Overview

overview

10

Static

static

3

b4e97b8e39...01.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 19:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b4e97b8e3966d99d001126635111c4580f84f6490c94c2b1985288824ce74801.exe

  • Size

    530KB

  • MD5

    ffcc9836a7bb7702604cf7aaab727e1e

  • SHA1

    c605e352705e52c218e979a91660ca3f1b7bada0

  • SHA256

    b4e97b8e3966d99d001126635111c4580f84f6490c94c2b1985288824ce74801

  • SHA512

    b33b1889ef2625e34190154923e3b0faf20f5bf3b7693e01f7a06d7ecb3dabdeefe259bfcc8fa465a1fd7c5ab2549c19723f822427448eccf7c7b031d3dafed7

  • SSDEEP

    12288:QMrfy90xhizLG5jP9z0nkiiBm7q0nEK5p4IE5/qS8wF8vTGh:fyQizLSxUDWAEKEJ5xab4

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4e97b8e3966d99d001126635111c4580f84f6490c94c2b1985288824ce74801.exe
    "C:\Users\Admin\AppData\Local\Temp\b4e97b8e3966d99d001126635111c4580f84f6490c94c2b1985288824ce74801.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1052
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifD6386.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifD6386.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2856
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr791106.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr791106.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3452
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku881258.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku881258.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2772
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:644

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifD6386.exe
    Filesize

    388KB

    MD5

    ef448866808d51c688fb1ae61f6addc4

    SHA1

    657d99fe238dbc2f8475850c8114a3c5274482e2

    SHA256

    c6391ec36f12c2f40888b29afbe9d9ec388e93bfd45aafe6e614021b6f8bdf34

    SHA512

    26d5705d15dc374d2b62e1ac7fe9cc4f0fb220c031414b656fcb0cf18972d8e58fb08fa72ee9314ca7161cc7f1e032c7813d30663260fdc31abfa2be236ae13c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr791106.exe
    Filesize

    12KB

    MD5

    fa5371a607a025064ccb0c8a5a521bb4

    SHA1

    f86c50ee2fada9610874c0fd28bcda835f1dce7e

    SHA256

    714bed24a85088c8e53b9de6affff93a9459d0967a484e8dbe55abd3fe90bbf7

    SHA512

    19412a96df5f8b09caad24afcae627f76c0a17c25c3cbad8987975cf87b20c103c1d09abe28cfe9fb6204ca91ff81dfae3752bbf941fec2821be48ad6af4c2b5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku881258.exe
    Filesize

    342KB

    MD5

    d6b1cc04b14760c7ddff357bd8da2952

    SHA1

    4544a71312168893c6ffa645071281e7b89193b7

    SHA256

    4c6012b73010c72859ab4086d7a2b055546abe9d6d3a6952d8d965ede7f8f704

    SHA512

    03bd5fbc13f7dd549ce6c2308ed6fe5f9596e433118c3fc2d01b8554d80cbd122787b5f5db23625548e5f65710823c7a2168b1b1e6d91a4b40fe7f97abe03795

    Download Submit

  • memory/2772-64-0x0000000004D50000-0x0000000004D8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2772-22-0x0000000004B60000-0x0000000004BA6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2772-935-0x0000000008110000-0x000000000815C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2772-60-0x0000000004D50000-0x0000000004D8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2772-23-0x00000000071E0000-0x0000000007784000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2772-24-0x0000000004D50000-0x0000000004D94000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2772-26-0x0000000004D50000-0x0000000004D8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2772-38-0x0000000004D50000-0x0000000004D8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2772-88-0x0000000004D50000-0x0000000004D8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2772-86-0x0000000004D50000-0x0000000004D8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2772-62-0x0000000004D50000-0x0000000004D8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2772-82-0x0000000004D50000-0x0000000004D8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2772-58-0x0000000004D50000-0x0000000004D8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2772-78-0x0000000004D50000-0x0000000004D8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2772-76-0x0000000004D50000-0x0000000004D8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2772-74-0x0000000004D50000-0x0000000004D8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2772-72-0x0000000004D50000-0x0000000004D8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2772-68-0x0000000004D50000-0x0000000004D8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2772-66-0x0000000004D50000-0x0000000004D8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2772-934-0x0000000007FC0000-0x0000000007FFC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2772-84-0x0000000004D50000-0x0000000004D8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2772-933-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2772-80-0x0000000004D50000-0x0000000004D8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2772-56-0x0000000004D50000-0x0000000004D8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2772-54-0x0000000004D50000-0x0000000004D8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2772-52-0x0000000004D50000-0x0000000004D8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2772-50-0x0000000004D50000-0x0000000004D8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2772-48-0x0000000004D50000-0x0000000004D8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2772-46-0x0000000004D50000-0x0000000004D8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2772-44-0x0000000004D50000-0x0000000004D8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2772-42-0x0000000004D50000-0x0000000004D8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2772-36-0x0000000004D50000-0x0000000004D8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2772-34-0x0000000004D50000-0x0000000004D8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2772-32-0x0000000004D50000-0x0000000004D8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2772-30-0x0000000004D50000-0x0000000004D8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2772-28-0x0000000004D50000-0x0000000004D8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2772-70-0x0000000004D50000-0x0000000004D8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2772-40-0x0000000004D50000-0x0000000004D8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2772-25-0x0000000004D50000-0x0000000004D8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2772-931-0x00000000077C0000-0x0000000007DD8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2772-932-0x0000000007E60000-0x0000000007F6A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3452-16-0x00007FF8C0A03000-0x00007FF8C0A05000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3452-14-0x00007FF8C0A03000-0x00007FF8C0A05000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3452-15-0x0000000000E10000-0x0000000000E1A000-memory.dmp

    Filesize

    40KB

    Download