Overview

overview

10

Static

static

3

96f7a6e37e...46.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 05:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    96f7a6e37ec8eede392563df34208e0a0bf30d5fde1a5b74d679718ba7032b46.exe

  • Size

    537KB

  • MD5

    0627064fb73f91eb79384a2a54e8be1e

  • SHA1

    6fce5e0339d9e7a85984e74778589f02c1ecba1f

  • SHA256

    96f7a6e37ec8eede392563df34208e0a0bf30d5fde1a5b74d679718ba7032b46

  • SHA512

    5a4f7b7d08167f0030582e545d2baca6b0feaff14202fdfbf80f9ed5397cc1094075a210de365be8d639a1228561fe02c2647670ae966166b89cb67ea9d7815b

  • SSDEEP

    12288:YMrjy90qFB/JTqcfUT0EJ0y+5vqFYALBU4q:Ly1FTwTHJeiPK4q

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\96f7a6e37ec8eede392563df34208e0a0bf30d5fde1a5b74d679718ba7032b46.exe
    "C:\Users\Admin\AppData\Local\Temp\96f7a6e37ec8eede392563df34208e0a0bf30d5fde1a5b74d679718ba7032b46.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1152
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTH0223.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTH0223.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4124
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr294775.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr294775.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3044
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku440864.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku440864.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4136

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTH0223.exe
    Filesize

    383KB

    MD5

    7c52beff400a1cb46e7882129737bf7a

    SHA1

    5299d0cc3f539f5b7ac5e086a2edb9861df292c6

    SHA256

    c4a092f0b77442a70c2619d6477d0d76c3a45e51cc77615ed81839aac149460d

    SHA512

    6092a66473d04eb918e814c070d577bb82a1f15fc29884d1cc0be5bc785dc2ab0b777d4a28ebfa2ebf05b1aaba86086af535d60e14d61e3633158e7c15cdf28e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr294775.exe
    Filesize

    13KB

    MD5

    829084929aaf4f6156f1b3e2b97e5c2b

    SHA1

    bed39868ba6cde3e2c0daa1d45c404879b1f3271

    SHA256

    1d706ab5537d13b880103c53eb673e89e7d45389e1907747b643fff2e9453cc5

    SHA512

    36415819bc95076b080cd8bdcbadae057d1a76a8c93bc86d084ba2a8ea83748ce27b5425202188a3e7991fb70928d88cf75f72d9821ca5a8a02f37bc9369945d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku440864.exe
    Filesize

    311KB

    MD5

    da2b1a2afa277b9e1d671f6b954c3442

    SHA1

    753ab3e98060c2b6f669adcef384fb4cdf1c02e9

    SHA256

    f1933ae4675914abca308efbf64da5cda2dc2ad9478121769d0260e2e27d46e1

    SHA512

    3f3577b6432e49fafdd0516b899af28b247fc2a0f2c0fd6f197f275bc1a793c3d83d11f525eb0bdafc72b9b080de53c648c018c249df69bfa52935e4360e6a20

    Download Submit

  • memory/3044-14-0x00007FFF96863000-0x00007FFF96865000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3044-15-0x0000000000920000-0x000000000092A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3044-16-0x00007FFF96863000-0x00007FFF96865000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4136-56-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4136-44-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4136-24-0x0000000004A90000-0x0000000004AD4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4136-48-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4136-58-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4136-86-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4136-84-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4136-82-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4136-80-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4136-78-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4136-76-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4136-72-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4136-70-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4136-68-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4136-66-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4136-64-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4136-22-0x00000000024F0000-0x0000000002536000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4136-54-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4136-52-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4136-50-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4136-46-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4136-23-0x0000000004B80000-0x0000000005124000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4136-42-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4136-40-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4136-36-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4136-34-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4136-32-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4136-88-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4136-74-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4136-62-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4136-60-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4136-38-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4136-30-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4136-28-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4136-26-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4136-25-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4136-931-0x0000000005130000-0x0000000005748000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4136-932-0x0000000005790000-0x000000000589A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4136-933-0x00000000058D0000-0x00000000058E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4136-934-0x00000000058F0000-0x000000000592C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4136-935-0x0000000005A40000-0x0000000005A8C000-memory.dmp

    Filesize

    304KB

    Download