Overview

overview

10

Static

static

3

d1489cd8d8...b7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 08:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d1489cd8d816756dfb192babc9debffa8d81208df83500d4e962b8419c07bdb7.exe

  • Size

    659KB

  • MD5

    7c52f0041ab2f87b43c4e263e4fd89e3

  • SHA1

    a68813a8f7f40e75e0757234e01ecda65da4f9af

  • SHA256

    d1489cd8d816756dfb192babc9debffa8d81208df83500d4e962b8419c07bdb7

  • SHA512

    0d6f761099cb6cfcd4ba74523ffdc60327715bdc01fc7d717c2e366417e7a1266703f4a578b33651a69431184854c0d1a5f7f7ca9a97c34e12a35f9bc41e8207

  • SSDEEP

    12288:4MrOy90e0CHa+LpdTkmDlotDrxeE7BGyjU17of5KVa//mVzEbaJ4A/E4:my0MndAlBQyjU1QAymVAbaJ434

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d1489cd8d816756dfb192babc9debffa8d81208df83500d4e962b8419c07bdb7.exe
    "C:\Users\Admin\AppData\Local\Temp\d1489cd8d816756dfb192babc9debffa8d81208df83500d4e962b8419c07bdb7.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un690051.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un690051.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3956
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1090.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1090.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1652
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 1088
          4⤵
          • Program crash
          PID:908
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5491.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5491.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:508
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1652 -ip 1652
    1⤵
      PID:4724

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un690051.exe
      Filesize

      518KB

      MD5

      e66b2ae4062a0787e1af171a2638ef06

      SHA1

      12e54a0541e09879f6c9187590315660a01c746d

      SHA256

      fe3ee6b71b8f38e0237a4cda1aa46132dbcfd6d2be431ee96d31082972b0c248

      SHA512

      b65548a1b50c0ed3223f2515285f669ac55bedcda81f092500a1bcf546f8bc3844263caee580f05e6c76bf51af00370c76bf92846a11802814645557da04af00

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1090.exe
      Filesize

      376KB

      MD5

      d30541dcf9634d3500361c4e7c82ea9c

      SHA1

      a3cc77a3642bf9d5acdefdd779fd7975a796d81f

      SHA256

      eca91ecf41e821240a12e6ee8e844e551191566651e376b80e7f3608a1f382fe

      SHA512

      8047437db4c77b4c15171752d5dd5ebfadeca5fcb164d10a850824015fcc29f0c49faf844392c6a98eeaedfd7be2405cf7441d2e304cabb4a20a9d1893d1f27c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5491.exe
      Filesize

      434KB

      MD5

      07c4895f4f37864079bf1a12f619060b

      SHA1

      86710b80ac3e8bf415402c763a7a11ba8e953d71

      SHA256

      5e54efbae2067cac9801fadae706e1af9f597f6a7b9f967b5acf78a93678eeb2

      SHA512

      3e24e25ac9ef43666ebb9181010500265fb46b22a77c1d5d9060be58082fe19661137cc53cab4418d5c5a58ae3a6bfe89148154c1535f30e63f77e15046e331e

      Download Submit

    • memory/508-90-0x0000000004B90000-0x0000000004BCF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/508-94-0x0000000004B90000-0x0000000004BCF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/508-970-0x0000000005890000-0x000000000599A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/508-969-0x0000000005240000-0x0000000005858000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/508-74-0x0000000004B90000-0x0000000004BCF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/508-79-0x0000000004B90000-0x0000000004BCF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/508-80-0x0000000004B90000-0x0000000004BCF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/508-82-0x0000000004B90000-0x0000000004BCF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/508-84-0x0000000004B90000-0x0000000004BCF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/508-88-0x0000000004B90000-0x0000000004BCF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/508-972-0x00000000059F0000-0x0000000005A2C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/508-973-0x0000000005B40000-0x0000000005B8C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/508-92-0x0000000004B90000-0x0000000004BCF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/508-971-0x00000000059D0000-0x00000000059E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/508-96-0x0000000004B90000-0x0000000004BCF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/508-63-0x0000000004B90000-0x0000000004BCF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/508-64-0x0000000004B90000-0x0000000004BCF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/508-66-0x0000000004B90000-0x0000000004BCF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/508-76-0x0000000004B90000-0x0000000004BCF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/508-86-0x0000000004B90000-0x0000000004BCF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/508-70-0x0000000004B90000-0x0000000004BCF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/508-72-0x0000000004B90000-0x0000000004BCF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/508-68-0x0000000004B90000-0x0000000004BCF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/508-62-0x0000000004B90000-0x0000000004BD4000-memory.dmp

      Filesize

      272KB

      Download

    • memory/508-61-0x0000000002670000-0x00000000026B6000-memory.dmp

      Filesize

      280KB

      Download

    • memory/1652-43-0x00000000024F0000-0x0000000002502000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1652-55-0x0000000000400000-0x00000000005A3000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1652-56-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1652-52-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1652-51-0x0000000000630000-0x000000000065D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/1652-50-0x0000000000700000-0x0000000000800000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1652-25-0x00000000024F0000-0x0000000002502000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1652-27-0x00000000024F0000-0x0000000002502000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1652-29-0x00000000024F0000-0x0000000002502000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1652-31-0x00000000024F0000-0x0000000002502000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1652-33-0x00000000024F0000-0x0000000002502000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1652-23-0x00000000024F0000-0x0000000002502000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1652-35-0x00000000024F0000-0x0000000002502000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1652-37-0x00000000024F0000-0x0000000002502000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1652-39-0x00000000024F0000-0x0000000002502000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1652-41-0x00000000024F0000-0x0000000002502000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1652-45-0x00000000024F0000-0x0000000002502000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1652-48-0x00000000024F0000-0x0000000002502000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1652-49-0x00000000024F0000-0x0000000002502000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1652-22-0x00000000024F0000-0x0000000002502000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1652-21-0x00000000024F0000-0x0000000002508000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1652-20-0x0000000004C20000-0x00000000051C4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1652-19-0x00000000009A0000-0x00000000009BA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1652-18-0x0000000000400000-0x00000000005A3000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1652-17-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1652-16-0x0000000000630000-0x000000000065D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/1652-15-0x0000000000700000-0x0000000000800000-memory.dmp

      Filesize

      1024KB

      Download