Overview

overview

10

Static

static

3

cc08490621...76.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 22:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cc0849062132b09b0525f8ce66debc8d04d91d90a9f8c040994893b5ea8ffa76.exe

  • Size

    690KB

  • MD5

    be9b041e2130c6e1581b48aa1324bbef

  • SHA1

    eafff7350f613c9ea9b7df9a089dd91ce53c9355

  • SHA256

    cc0849062132b09b0525f8ce66debc8d04d91d90a9f8c040994893b5ea8ffa76

  • SHA512

    63f155964ca5d241853582ca72e70a98a7b991ad6cfd2e59a3ec31454cbc9c0396382a5ff8150a788896ba7509f911573153549352fc9451e50e7b4a18958d95

  • SSDEEP

    12288:1Mrky90mqxoQSYzGH8TmKNdCEsVh5R7MiEgHFKduhXNx8tcLrXGWBqsGoL:xyO1ShymSFOhLtFlxdx8tcvFGoL

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cc0849062132b09b0525f8ce66debc8d04d91d90a9f8c040994893b5ea8ffa76.exe
    "C:\Users\Admin\AppData\Local\Temp\cc0849062132b09b0525f8ce66debc8d04d91d90a9f8c040994893b5ea8ffa76.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un852770.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un852770.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3408
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1945.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1945.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3048
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 1080
          4⤵
          • Program crash
          PID:1340
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3602.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3602.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1640
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3048 -ip 3048
    1⤵
      PID:5116

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un852770.exe
      Filesize

      536KB

      MD5

      f8ccf58b0ad3ff1b6a3749c124b8f97f

      SHA1

      b31c2827e5df5d129c49b1975cd3f9fd9b36f23f

      SHA256

      08e1a183c91be8469c03b586e5c32a2237e1f6a345c60568e6f810ef946a46de

      SHA512

      c14f4a9a0878777074010031cab852698d57d98c926bc5419a61c2c725bed7a9ca492d8d5a36050924e4e84126ddf7a27b6048122c8c94a98ba123dcc0b4cfd1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1945.exe
      Filesize

      312KB

      MD5

      cc951d78426183f650c53c856233715e

      SHA1

      39c3330972f5b3420e64d9ab6c7221d5db900cbf

      SHA256

      66ba050688d3c2b9ed13549aefe77fa06622842cc8e1bc0ff95fdf9e53229885

      SHA512

      979f1d7d9b97f96ab4cb03d2f480c481bb2bbb5e5dddc57438d5cc405f65f80091cef13b571ddf30a3c56612566e0ab05b88c3bd376ce78877463d4426dfb408

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3602.exe
      Filesize

      370KB

      MD5

      eefe8b23ad257f2720f90745d10edeca

      SHA1

      ef4f9869859db7f249ae0a0bf1e8df90bc8b1188

      SHA256

      e964eabb260575edd11e43c4b2f20083509bb617058364d59d4133427bb666d3

      SHA512

      d2433ef006c20df28e7f9bfe71850af8e0e94063b3edc2e672e8ff655059feb026c110656e2b687f644c04a8883b1bd63bf6a2eddc5a1e007941e340e89cca6b

      Download Submit

    • memory/1640-74-0x00000000053C0000-0x00000000053FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1640-78-0x00000000053C0000-0x00000000053FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1640-970-0x0000000005AF0000-0x0000000005BFA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1640-969-0x0000000005450000-0x0000000005A68000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1640-63-0x00000000053C0000-0x00000000053FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1640-64-0x00000000053C0000-0x00000000053FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1640-82-0x00000000053C0000-0x00000000053FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1640-66-0x00000000053C0000-0x00000000053FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1640-68-0x00000000053C0000-0x00000000053FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1640-72-0x00000000053C0000-0x00000000053FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1640-972-0x0000000005C50000-0x0000000005C8C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1640-973-0x0000000005DE0000-0x0000000005E2C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1640-76-0x00000000053C0000-0x00000000053FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1640-971-0x0000000005C30000-0x0000000005C42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1640-80-0x00000000053C0000-0x00000000053FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1640-84-0x00000000053C0000-0x00000000053FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1640-86-0x00000000053C0000-0x00000000053FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1640-88-0x00000000053C0000-0x00000000053FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1640-90-0x00000000053C0000-0x00000000053FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1640-93-0x00000000053C0000-0x00000000053FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1640-94-0x00000000053C0000-0x00000000053FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1640-96-0x00000000053C0000-0x00000000053FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1640-70-0x00000000053C0000-0x00000000053FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1640-62-0x00000000053C0000-0x0000000005404000-memory.dmp

      Filesize

      272KB

      Download

    • memory/1640-61-0x00000000029D0000-0x0000000002A16000-memory.dmp

      Filesize

      280KB

      Download

    • memory/3048-41-0x0000000002A60000-0x0000000002A72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3048-56-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3048-55-0x0000000000400000-0x0000000000802000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/3048-52-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3048-51-0x0000000002340000-0x000000000236D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/3048-50-0x0000000000880000-0x0000000000980000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3048-22-0x0000000002A60000-0x0000000002A72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3048-23-0x0000000002A60000-0x0000000002A72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3048-25-0x0000000002A60000-0x0000000002A72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3048-27-0x0000000002A60000-0x0000000002A72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3048-29-0x0000000002A60000-0x0000000002A72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3048-31-0x0000000002A60000-0x0000000002A72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3048-33-0x0000000002A60000-0x0000000002A72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3048-35-0x0000000002A60000-0x0000000002A72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3048-38-0x0000000002A60000-0x0000000002A72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3048-40-0x0000000002A60000-0x0000000002A72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3048-43-0x0000000002A60000-0x0000000002A72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3048-45-0x0000000002A60000-0x0000000002A72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3048-47-0x0000000002A60000-0x0000000002A72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3048-49-0x0000000002A60000-0x0000000002A72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3048-21-0x0000000002A60000-0x0000000002A78000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3048-20-0x0000000004EF0000-0x0000000005494000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3048-19-0x00000000027D0000-0x00000000027EA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3048-18-0x0000000000400000-0x0000000000802000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/3048-17-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3048-16-0x0000000002340000-0x000000000236D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/3048-15-0x0000000000880000-0x0000000000980000-memory.dmp

      Filesize

      1024KB

      Download