Overview

overview

10

Static

static

3

0df3b350b4...43.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 20:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0df3b350b419160d759f577879e00417f1ca24198357d656883a1b88d1bc2a43.exe

  • Size

    530KB

  • MD5

    a8725d27bf7b59a1ec0735209ff41f4b

  • SHA1

    0841c8aea28949a2a60d46efb125ac40b2965015

  • SHA256

    0df3b350b419160d759f577879e00417f1ca24198357d656883a1b88d1bc2a43

  • SHA512

    ddc6ed6bea17856eafb14f247fe2a934524fcd97540066c7577525ef6d985b1e4a7a01c4f275ecf0ebbd131ae5c69b1c149988f44dda20b54719f437d13fd733

  • SSDEEP

    12288:dMrky90n5a05+rd/0P9TpG111PV16jbfm:FygwR/0PdyvPV16jrm

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0df3b350b419160d759f577879e00417f1ca24198357d656883a1b88d1bc2a43.exe
    "C:\Users\Admin\AppData\Local\Temp\0df3b350b419160d759f577879e00417f1ca24198357d656883a1b88d1bc2a43.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3084
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZd5182.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZd5182.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1784
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr745615.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr745615.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2448
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku772156.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku772156.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1664

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZd5182.exe
    Filesize

    387KB

    MD5

    1b34f659beae4c8d5fd0ea7c698b855b

    SHA1

    51dfd69d7964bfae4d8410f7d8950c83b429394b

    SHA256

    0a610ccdad72f12e255c38b471179ee8afa0ee0ae3233636bd1dcb37205a3ffe

    SHA512

    217ba315d34469be6185b1b084ef1a33644ec166584281e27687a054ac13af77c605a0aad32db3df20bdfce632c90585b3f6418d46b4434312dafa82e7a535a9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr745615.exe
    Filesize

    12KB

    MD5

    cea9b9dbeb7b69e04cf011e72a75c2d1

    SHA1

    3d4163afb1c2ecac4a09c395d707621eeedcc286

    SHA256

    0b9f4021e83d7da3c7506d28a1aaa8dce95728b6fd133b5565c9bd0e45636c89

    SHA512

    b0131bde853576fcddaaac2a0de217e562e6fb0c3bd9f36bc8dff8b8c097b5a99341049eb4d3c9f65b5dea428ecc938762913c6d3f4004d4cd993f26564f2d53

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku772156.exe
    Filesize

    353KB

    MD5

    4e3fe03966ba5af9d13a2ea264b69d4b

    SHA1

    01a85e782a6637370cef3f016d5677edcd949200

    SHA256

    0e93f0490f9ca7c77a8f2c3141fc7a1c38dcfdaabbb6e60514821572e9bac62d

    SHA512

    d8545dc6a8ba13cad956cd55cb05f9f8a8252c2fe63fe3e6fc8e07c72992f008d1d63d8c92833908eda8989f70eaf93625bb40a3c847136eeb0f9a712113e9bc

    Download Submit

  • memory/1664-64-0x00000000053F0000-0x000000000542F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1664-22-0x00000000028C0000-0x0000000002906000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1664-935-0x0000000005ED0000-0x0000000005F1C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1664-60-0x00000000053F0000-0x000000000542F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1664-23-0x0000000004E00000-0x00000000053A4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1664-24-0x00000000053F0000-0x0000000005434000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1664-36-0x00000000053F0000-0x000000000542F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1664-40-0x00000000053F0000-0x000000000542F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1664-88-0x00000000053F0000-0x000000000542F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1664-86-0x00000000053F0000-0x000000000542F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1664-62-0x00000000053F0000-0x000000000542F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1664-82-0x00000000053F0000-0x000000000542F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1664-56-0x00000000053F0000-0x000000000542F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1664-76-0x00000000053F0000-0x000000000542F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1664-74-0x00000000053F0000-0x000000000542F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1664-72-0x00000000053F0000-0x000000000542F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1664-70-0x00000000053F0000-0x000000000542F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1664-68-0x00000000053F0000-0x000000000542F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1664-66-0x00000000053F0000-0x000000000542F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1664-934-0x0000000005D80000-0x0000000005DBC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1664-84-0x00000000053F0000-0x000000000542F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1664-933-0x0000000005D60000-0x0000000005D72000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1664-80-0x00000000053F0000-0x000000000542F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1664-54-0x00000000053F0000-0x000000000542F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1664-52-0x00000000053F0000-0x000000000542F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1664-50-0x00000000053F0000-0x000000000542F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1664-48-0x00000000053F0000-0x000000000542F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1664-46-0x00000000053F0000-0x000000000542F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1664-44-0x00000000053F0000-0x000000000542F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1664-42-0x00000000053F0000-0x000000000542F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1664-38-0x00000000053F0000-0x000000000542F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1664-34-0x00000000053F0000-0x000000000542F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1664-32-0x00000000053F0000-0x000000000542F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1664-30-0x00000000053F0000-0x000000000542F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1664-78-0x00000000053F0000-0x000000000542F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1664-58-0x00000000053F0000-0x000000000542F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1664-28-0x00000000053F0000-0x000000000542F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1664-26-0x00000000053F0000-0x000000000542F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1664-25-0x00000000053F0000-0x000000000542F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1664-931-0x0000000005580000-0x0000000005B98000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1664-932-0x0000000005C20000-0x0000000005D2A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2448-17-0x00007FFFA23C3000-0x00007FFFA23C5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2448-14-0x00007FFFA23C3000-0x00007FFFA23C5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2448-15-0x0000000000800000-0x000000000080A000-memory.dmp

    Filesize

    40KB

    Download