-73-0x0000000004E60000-0x0000000004E9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1484-971-0x0000000007FD0000-0x000000000800C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1484-972-0x0000000008120000-0x000000000816C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1484-79-0x0000000004E60000-0x0000000004E9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1484-970-0x00000000073D0000-0x00000000073E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1484-84-0x0000000004E60000-0x0000000004E9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1484-85-0x0000000004E60000-0x0000000004E9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1484-88-0x0000000004E60000-0x0000000004E9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1484-89-0x0000000004E60000-0x0000000004E9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1484-91-0x0000000004E60000-0x0000000004E9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1484-93-0x0000000004E60000-0x0000000004E9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1484-95-0x0000000004E60000-0x0000000004E9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1484-78-0x0000000004E60000-0x0000000004E9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1484-63-0x0000000004E60000-0x0000000004E9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1484-61-0x0000000004E60000-0x0000000004EA4000-memory.dmp

      Filesize

      272KB

      Download

    • memory/1484-60-0x0000000004940000-0x0000000004986000-memory.dmp

      Filesize

      280KB

      Download

    • memory/2340-40-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2340-54-0x0000000000400000-0x0000000002B83000-memory.dmp

      Filesize

      39.5MB

      Download

    • memory/2340-55-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2340-51-0x0000000000400000-0x0000000002B83000-memory.dmp

      Filesize

      39.5MB

      Download

    • memory/2340-52-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2340-50-0x0000000004570000-0x000000000459D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2340-49-0x0000000002E30000-0x0000000002F30000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2340-21-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2340-38-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2340-22-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2340-24-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2340-26-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2340-28-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2340-33-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2340-34-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2340-36-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2340-42-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2340-44-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2340-46-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2340-48-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2340-30-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2340-20-0x0000000004BA0000-0x0000000004BB8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2340-19-0x00000000071E0000-0x0000000007784000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2340-18-0x00000000049B0000-0x00000000049CA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2340-17-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2340-16-0x0000000004570000-0x000000000459D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2340-15-0x0000000002E30000-0x0000000002F30000-memory.dmp

      Filesize

      1024KB

      Download