Overview

overview

10

Static

static

3

a4f3d38aec...88.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 15:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a4f3d38aecd82fb4b3630f0dfed3fafb662a9790c67b22a099cd2cc8f6a64f88.exe

  • Size

    560KB

  • MD5

    07ea733394b0c1e1df24c5de750d2aa2

  • SHA1

    da500d69a5efd4e1c34d2422f7b5fa8fca0eea77

  • SHA256

    a4f3d38aecd82fb4b3630f0dfed3fafb662a9790c67b22a099cd2cc8f6a64f88

  • SHA512

    dedb3495fc430e843a87c42de3fc9f48940b1cd0f6319313bfa18cdcf006674b906473695c60af2238bc0cadd1fde85b0e0c6513d19f671791fd7eeef6dd1352

  • SSDEEP

    12288:SMrIy90MyNFgHlR9dNzaPLD/CK9EAxJPRAwGG7ozXlx:GypyTY9dNkLr9EAV3GmozXz

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a4f3d38aecd82fb4b3630f0dfed3fafb662a9790c67b22a099cd2cc8f6a64f88.exe
    "C:\Users\Admin\AppData\Local\Temp\a4f3d38aecd82fb4b3630f0dfed3fafb662a9790c67b22a099cd2cc8f6a64f88.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3692
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziks7711.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziks7711.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5032
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr258691.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr258691.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3128
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku542077.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku542077.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2156
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:5956

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziks7711.exe
    Filesize

    406KB

    MD5

    d42c913622ab316347852acc7b98bd1c

    SHA1

    356ec4b943e2c6598b5d36bd6208ecd7688c5174

    SHA256

    6a205725b65498b142adcb14f34a4c7a9d342e58a7de9e5eb038f7979d1bc3a2

    SHA512

    06ab67a89603be417137b2a67a5157c4783896bd8ece5cd4b08180d767daf2ab35ee129d38c967cb99d60fda189ced1b376a20ce6f1c8010a15959367db71f23

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr258691.exe
    Filesize

    12KB

    MD5

    da9bdccaa1caadbaf7e6a4aef153a00d

    SHA1

    09366d66fd9a7bbc4b1b8ca08dccd4c38b498d45

    SHA256

    ce9312af8961b7c342d010b2ca0f88a534363d202884fe5de5788ed796c3b864

    SHA512

    d45419025afdcfe55383c86160982e3bc4211f0a0c83f92e53b1c5836c736f1cea3d53f8deaf512838dd273f6d4ead4560b23dfa3fa9f549d3cd057dff599f12

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku542077.exe
    Filesize

    372KB

    MD5

    8e42f9d77a3daa8c532abfb3be41a671

    SHA1

    96530d52cae2df7be43fb6877990dace6c59734e

    SHA256

    1e6ee15a92ae3019ab40c76fac91894c377a8c2527215ee023ab7c1f467db99f

    SHA512

    76b178187004e39ffcd96022a303a533c9047cbd441d7bfaf723d3a039c240d4ab4da58aa7bc378fcd71d5946f0b117dc772d5d715aa990070cef44703f88b03

    Download Submit

  • memory/2156-78-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2156-22-0x00000000026D0000-0x0000000002716000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2156-935-0x0000000005EE0000-0x0000000005F2C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2156-74-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2156-23-0x0000000005040000-0x00000000055E4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2156-24-0x0000000004F30000-0x0000000004F74000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2156-36-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2156-38-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2156-34-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2156-32-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2156-77-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2156-30-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2156-73-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2156-26-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2156-25-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2156-88-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2156-86-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2156-84-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2156-82-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2156-934-0x0000000005D90000-0x0000000005DCC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2156-80-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2156-933-0x0000000005D70000-0x0000000005D82000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2156-28-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2156-70-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2156-68-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2156-66-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2156-64-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2156-63-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2156-60-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2156-59-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2156-56-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2156-55-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2156-52-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2156-50-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2156-48-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2156-46-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2156-44-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2156-42-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2156-40-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2156-931-0x00000000055F0000-0x0000000005C08000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2156-932-0x0000000005C30000-0x0000000005D3A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3128-16-0x00007FFA204A3000-0x00007FFA204A5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3128-14-0x00007FFA204A3000-0x00007FFA204A5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3128-15-0x0000000000050000-0x000000000005A000-memory.dmp

    Filesize

    40KB

    Download