Overview

overview

10

Static

static

3

4720910705...77.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 12:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    47209107050f21c1b6a73bcf4226eba5cf1a450895544dc088e26d5b41736d77.exe

  • Size

    537KB

  • MD5

    4653d70120ea8bc914deaabae6f182f1

  • SHA1

    b656f6e33599a740b571903875cb1028b2aeadcb

  • SHA256

    47209107050f21c1b6a73bcf4226eba5cf1a450895544dc088e26d5b41736d77

  • SHA512

    b2417bfc3924bfa2dc3721f484a8cc67ee71b3e93b636143888560a2fc1f02eb9ca85906b7615a63a20bd24fc152f207de0cd0ba50e6dc5cd5ecde07789a6845

  • SSDEEP

    12288:MMrXy90/rNRxDrDgP4JGMYUL91GD/YHvUBw3a:TyU9r+41LPI/YHMBw3a

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\47209107050f21c1b6a73bcf4226eba5cf1a450895544dc088e26d5b41736d77.exe
    "C:\Users\Admin\AppData\Local\Temp\47209107050f21c1b6a73bcf4226eba5cf1a450895544dc088e26d5b41736d77.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3488
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDF7623.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDF7623.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4484
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr966451.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr966451.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1204
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku383573.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku383573.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1612

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDF7623.exe
    Filesize

    383KB

    MD5

    65fddf1df20dfebc7dbd6d51dd6eba04

    SHA1

    57a3ac69956bc738c578d15fe3cb0e21ac1232a4

    SHA256

    ad4edcab9c9aaa441a61a9d80cf8c56c0ed74a748d913696aca129044c301f15

    SHA512

    d5c1be6f9a4ab550b63b4300892b8f805cc0d2b76e3c8159220e11b2f718ae2471114947201113c85fd0ca540145d9f6c036ec71f40ed08897364b2fd0f7f58b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr966451.exe
    Filesize

    13KB

    MD5

    4d4a6068af3e5deeba2efb8d7af21076

    SHA1

    5941e1f7071746e8f6ec59297fd526dde81e5151

    SHA256

    79eb67070ddbf9102662aca70b8a10b74dd86fbf6ab1b01099e65885208c2e63

    SHA512

    d216aeabed83cae231ebe914370df5f565add34e5e7317a010b0bb304a81ba20a1862334a27a6b7e5a711e934019500c9d10dcd041f7ffeeb657f37fc0365454

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku383573.exe
    Filesize

    311KB

    MD5

    aebe0c37ebecec86554f6fed2aba2e17

    SHA1

    ead2cabc1099012936e5b73f6765d1559191297d

    SHA256

    b24ddf3c2cd06e7a5621ec36941d6aaec5776c3526d04447777a7263080f07da

    SHA512

    e442251f565c2c884e86170a9ad1b23b22af486d64681ad852074e137747bf8bde0351ae501e4c2eeb7313cc52c879cbf24a64429fc873ad899b15b672e3ef50

    Download Submit

  • memory/1204-14-0x00007FF8164C3000-0x00007FF8164C5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1204-15-0x0000000000A70000-0x0000000000A7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1204-16-0x00007FF8164C3000-0x00007FF8164C5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1612-64-0x00000000050F0000-0x000000000512F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1612-52-0x00000000050F0000-0x000000000512F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1612-24-0x00000000050F0000-0x0000000005134000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1612-28-0x00000000050F0000-0x000000000512F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1612-38-0x00000000050F0000-0x000000000512F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1612-88-0x00000000050F0000-0x000000000512F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1612-86-0x00000000050F0000-0x000000000512F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1612-84-0x00000000050F0000-0x000000000512F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1612-82-0x00000000050F0000-0x000000000512F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1612-80-0x00000000050F0000-0x000000000512F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1612-76-0x00000000050F0000-0x000000000512F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1612-74-0x00000000050F0000-0x000000000512F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1612-72-0x00000000050F0000-0x000000000512F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1612-70-0x00000000050F0000-0x000000000512F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1612-68-0x00000000050F0000-0x000000000512F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1612-66-0x00000000050F0000-0x000000000512F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1612-22-0x0000000004AA0000-0x0000000004AE6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1612-62-0x00000000050F0000-0x000000000512F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1612-60-0x00000000050F0000-0x000000000512F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1612-56-0x00000000050F0000-0x000000000512F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1612-54-0x00000000050F0000-0x000000000512F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1612-23-0x0000000004B40000-0x00000000050E4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1612-50-0x00000000050F0000-0x000000000512F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1612-48-0x00000000050F0000-0x000000000512F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1612-46-0x00000000050F0000-0x000000000512F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1612-44-0x00000000050F0000-0x000000000512F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1612-40-0x00000000050F0000-0x000000000512F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1612-36-0x00000000050F0000-0x000000000512F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1612-34-0x00000000050F0000-0x000000000512F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1612-32-0x00000000050F0000-0x000000000512F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1612-30-0x00000000050F0000-0x000000000512F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1612-78-0x00000000050F0000-0x000000000512F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1612-58-0x00000000050F0000-0x000000000512F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1612-42-0x00000000050F0000-0x000000000512F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1612-26-0x00000000050F0000-0x000000000512F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1612-25-0x00000000050F0000-0x000000000512F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1612-931-0x0000000005130000-0x0000000005748000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1612-932-0x0000000005790000-0x000000000589A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1612-933-0x00000000058D0000-0x00000000058E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1612-934-0x00000000058F0000-0x000000000592C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1612-935-0x0000000005A40000-0x0000000005A8C000-memory.dmp

    Filesize

    304KB

    Download