Overview

overview

10

Static

static

3

220158787a...fc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 14:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    220158787abd73059f79b912333a398027c9420aab2f19021a2b35e9c8a9c5fc.exe

  • Size

    533KB

  • MD5

    373e54795583d569d5a51e567ceeea08

  • SHA1

    28a70dd7958f5deaad0c0edcafd0ddae34ae15b2

  • SHA256

    220158787abd73059f79b912333a398027c9420aab2f19021a2b35e9c8a9c5fc

  • SHA512

    ad1b110f58b054bbe51b209c81fb25b223258224b730fbe772fe189ca41b6092fedb4e6369baf8798dde0592ccf3da0492242b7b280695ca7009dc1f8141455c

  • SSDEEP

    12288:IMrgy90QtRlIj47i2m3tXDxYGJzAhwVi4htnGmWcZ:oyhj7+3tXKGJM6VXhtZ

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\220158787abd73059f79b912333a398027c9420aab2f19021a2b35e9c8a9c5fc.exe
    "C:\Users\Admin\AppData\Local\Temp\220158787abd73059f79b912333a398027c9420aab2f19021a2b35e9c8a9c5fc.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3164
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOw0782.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOw0782.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr563305.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr563305.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4468
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku541885.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku541885.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2972
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:5328

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOw0782.exe
    Filesize

    379KB

    MD5

    6d0e2329ac914d22dc9277fa1a9bab9f

    SHA1

    ad26f8af32a53aa8fd389c7e3717ccdc1ea1c173

    SHA256

    3bf8a3e7393e5d14487dc774c7a12f8c39cdec09478b1532258ce3f1584216b9

    SHA512

    370523c4a8bfde70e140c88cfc5c6ccc288b10d3a39f5c956b174d1814d252c4d5e21ae4480abe0e9a7ffb0a00b26486700809e584246bef22b23430aba846b5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr563305.exe
    Filesize

    11KB

    MD5

    20fe80eac92dea9a65a138cf9ccc0051

    SHA1

    2fdf2a5c12982e3fcc8be61e8db5a295c914863a

    SHA256

    f31d8a973f8025f3a9483dc64c49131ccd7c861c6160d9ef77e57005ab8586d8

    SHA512

    52a0a150efe3844e5b956e9a2fdbf177a2fce954fa6db38cbc8d778495274a12dcf6b94d300f67248e0ca9a21005ea2f22e18f6630f3870a1a20b2f26d2b736e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku541885.exe
    Filesize

    295KB

    MD5

    f0ca293ce230f99f388a16e96d274315

    SHA1

    53f2b97daf7540955d78b4ed6a5bca55dbddb331

    SHA256

    fc4e0c2b22aec416fda9b9b5da478688e295b816a34837d6e4655f55677fabde

    SHA512

    78e914867f59a57ebeb62067aadb61edd775a80ea0cdc7a2f3ee20d4e5a954460641ab29726bfd47f6368b87b734efa26c9570566ab81884f7c98523040bb1b5

    Download Submit

  • memory/2972-62-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2972-22-0x0000000002600000-0x0000000002646000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2972-935-0x0000000005B80000-0x0000000005BCC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2972-58-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2972-23-0x0000000004BF0000-0x0000000005194000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2972-24-0x00000000051A0000-0x00000000051E4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2972-38-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2972-88-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2972-86-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2972-82-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2972-60-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2972-78-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2972-56-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2972-74-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2972-72-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2972-70-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2972-68-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2972-66-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2972-64-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2972-934-0x0000000005A30000-0x0000000005A6C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2972-80-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2972-933-0x0000000005A10000-0x0000000005A22000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2972-76-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2972-54-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2972-52-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2972-50-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2972-48-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2972-46-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2972-44-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2972-42-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2972-40-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2972-36-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2972-34-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2972-32-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2972-30-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2972-84-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2972-28-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2972-26-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2972-25-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2972-931-0x0000000005230000-0x0000000005848000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2972-932-0x00000000058D0000-0x00000000059DA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4468-16-0x00007FFFDCF73000-0x00007FFFDCF75000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4468-14-0x00007FFFDCF73000-0x00007FFFDCF75000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4468-15-0x0000000000D50000-0x0000000000D5A000-memory.dmp

    Filesize

    40KB

    Download