Overview

overview

10

Static

static

3

f2c707cbf0...89.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 16:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f2c707cbf0116470339dfd798dc5f607cc3e1b6341927c63ff2a193fc6173889.exe

  • Size

    534KB

  • MD5

    68bbce5edde7ba4a1829954909e9592c

  • SHA1

    ae3ca371e3b79dda0c5bb2cfdb8f31d580050de6

  • SHA256

    f2c707cbf0116470339dfd798dc5f607cc3e1b6341927c63ff2a193fc6173889

  • SHA512

    0ce8b412b6d2744f8b206cc10cbe53666ae1950f1e83ff710abdf20ceffd690acd227b2d2840110d9497a0629fe03e628bbd18c3aeadbb345eb1ca60fb53b170

  • SSDEEP

    12288:LMrcy90DIee5+HJn5zTcMuvGbmcyDzVMZZgdRrAp5h1xpVYcJEF:TyK9zXcHfc8xZHs5h1xpqNF

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f2c707cbf0116470339dfd798dc5f607cc3e1b6341927c63ff2a193fc6173889.exe
    "C:\Users\Admin\AppData\Local\Temp\f2c707cbf0116470339dfd798dc5f607cc3e1b6341927c63ff2a193fc6173889.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zimK2855.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zimK2855.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3176
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr001232.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr001232.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:228
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku878861.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku878861.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3708

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zimK2855.exe
    Filesize

    380KB

    MD5

    0a166a07bc76231fb4b259fbd7e0c252

    SHA1

    35900256347f27765052726085a9f6a62375bf3e

    SHA256

    9265bb76e28217f5f230f70b8502c6313ede8347a524b66c37a4a0a4a762c3ab

    SHA512

    e2a7b15b0da6263f793ea23d739cb9bcd8dfd2f6efaec85a27c27759c24da946b5337df52bad3610c973ec669a4cd165ae727833c43e6c5a17b09c2723d9a2d2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr001232.exe
    Filesize

    15KB

    MD5

    3e8372e2202e2d4afd577eae63e44b84

    SHA1

    e23a2518dac18a329ac851d26f032fd9d3b45211

    SHA256

    cae64b2fc820efef0e2c356e626f9b3362f9e57826b19b7f378ce739356f9d0a

    SHA512

    1cfb37dfe755518d1ecb906ee332fee3391b87f70215faaf9a553e5a6e47ae4f662fe1748cd0713e803d8fdc2ffb8615e2f24648f42538a881c0d782e0af242a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku878861.exe
    Filesize

    295KB

    MD5

    4844d303bf19ce384e01a855dcd9d9a4

    SHA1

    1a3f046d05f13fddb19f3be42cfbaabe7ff995ef

    SHA256

    16c86d1f5089adcdbac9d5b9091b302acfa399d4fe3ac8b7c2337023031a7636

    SHA512

    245e1eb4188bd33f8a7d324388f4cc92dc32560f4e6d83e7b9945d0892d579f379d2f144774a0f912c2083c7e5ce4440ff783e83e0fb12a73537de45fd2d9a6c

    Download Submit

  • memory/228-14-0x00007FFA13643000-0x00007FFA13645000-memory.dmp

    Filesize

    8KB

    Download

  • memory/228-15-0x0000000000A00000-0x0000000000A0A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/228-16-0x00007FFA13643000-0x00007FFA13645000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3708-62-0x0000000004AF0000-0x0000000004B2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3708-48-0x0000000004AF0000-0x0000000004B2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3708-24-0x0000000004AF0000-0x0000000004B34000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3708-30-0x0000000004AF0000-0x0000000004B2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3708-38-0x0000000004AF0000-0x0000000004B2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3708-88-0x0000000004AF0000-0x0000000004B2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3708-86-0x0000000004AF0000-0x0000000004B2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3708-82-0x0000000004AF0000-0x0000000004B2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3708-80-0x0000000004AF0000-0x0000000004B2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3708-78-0x0000000004AF0000-0x0000000004B2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3708-76-0x0000000004AF0000-0x0000000004B2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3708-74-0x0000000004AF0000-0x0000000004B2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3708-72-0x0000000004AF0000-0x0000000004B2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3708-70-0x0000000004AF0000-0x0000000004B2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3708-68-0x0000000004AF0000-0x0000000004B2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3708-64-0x0000000004AF0000-0x0000000004B2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3708-22-0x0000000002320000-0x0000000002366000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3708-60-0x0000000004AF0000-0x0000000004B2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3708-58-0x0000000004AF0000-0x0000000004B2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3708-54-0x0000000004AF0000-0x0000000004B2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3708-50-0x0000000004AF0000-0x0000000004B2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3708-23-0x0000000004C10000-0x00000000051B4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3708-46-0x0000000004AF0000-0x0000000004B2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3708-45-0x0000000004AF0000-0x0000000004B2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3708-40-0x0000000004AF0000-0x0000000004B2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3708-36-0x0000000004AF0000-0x0000000004B2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3708-34-0x0000000004AF0000-0x0000000004B2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3708-32-0x0000000004AF0000-0x0000000004B2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3708-84-0x0000000004AF0000-0x0000000004B2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3708-66-0x0000000004AF0000-0x0000000004B2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3708-56-0x0000000004AF0000-0x0000000004B2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3708-52-0x0000000004AF0000-0x0000000004B2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3708-42-0x0000000004AF0000-0x0000000004B2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3708-28-0x0000000004AF0000-0x0000000004B2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3708-26-0x0000000004AF0000-0x0000000004B2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3708-25-0x0000000004AF0000-0x0000000004B2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3708-931-0x00000000052C0000-0x00000000058D8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3708-932-0x00000000058E0000-0x00000000059EA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3708-933-0x0000000005A10000-0x0000000005A22000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3708-934-0x0000000005A30000-0x0000000005A6C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3708-935-0x0000000005B80000-0x0000000005BCC000-memory.dmp

    Filesize

    304KB

    Download