Overview

overview

10

Static

static

3

63c1750c52...65.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 17:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    63c1750c52a5aba4e4f06da0215f111aac029155274b412588f3b86728725d65.exe

  • Size

    560KB

  • MD5

    24a8e98a7e10a2312697143ec276c2cd

  • SHA1

    db4175ad094d1ca247107941cc83ca8c7fa56083

  • SHA256

    63c1750c52a5aba4e4f06da0215f111aac029155274b412588f3b86728725d65

  • SHA512

    bd5d102b46ab5b1f6697655c3c61d468a64c8ac8a4c3e94896b7e7f5b1c7152257b53e5d976c472fe2939bc65a32123e791944c0063593e8c228b3dcc7a22c1b

  • SSDEEP

    12288:VMrIy90ZDBh+MrLJIKaWvA+Sfx8ElxJqfx2QOFGXOe:hy4n+0rfC8El+fx2QOcL

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\63c1750c52a5aba4e4f06da0215f111aac029155274b412588f3b86728725d65.exe
    "C:\Users\Admin\AppData\Local\Temp\63c1750c52a5aba4e4f06da0215f111aac029155274b412588f3b86728725d65.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2808
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidM0191.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidM0191.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:632
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr774281.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr774281.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1772
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku442956.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku442956.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2348

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidM0191.exe
    Filesize

    406KB

    MD5

    4a3d4403f075655c242f9dba34e683e0

    SHA1

    89dc33c63a2c1c4dfb448bc65fd7ff5391720cb8

    SHA256

    8a4a42dbd02dd26763a8e2a1dbf224ded355f1195a4dbc2681813b2df35589c2

    SHA512

    44e3211957feb6070ea6ae0282477a55a89fb01ba5c8ab4224475a704a105c4c38dd81aa15b3904025d3880313776c10af8ba34a8a83bf2cb90d08081536046c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr774281.exe
    Filesize

    12KB

    MD5

    2bcc070dc52f97c3b135f57a44d67150

    SHA1

    6810763bb99c524659a2b65064b9ccc830d5b886

    SHA256

    c22847a348d8baaadb479e0e89f50feda557526a5e07573aa8977a2b55e2fecc

    SHA512

    b7f7d72b9600082f38c57e7b2c4298c8f7d03c9851e834fc73e29306d5ea6759efc419a204be434a5d4466d49a6c7aa1b8b8e1ae8ce112d57d438647d90d28f3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku442956.exe
    Filesize

    372KB

    MD5

    5b872875f42160cce4617fbd35d71c5d

    SHA1

    d24c0374913afe483f994fa7753c51de66323ccb

    SHA256

    dfe261179812c792d668a39e49aa9a8fc88dadc5b73ff813fd299be453de2e99

    SHA512

    57d60930cf69473b503e9ecd21bf8c8249d0f42f09e53110270c244b80887e36e2c12a3a0b034733b6c2c341f737c591502df6f3a36a78803599834dde6e5b62

    Download Submit

  • memory/1772-14-0x00007FFDDE6E3000-0x00007FFDDE6E5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1772-15-0x0000000000890000-0x000000000089A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1772-16-0x00007FFDDE6E3000-0x00007FFDDE6E5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2348-68-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2348-58-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2348-24-0x0000000004DE0000-0x0000000004E24000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2348-28-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2348-26-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2348-25-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2348-40-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2348-88-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2348-86-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2348-84-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2348-82-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2348-78-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2348-76-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2348-74-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2348-72-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2348-70-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2348-22-0x00000000027C0000-0x0000000002806000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2348-66-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2348-64-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2348-62-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2348-60-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2348-23-0x0000000004FC0000-0x0000000005564000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2348-54-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2348-52-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2348-48-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2348-44-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2348-42-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2348-38-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2348-36-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2348-34-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2348-33-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2348-30-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2348-80-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2348-57-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2348-50-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2348-46-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2348-931-0x0000000005570000-0x0000000005B88000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2348-932-0x0000000005B90000-0x0000000005C9A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2348-933-0x0000000004F30000-0x0000000004F42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2348-934-0x0000000004F50000-0x0000000004F8C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2348-935-0x0000000005DA0000-0x0000000005DEC000-memory.dmp

    Filesize

    304KB

    Download