Overview

overview

10

Static

static

3

89bafa3ab3...04.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 07:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    89bafa3ab3e46c3cd892d45969d0cf489fb61391ffaca45700d289764a10b504.exe

  • Size

    531KB

  • MD5

    bffe70b3ecf5c24cd2ec0c91ecab3422

  • SHA1

    3a6aab8d98f9c191bf1d2fe5ae6208eac220a9b8

  • SHA256

    89bafa3ab3e46c3cd892d45969d0cf489fb61391ffaca45700d289764a10b504

  • SHA512

    32521a4d68ca09b4f5ac0ffedb3abd28240245c4f4f61b0b91793f7939d7ae9b7cb99ef223a918d0542896b9c22934888346f9495dd31fa9aa6e2ebe1f21de5d

  • SSDEEP

    12288:dMr2y90TcB7r9SzPntpRA87yOt3Vu3BzDGtzrjGQaqBPEkjGmB3HATpwEDR:fyYi7xGjvPfuxqHSQpZTFHATpvd

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\89bafa3ab3e46c3cd892d45969d0cf489fb61391ffaca45700d289764a10b504.exe
    "C:\Users\Admin\AppData\Local\Temp\89bafa3ab3e46c3cd892d45969d0cf489fb61391ffaca45700d289764a10b504.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4120
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqj7578.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqj7578.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1620
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr910997.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr910997.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4608
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku440871.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku440871.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3104
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:5132

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqj7578.exe
    Filesize

    388KB

    MD5

    ede5786566f7827ab4cfeb1fdf70a8af

    SHA1

    66ec39972e77ef0d5d55fa56e2cf9de35d16cfe6

    SHA256

    4782148e01ea0bfb09179fedfc97d73cbf7aa905611eb34d45bec6907344b2a1

    SHA512

    7e047f8d1aea810ae541069a3f34df698f207a255e4d54de8ad1aea45a8626b6c7fae8539415527bb546e4352e27fa3c06fe0039758013b662567ea50fb01306

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr910997.exe
    Filesize

    11KB

    MD5

    358797598278bc3cfae06b21e2c5f516

    SHA1

    202ca79189c6a5c63b573673e39c1b703a6fff2f

    SHA256

    980256c27e7663e2562edb2b916697ecf59b4888a2a09510df50093ffe9fba86

    SHA512

    a07c977dfac2d87b9d69387bb06b9159fd81cbcddbe8f2d649e4ea9e52434597440bfc1e049890cc08b793b30fe84708ab0890db66f89dc73794aeb6e94e3f86

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku440871.exe
    Filesize

    354KB

    MD5

    0557576895e4d8a29705153454f3c2e3

    SHA1

    d41d5e51b14e59f6f5248ddacb17e8e5cf19b598

    SHA256

    67a1acd76cd1807a8bbb7f7f10e92f09a545dc710a26e598601a1041c8404d8b

    SHA512

    a3d7bbcdf8585920f36d0e7ec65ef778b4d53bcf6d3e4f2aeacf16b6b97b8b6e82ec220a0ad437399ef547a278045a6787ac4d33d3e35f98b705534d4679bac2

    Download Submit

  • memory/3104-64-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3104-22-0x0000000004D60000-0x0000000004DA6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3104-935-0x0000000008110000-0x000000000815C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3104-60-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3104-23-0x0000000007220000-0x00000000077C4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3104-24-0x00000000071A0000-0x00000000071E4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3104-34-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3104-38-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3104-88-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3104-87-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3104-62-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3104-82-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3104-58-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3104-78-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3104-76-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3104-72-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3104-70-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3104-69-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3104-66-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3104-934-0x0000000007FC0000-0x0000000007FFC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3104-84-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3104-933-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3104-80-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3104-56-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3104-54-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3104-50-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3104-48-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3104-46-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3104-44-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3104-42-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3104-40-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3104-36-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3104-74-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3104-52-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3104-32-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3104-30-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3104-28-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3104-26-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3104-25-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3104-931-0x00000000077D0000-0x0000000007DE8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3104-932-0x0000000007E60000-0x0000000007F6A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4608-16-0x00007FFC6DCE3000-0x00007FFC6DCE5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4608-14-0x00007FFC6DCE3000-0x00007FFC6DCE5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4608-15-0x0000000000830000-0x000000000083A000-memory.dmp

    Filesize

    40KB

    Download