Overview

overview

10

Static

static

3

fc7e71a01a...99.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 19:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fc7e71a01a327164c62eac8d44b5fa19234bd3602ff7e8bbad8e4c74b23c3599.exe

  • Size

    530KB

  • MD5

    715d8adf328ff8b2d8f66290e35b1867

  • SHA1

    afc9326cc23429098c7b71dfeeef769fec05b607

  • SHA256

    fc7e71a01a327164c62eac8d44b5fa19234bd3602ff7e8bbad8e4c74b23c3599

  • SHA512

    62a2c31b9ff16f5d5a994dc33cfd69ef68a8abb59d1f922d9b5fcad8d177dcbb087eec43aa943c9d16784dc48b964090bb483ef723784cc379a3ae45f5463c99

  • SSDEEP

    12288:nMrYy90+rdUm/vpB6VNK1DIaKJTQhqBm/yFEWTkpl:HybdVD6VQ1DIDlQgbBal

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fc7e71a01a327164c62eac8d44b5fa19234bd3602ff7e8bbad8e4c74b23c3599.exe
    "C:\Users\Admin\AppData\Local\Temp\fc7e71a01a327164c62eac8d44b5fa19234bd3602ff7e8bbad8e4c74b23c3599.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:748
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPx2882.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPx2882.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4920
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr968870.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr968870.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:384
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku473438.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku473438.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2124

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPx2882.exe
    Filesize

    388KB

    MD5

    3dd9a7e17d9c4d408c643b861f24cdbe

    SHA1

    8d528b1b185295e777e5bab10a206261ebd18702

    SHA256

    8f211fc54b084429aa619120122749b313b6b528edfd4df9799566ee50da288e

    SHA512

    6dd639ac39ddbdd7202492a9b2e4dcfa37d20edaa294de63b5f6c8e981f6920ff5f17ca75dec871a625ff7c5ee85b0601e73f753c2116581466223acf01e7b80

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr968870.exe
    Filesize

    11KB

    MD5

    2869a7f906ac9e2eb01ed4812603ae36

    SHA1

    9996c1e205a50999d89d8d9486e2042573dcb5b0

    SHA256

    2b977e2eb48f920c7501959d3458bb768d44a4ac58e54519f2daa527270a6965

    SHA512

    f1f07cf36dad5d959c5451a3a846a7b737663ffee7c611524bed89fc3f288375f2bf2e56e039cc5155be05460991fed955db3a514c2692c5a7d70a2ee58b13c4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku473438.exe
    Filesize

    354KB

    MD5

    dcd20d71fe2ea84acf5743efa501d886

    SHA1

    3d80a9b120ef3d66fa84f66cd0e0ef6e681b9ccf

    SHA256

    ebabe0ddf5432cb081986be7df31b847901a819b509c9b4ee8b93221c4c2fa2b

    SHA512

    d81e821dbdcea7f86971daf71f18fe7684f428930dbe3dc87be68f646eae4335f0992e2e181de37cb9ff5c0a398d0b1ca58ed81b3dba096185a21f3fa001c976

    Download Submit

  • memory/384-14-0x00007FFCA4F93000-0x00007FFCA4F95000-memory.dmp

    Filesize

    8KB

    Download

  • memory/384-15-0x0000000000F70000-0x0000000000F7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/384-16-0x00007FFCA4F93000-0x00007FFCA4F95000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2124-62-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2124-50-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2124-24-0x00000000071A0000-0x00000000071E4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2124-36-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2124-88-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2124-86-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2124-84-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2124-80-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2124-78-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2124-77-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2124-74-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2124-72-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2124-70-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2124-68-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2124-66-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2124-64-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2124-22-0x0000000004B60000-0x0000000004BA6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2124-58-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2124-56-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2124-54-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2124-52-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2124-23-0x0000000007320000-0x00000000078C4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2124-48-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2124-46-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2124-44-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2124-42-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2124-40-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2124-38-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2124-34-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2124-32-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2124-82-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2124-30-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2124-28-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2124-60-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2124-26-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2124-25-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2124-931-0x00000000078D0000-0x0000000007EE8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2124-932-0x0000000007EF0000-0x0000000007FFA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2124-933-0x00000000072B0000-0x00000000072C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2124-934-0x00000000072D0000-0x000000000730C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2124-935-0x0000000008110000-0x000000000815C000-memory.dmp

    Filesize

    304KB

    Download