Overview

overview

10

Static

static

3

a7992dea84...3c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 05:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a7992dea8496beacf6ae729b4de36942b928c0110d1ab15db6e1bd5e02fdcd3c.exe

  • Size

    548KB

  • MD5

    13489517561afabc7a532de87aca0ec7

  • SHA1

    d41f94b028c9aa79636546e8207d49b9189dcaae

  • SHA256

    a7992dea8496beacf6ae729b4de36942b928c0110d1ab15db6e1bd5e02fdcd3c

  • SHA512

    9754ec3c184948c13206fe546ea54f32f047471e75055e32db9e14a3bcce611c574c7799f955fc711f86242f3039eff01421ba42bcd1221c1462f3d6e6a3c2af

  • SSDEEP

    12288:dMrNy90zUw8HLUR2+RBHiKvREwpij8iGi8WCIDRNPM28XlYhf:gybweUR2itilwpijB9o2gahf

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a7992dea8496beacf6ae729b4de36942b928c0110d1ab15db6e1bd5e02fdcd3c.exe
    "C:\Users\Admin\AppData\Local\Temp\a7992dea8496beacf6ae729b4de36942b928c0110d1ab15db6e1bd5e02fdcd3c.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1420
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirz0276.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirz0276.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3128
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr855312.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr855312.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3960
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku656003.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku656003.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3336

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirz0276.exe
    Filesize

    395KB

    MD5

    f7b719a5db064eddbc330f6dbcba66ac

    SHA1

    42f8a5d28ce90187815aa6d64d61cee26fdc7bc2

    SHA256

    192cf8ff27077a193debde279cf1d9fc252e0bb78fc847e81ad9cb24e0e95857

    SHA512

    628778edd8e518de24e6a2e1ca0a2a7bf55e5992e2ab975489ba8fe42e50d80a8ca78392b2944048b3bbe1e45ccbadcfa9f4cbbf4ee64f82ee5dd7b6509f0806

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr855312.exe
    Filesize

    11KB

    MD5

    10b1d836c2aff2f058636c0902c924aa

    SHA1

    cee6659e4f9f41f228f053905969e59a3db320cf

    SHA256

    7bfdb27dc61d2da28e22213b80d4697a2deaa7a85632ff335fa7657bcaa696ed

    SHA512

    513c9e1e513e72ce630d227d4425bb75fb63db77bc7f0b3e9db933d22aa12b257d060dba31900670f85339f855b34fe900e8a3f5055cc84d6e51322aa4423d41

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku656003.exe
    Filesize

    348KB

    MD5

    3c4ed7af5ea885fc1610c0ae38666655

    SHA1

    3de28408e9745e19d18a4be4835a42265dceb49a

    SHA256

    5452f72b42b9581b90e84d77ba6a68c77351992f2762ddd95fd8861b7a06b32c

    SHA512

    a40c1d616eb5e77e352c38603cc399efabc27e15a5aea3a06b819baf356b1be5a7a04e34c6575d115b58a7f8807e09705729b6f975a815e756f24c221962c89c

    Download Submit

  • memory/3336-61-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3336-22-0x0000000004E80000-0x0000000005424000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3336-21-0x00000000028B0000-0x00000000028F6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3336-57-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3336-23-0x0000000004DE0000-0x0000000004E24000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3336-25-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3336-39-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3336-88-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3336-85-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3336-83-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3336-81-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3336-79-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3336-77-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3336-75-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3336-73-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3336-55-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3336-67-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3336-65-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3336-63-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3336-934-0x0000000005DC0000-0x0000000005E0C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3336-933-0x0000000005C80000-0x0000000005CBC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3336-59-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3336-71-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3336-53-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3336-51-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3336-49-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3336-45-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3336-43-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3336-41-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3336-38-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3336-35-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3336-33-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3336-31-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3336-29-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3336-27-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3336-70-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3336-47-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3336-24-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3336-930-0x0000000005440000-0x0000000005A58000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3336-931-0x0000000005AE0000-0x0000000005BEA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3336-932-0x0000000005C20000-0x0000000005C32000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3960-15-0x0000000000180000-0x000000000018A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3960-14-0x00007FFDBC963000-0x00007FFDBC965000-memory.dmp

    Filesize

    8KB

    Download