Overview

overview

10

Static

static

3

6d19762d9d...69.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 07:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6d19762d9d43d7d688b9969a275df2a20e937370bf20414116ec8e5c7b08d869.exe

  • Size

    530KB

  • MD5

    87b114f3c914721e8c99f22ee9cb372e

  • SHA1

    14540d978e1329ae9b594ced547ade6c456517e6

  • SHA256

    6d19762d9d43d7d688b9969a275df2a20e937370bf20414116ec8e5c7b08d869

  • SHA512

    f76c41972556db81c3f852eecff57ae88356c203c15513be6b37972cf891e4c243c3b45b6c5cc859313eeca52fe14118318019f7fefee5cbed2de77b32bbad51

  • SSDEEP

    12288:BMrWy90h1V2b1WDKVL4hyMmSySjAbHBajeQtqBZX1Npiiyt:nyQXFYkhyYyS9aQ8v1Nvyt

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6d19762d9d43d7d688b9969a275df2a20e937370bf20414116ec8e5c7b08d869.exe
    "C:\Users\Admin\AppData\Local\Temp\6d19762d9d43d7d688b9969a275df2a20e937370bf20414116ec8e5c7b08d869.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPU9761.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPU9761.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1576
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr502002.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr502002.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1488
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku221778.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku221778.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4456

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPU9761.exe
    Filesize

    388KB

    MD5

    c2e8c723dba4de6658e8b136ce1197fe

    SHA1

    8421808249238a2706f0d5a1d120b8261b72db85

    SHA256

    04e19c12d48a08d2d828959fdb2d0540206628d5f235a838b9ad103c14d59266

    SHA512

    d6c1d4d8186bb9e9e335ee971d68d1809900f47d12cd49824280df6e74ccab74fb217c58508a5158b0f71f0569fafa3669017666b7b86daf0291ad5a62575d88

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr502002.exe
    Filesize

    11KB

    MD5

    c9a83a3f2f1378376a56b4ae94089a1d

    SHA1

    beef6c7bebaf471842fc48839fd1fee1b5ff6172

    SHA256

    76a093e26e6d0e82716e8109a10231ce233dbc96c8874109475354982189434a

    SHA512

    524daae0325ba9521d4cb073038c2354f8afff6b22f07591d5ba2bbebd805fad5e19582e59424ae43ab7e838a3dfdb0c0d20c8cf7e420a66f91d0baa03e05e2e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku221778.exe
    Filesize

    354KB

    MD5

    8abe68306473996322d8be7a30b0dcaf

    SHA1

    7dd9fbb21548f8886f51ca93fdafd08fdb52a20d

    SHA256

    d641e5e659603c1bccbb69b71bf3f7955bdec4c7ae3b9ac0b5e28f034be8b9ff

    SHA512

    e5eec6372ae0dd4d624ccf1d41847c650e9ef3dd44bf0c118452cf3c3e926886272e6edf36a0630499b5253d4eda30c4e1b9685ac311aad8749aa1a1798b705a

    Download Submit

  • memory/1488-14-0x00007FFD6EB03000-0x00007FFD6EB05000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1488-15-0x0000000000320000-0x000000000032A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1488-16-0x00007FFD6EB03000-0x00007FFD6EB05000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4456-62-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4456-50-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4456-24-0x0000000007190000-0x00000000071D4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4456-30-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4456-38-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4456-88-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4456-86-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4456-84-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4456-82-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4456-80-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4456-78-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4456-74-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4456-72-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4456-70-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4456-68-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4456-66-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4456-22-0x0000000004AE0000-0x0000000004B26000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4456-60-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4456-58-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4456-56-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4456-55-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4456-23-0x0000000007310000-0x00000000078B4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4456-48-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4456-46-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4456-44-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4456-42-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4456-36-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4456-34-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4456-32-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4456-76-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4456-64-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4456-52-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4456-40-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4456-28-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4456-26-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4456-25-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4456-931-0x00000000079C0000-0x0000000007FD8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4456-932-0x0000000007FE0000-0x00000000080EA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4456-933-0x00000000080F0000-0x0000000008102000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4456-934-0x0000000008110000-0x000000000814C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4456-935-0x0000000008250000-0x000000000829C000-memory.dmp

    Filesize

    304KB

    Download