Overview

overview

10

Static

static

3

744414b50c...de.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 09:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    744414b50c123f4ac33617fb6df5089e03d332d6b9a657bdaf8a0a3d8dcf69de.exe

  • Size

    537KB

  • MD5

    f5562d7443b08e30a1ee75e4d73282a9

  • SHA1

    ef9358223c0a4a1fc00cfe94419d89eb4ce9a397

  • SHA256

    744414b50c123f4ac33617fb6df5089e03d332d6b9a657bdaf8a0a3d8dcf69de

  • SHA512

    eddd71f86184bff1ed53759429a04e3e55ae93d22e16e8e1f6f10b17d1aa789d5dc2c7a8e7605ed73c0a44e3f702f25e9d63defb82d94fb7046744e4b8db34b3

  • SSDEEP

    12288:CMr+y90rVWe5JUo7rdW473cSusrUTEHowfU70fHCQJ:4y8VWe5JB7rdHMRsrHIwc727J

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\744414b50c123f4ac33617fb6df5089e03d332d6b9a657bdaf8a0a3d8dcf69de.exe
    "C:\Users\Admin\AppData\Local\Temp\744414b50c123f4ac33617fb6df5089e03d332d6b9a657bdaf8a0a3d8dcf69de.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQv5740.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQv5740.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1728
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr783759.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr783759.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3016
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku466246.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku466246.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:312

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQv5740.exe
    Filesize

    395KB

    MD5

    6e58c2bda50f8e751b0e8b64aa46fe74

    SHA1

    040cc26d517a7cf0c3c5fb60ff98227dd597de1a

    SHA256

    961b402f2a414bdb6eba16ca23f207c9f07cbaae39a41c01d31fa991346c148d

    SHA512

    08c383a48506dabfe702ae304bc86d609a3e066dfd0151304930d1bc8bf82c4ee1d6f72e86d7ba200ec5da12696b349b8c135b91f8c808973619b94d94e24bf3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr783759.exe
    Filesize

    13KB

    MD5

    91a0f39851a625c7a142dd866de7e2d5

    SHA1

    b0712358920b2991d0201a1efdb6ccd5d1de82df

    SHA256

    7aa474077726ec54f428d13b8ca62be5314c347bda0b0cacf84182b9a86c7b3c

    SHA512

    0ebd21d69214dee4c44e9a43dc3839976927ef3a9a3946ffdcb216136f0bc8417d5f011575ef56d949cc9ed1748c3921d9da0bfa7400174436a320f0a9b7f0b3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku466246.exe
    Filesize

    352KB

    MD5

    0759f827221c205aad82a5207f6d6dd9

    SHA1

    70bbfc7467b52814c3918a37ccbebf1808cd5d45

    SHA256

    3b2293bfe77da10c31d66bda4b22b577713b0400e4563c4ced8cde8a3588b58d

    SHA512

    ae9a73a44dff747a9200941b907a474ded85813c176943434edfb0106136603db907ad5f7054f0dd26657c3675a0ebcff2e04951d248c607c6b1e8515bd60b74

    Download Submit

  • memory/312-62-0x0000000002870000-0x00000000028AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/312-22-0x0000000002790000-0x00000000027D6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/312-935-0x0000000005D90000-0x0000000005DDC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/312-58-0x0000000002870000-0x00000000028AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/312-23-0x0000000004FA0000-0x0000000005544000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/312-24-0x0000000002870000-0x00000000028B4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/312-80-0x0000000002870000-0x00000000028AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/312-88-0x0000000002870000-0x00000000028AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/312-86-0x0000000002870000-0x00000000028AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/312-84-0x0000000002870000-0x00000000028AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/312-60-0x0000000002870000-0x00000000028AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/312-78-0x0000000002870000-0x00000000028AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/312-54-0x0000000002870000-0x00000000028AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/312-74-0x0000000002870000-0x00000000028AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/312-72-0x0000000002870000-0x00000000028AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/312-70-0x0000000002870000-0x00000000028AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/312-68-0x0000000002870000-0x00000000028AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/312-66-0x0000000002870000-0x00000000028AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/312-64-0x0000000002870000-0x00000000028AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/312-934-0x0000000004F50000-0x0000000004F8C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/312-82-0x0000000002870000-0x00000000028AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/312-933-0x0000000004F30000-0x0000000004F42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/312-76-0x0000000002870000-0x00000000028AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/312-52-0x0000000002870000-0x00000000028AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/312-50-0x0000000002870000-0x00000000028AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/312-48-0x0000000002870000-0x00000000028AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/312-46-0x0000000002870000-0x00000000028AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/312-42-0x0000000002870000-0x00000000028AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/312-40-0x0000000002870000-0x00000000028AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/312-38-0x0000000002870000-0x00000000028AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/312-36-0x0000000002870000-0x00000000028AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/312-34-0x0000000002870000-0x00000000028AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/312-32-0x0000000002870000-0x00000000028AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/312-30-0x0000000002870000-0x00000000028AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/312-56-0x0000000002870000-0x00000000028AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/312-44-0x0000000002870000-0x00000000028AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/312-28-0x0000000002870000-0x00000000028AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/312-26-0x0000000002870000-0x00000000028AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/312-25-0x0000000002870000-0x00000000028AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/312-931-0x0000000005550000-0x0000000005B68000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/312-932-0x0000000005B70000-0x0000000005C7A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3016-16-0x00007FFDCEBD3000-0x00007FFDCEBD5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3016-14-0x00007FFDCEBD3000-0x00007FFDCEBD5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3016-15-0x0000000000D80000-0x0000000000D8A000-memory.dmp

    Filesize

    40KB

    Download