Overview

overview

10

Static

static

3

95d69bd406...fc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 10:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    95d69bd4060f152d8f73e81419f868d203c2561f900a62ec5abe158f43c49efc.exe

  • Size

    700KB

  • MD5

    fedfd81e5b8bba4b330f5746747c194d

  • SHA1

    b66954d5fd3e10d634a2b0eaf66d51e0a3b6ffe2

  • SHA256

    95d69bd4060f152d8f73e81419f868d203c2561f900a62ec5abe158f43c49efc

  • SHA512

    50bcae607fe8f7db5fcf89c4272bae09e8794e4e5e98392aff5f6e798de44fd56209d190124b50c434cec4a8bdb911e6c9ee473a67bc3d5c1ac799c008f7bda3

  • SSDEEP

    12288:TMrZy90bwi++S1nUcP33ZC9DMJcA6GNTqlNTQ4pD1tu606OQ3X:qyR1nU03p6Eq/lD1U83X

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\95d69bd4060f152d8f73e81419f868d203c2561f900a62ec5abe158f43c49efc.exe
    "C:\Users\Admin\AppData\Local\Temp\95d69bd4060f152d8f73e81419f868d203c2561f900a62ec5abe158f43c49efc.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4068
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un660355.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un660355.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4844
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5437.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5437.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3052
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 1080
          4⤵
          • Program crash
          PID:376
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5886.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5886.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4448
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3052 -ip 3052
    1⤵
      PID:4316

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un660355.exe
      Filesize

      558KB

      MD5

      03bf700d7d6d00907d1f4ced2c946041

      SHA1

      af368e1b9dbbe76cda3bae0841a75885470375ab

      SHA256

      00e9e38caaf02e2c40c55f13de7235d6e80be34583fafae016eff03721b1959b

      SHA512

      b857cac06e680375b87820b95503d99e6af0d91b1766ca984abca80c525060124676fc2d6735b7bea7df9ee0494dbfd2313dfdc0a4d1362858929d383699fb34

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5437.exe
      Filesize

      307KB

      MD5

      47ccbbcd85f9fd75930305b4180b4c78

      SHA1

      07c51a48397a14e9a0ca86a7425f579d2356e6af

      SHA256

      f13cddb8bb036d8eb9b8e0183d54577b9d026abf3f37aa7e33309109637e9634

      SHA512

      2e5763680046cdcad8ac8dd9e744d2ffeb37a5be66365bb3709d2410688103236866a8253db5997f11d24b538b870371934fb3eb9f3f8612f6c426d3b1c37ace

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5886.exe
      Filesize

      365KB

      MD5

      ac36d52f4b1c397efbda5f64d2fd5a90

      SHA1

      754c5ca6f4d3e0f47c480e9272a9c772d63b302f

      SHA256

      e35c12d7ba2dea8a8834223791be8336ce6d9b08f000594a59e08cca682add52

      SHA512

      68f5ce3cd7fb2af80c8d528ad86f0ded094c8dd6ebae92cece04cd8cf676cf93a7b44f4d060e22498757a84c717efd7fba61cf4e31c9bb006280992c69e6ed31

      Download Submit

    • memory/3052-15-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3052-16-0x0000000000910000-0x000000000093D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/3052-17-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3052-18-0x0000000000400000-0x000000000070F000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/3052-19-0x0000000002760000-0x000000000277A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3052-20-0x0000000004EA0000-0x0000000005444000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3052-21-0x0000000004DF0000-0x0000000004E08000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3052-23-0x0000000004DF0000-0x0000000004E02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3052-22-0x0000000004DF0000-0x0000000004E02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3052-49-0x0000000004DF0000-0x0000000004E02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3052-47-0x0000000004DF0000-0x0000000004E02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3052-45-0x0000000004DF0000-0x0000000004E02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3052-43-0x0000000004DF0000-0x0000000004E02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3052-41-0x0000000004DF0000-0x0000000004E02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3052-39-0x0000000004DF0000-0x0000000004E02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3052-37-0x0000000004DF0000-0x0000000004E02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3052-35-0x0000000004DF0000-0x0000000004E02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3052-33-0x0000000004DF0000-0x0000000004E02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3052-31-0x0000000004DF0000-0x0000000004E02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3052-26-0x0000000004DF0000-0x0000000004E02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3052-29-0x0000000004DF0000-0x0000000004E02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3052-27-0x0000000004DF0000-0x0000000004E02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3052-50-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3052-51-0x0000000000910000-0x000000000093D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/3052-52-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3052-56-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3052-55-0x0000000000400000-0x000000000070F000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/4448-61-0x0000000002820000-0x0000000002866000-memory.dmp

      Filesize

      280KB

      Download

    • memory/4448-62-0x0000000004D20000-0x0000000004D64000-memory.dmp

      Filesize

      272KB

      Download

    • memory/4448-70-0x0000000004D20000-0x0000000004D5F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4448-78-0x0000000004D20000-0x0000000004D5F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4448-96-0x0000000004D20000-0x0000000004D5F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4448-94-0x0000000004D20000-0x0000000004D5F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4448-92-0x0000000004D20000-0x0000000004D5F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4448-90-0x0000000004D20000-0x0000000004D5F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4448-88-0x0000000004D20000-0x0000000004D5F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4448-84-0x0000000004D20000-0x0000000004D5F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4448-82-0x0000000004D20000-0x0000000004D5F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4448-80-0x0000000004D20000-0x0000000004D5F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4448-76-0x0000000004D20000-0x0000000004D5F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4448-74-0x0000000004D20000-0x0000000004D5F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4448-72-0x0000000004D20000-0x0000000004D5F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4448-68-0x0000000004D20000-0x0000000004D5F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4448-86-0x0000000004D20000-0x0000000004D5F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4448-66-0x0000000004D20000-0x0000000004D5F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4448-64-0x0000000004D20000-0x0000000004D5F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4448-63-0x0000000004D20000-0x0000000004D5F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4448-969-0x0000000005450000-0x0000000005A68000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4448-970-0x0000000005AF0000-0x0000000005BFA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4448-971-0x0000000005C30000-0x0000000005C42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4448-972-0x0000000005C50000-0x0000000005C8C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4448-973-0x0000000005DA0000-0x0000000005DEC000-memory.dmp

      Filesize

      304KB

      Download