Overview

overview

10

Static

static

3

5955964c92...eb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 20:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5955964c92f2cd7def8723d5904d3944208af0410ba7e85269b6952f4d4903eb.exe

  • Size

    529KB

  • MD5

    322383a9447a8ceb07fec4739003b0b7

  • SHA1

    4f94ba9eab7b02dffd6b580f88d42552b25c146b

  • SHA256

    5955964c92f2cd7def8723d5904d3944208af0410ba7e85269b6952f4d4903eb

  • SHA512

    c7a62c0fb0395ecda77fdd96556c4dc584dfc3494ec10ba6bcf3f46fa706de7c8d54be694be8b0b3c11282c66a0a271189529df0cc135df1cfd064b990eb40e5

  • SSDEEP

    12288:aMrsy90m0JOras0+hvrhLQhV2+fHlpLcZkAOA:6ykJtwhv9kZrLcaAV

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5955964c92f2cd7def8723d5904d3944208af0410ba7e85269b6952f4d4903eb.exe
    "C:\Users\Admin\AppData\Local\Temp\5955964c92f2cd7def8723d5904d3944208af0410ba7e85269b6952f4d4903eb.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3248
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVQ2385.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVQ2385.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4712
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr681890.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr681890.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:956
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku043617.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku043617.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3272

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVQ2385.exe
    Filesize

    388KB

    MD5

    576c09c0cfbb77c89a39af946a55632d

    SHA1

    8c656ce90327133560c130918eed7acdf3247e46

    SHA256

    8d0f17947d2b5004c6948d235456efac6218b2f2384abdbe963754ede01a4b7f

    SHA512

    02a61272e6bd667e4727503e62f3c3c9f5a8af58f1b8cb0d78dedb047b98e1335cca110a6e536fb21667a31d59b9848d77c040e46fde7d6d96d1893259452e19

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr681890.exe
    Filesize

    12KB

    MD5

    153bb8cc10de77bdfb1f6a60f9e16200

    SHA1

    55d3a2a7e72bf2d689bffa4ca424ee89014014c5

    SHA256

    d53f7147c623c601509ca17f311af5eea2f5179ff07912c4092d726029f3ec8a

    SHA512

    2057a8e979d5350b06e2d342a90a7e8f88f7274e3427a58474bd8fd5326d7f8ad6319e2de1be73d28e6902ca4135b8ff9b9ded08d9c164a7af34c71935e6e1cf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku043617.exe
    Filesize

    434KB

    MD5

    6e2aa772fbfeebcdc88998382404adb3

    SHA1

    62af1fc20de3d7997cc29db80a3ee0a80873c286

    SHA256

    42664a97a85e1384c01c87d31fa93854f74887e15f7cfcb5945392d5af8f0ecd

    SHA512

    520c54d4c9c75b2e60012480ad5ecd065d942252c421261692aa77d5ed44cde012b1870f24f6f01e1a32af249b8c7ba7620794feca91eb2ff8a5cc96ddfe5216

    Download Submit

  • memory/956-14-0x00007FFE847E3000-0x00007FFE847E5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/956-15-0x0000000000500000-0x000000000050A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/956-16-0x00007FFE847E3000-0x00007FFE847E5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3272-64-0x0000000004E40000-0x0000000004E7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3272-54-0x0000000004E40000-0x0000000004E7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3272-24-0x0000000004E40000-0x0000000004E84000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3272-26-0x0000000004E40000-0x0000000004E7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3272-70-0x0000000004E40000-0x0000000004E7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3272-88-0x0000000004E40000-0x0000000004E7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3272-86-0x0000000004E40000-0x0000000004E7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3272-84-0x0000000004E40000-0x0000000004E7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3272-82-0x0000000004E40000-0x0000000004E7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3272-80-0x0000000004E40000-0x0000000004E7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3272-78-0x0000000004E40000-0x0000000004E7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3272-76-0x0000000004E40000-0x0000000004E7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3272-74-0x0000000004E40000-0x0000000004E7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3272-72-0x0000000004E40000-0x0000000004E7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3272-68-0x0000000004E40000-0x0000000004E7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3272-66-0x0000000004E40000-0x0000000004E7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3272-22-0x0000000004D80000-0x0000000004DC6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3272-62-0x0000000004E40000-0x0000000004E7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3272-60-0x0000000004E40000-0x0000000004E7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3272-58-0x0000000004E40000-0x0000000004E7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3272-56-0x0000000004E40000-0x0000000004E7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3272-23-0x0000000004EF0000-0x0000000005494000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3272-52-0x0000000004E40000-0x0000000004E7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3272-50-0x0000000004E40000-0x0000000004E7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3272-48-0x0000000004E40000-0x0000000004E7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3272-46-0x0000000004E40000-0x0000000004E7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3272-44-0x0000000004E40000-0x0000000004E7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3272-42-0x0000000004E40000-0x0000000004E7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3272-40-0x0000000004E40000-0x0000000004E7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3272-38-0x0000000004E40000-0x0000000004E7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3272-34-0x0000000004E40000-0x0000000004E7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3272-32-0x0000000004E40000-0x0000000004E7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3272-30-0x0000000004E40000-0x0000000004E7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3272-28-0x0000000004E40000-0x0000000004E7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3272-36-0x0000000004E40000-0x0000000004E7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3272-25-0x0000000004E40000-0x0000000004E7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3272-931-0x00000000054A0000-0x0000000005AB8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3272-932-0x0000000005B00000-0x0000000005C0A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3272-933-0x0000000005C40000-0x0000000005C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3272-934-0x0000000005C60000-0x0000000005C9C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3272-935-0x0000000005DB0000-0x0000000005DFC000-memory.dmp

    Filesize

    304KB

    Download