Overview

overview

10

Static

static

3

f8ba8a7df2...1c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 20:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f8ba8a7df2c4857881057a3ada685733acf458032b52848fce1fcd674c213f1c.exe

  • Size

    988KB

  • MD5

    15dd1666acc309e0474f434c2781683c

  • SHA1

    fd29fd7194554cf2a8b7f3f3dfb8fb6e22c74345

  • SHA256

    f8ba8a7df2c4857881057a3ada685733acf458032b52848fce1fcd674c213f1c

  • SHA512

    44ac371113644313e1f023f4bb0ab4ef998fd1beaa99f722587b66f52860a30bda77d0e61be8e097926e3921234df77552cf18b77ab5d99d018d277d40dbd4ff

  • SSDEEP

    24576:Jyv7/25MxeplzYG1D2TejgpulIyJKFKSZ4IN0X:8T+megW2yj6uRKFKS1

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 19 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f8ba8a7df2c4857881057a3ada685733acf458032b52848fce1fcd674c213f1c.exe
    "C:\Users\Admin\AppData\Local\Temp\f8ba8a7df2c4857881057a3ada685733acf458032b52848fce1fcd674c213f1c.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3412
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap0378.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap0378.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0461.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0461.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1872
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2491.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2491.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5028
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0473.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0473.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4176
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8201UC.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8201UC.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1668
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 1084
              6⤵
              • Program crash
              PID:2916
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w18aJ48.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w18aJ48.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3020
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1668 -ip 1668
    1⤵
      PID:2248

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap0378.exe
      Filesize

      805KB

      MD5

      645a6bcee042edc68d777d6eb9f79d2e

      SHA1

      2af14226ec5d69b8b7482b4e53adf2a82438c3d1

      SHA256

      20146dda97dbd91be3fb0d4f810cbc877dc833c48388e8075c2998248609134f

      SHA512

      78c7807744e1af3ebd12594d57c14b0b072156df1e186968ccfc45b92d3c3067d5bd0b2a6893065bf7f00367ab2ac93fe515cf40db8dd6cf2d6c4e2b198ac308

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0461.exe
      Filesize

      650KB

      MD5

      6e933fac96043347feca96db031329c8

      SHA1

      a73d2bb0bbc7b0a0258f1683f70626d4a18259df

      SHA256

      6773d1baf6c507379728cb80d2fe30ed19692eca5d4cab9d82a8a4054d9a7efd

      SHA512

      1f0da4402413c5e88424117b1c81d589900ae0a2d8fb190307a155ced782432b3dee2787a234402e3a9b995a493e132a2dcd62807ecee957485b399fcc0eebb0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w18aJ48.exe
      Filesize

      292KB

      MD5

      03aad15105d68d1c594c2af36d29d7f4

      SHA1

      0153ddd12289cc2da97920b3d5f85de7aee9c315

      SHA256

      b4531a78a3360a150a187afc0d2edff1c3d8491766cabaf1369731982b2e58a1

      SHA512

      9ff4b615e63782914c143f400d05c7b25da4c98212a51e03ee334fb469e8992f4203cd60f9c925e4a23279b1256b227e22de1881149b4f2aaa57be3b96e68ef2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2491.exe
      Filesize

      322KB

      MD5

      491b75acd725148969ef7e2708d3b979

      SHA1

      53933c46f6f2f1d8aef25a329f4c355c497269af

      SHA256

      86c3da0321fcc56f3821e393c65df5d6902919960a46e20b45c916db7126c0c7

      SHA512

      c6113c3f245f2109ee5719a1d0d69794f239e2a9b37c19be97c0899dac7a3fe9ef70064c9a361ca9ee2989224ad5f2bf8df3b0f2cfc4b75a1c43d3cdcf77a084

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0473.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8201UC.exe
      Filesize

      235KB

      MD5

      e73d07ac35e58f6dbf8c6d3d8f9302de

      SHA1

      60a1c0485dbfb06a54653aea2beb4d25776ccf06

      SHA256

      2d68213419d7552ca6e8d4d959c167c5fac73901aae5cc9d0a6ef73f7021beb8

      SHA512

      366ae9a9faf70bb49185b706b5b4e16215229504effd61310a2641dc06e2ad39e80b53b296e5796c3be3e259dedfcf53a1bcfa9a6abfbd13d4b29e28cc5dbb3e

      Download Submit

    • memory/1668-67-0x0000000000400000-0x00000000004A8000-memory.dmp

      Filesize

      672KB

      Download

    • memory/1668-35-0x0000000004AF0000-0x0000000005094000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1668-36-0x0000000004A30000-0x0000000004A48000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1668-44-0x0000000004A30000-0x0000000004A42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1668-64-0x0000000004A30000-0x0000000004A42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1668-56-0x0000000004A30000-0x0000000004A42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1668-54-0x0000000004A30000-0x0000000004A42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1668-52-0x0000000004A30000-0x0000000004A42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1668-50-0x0000000004A30000-0x0000000004A42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1668-48-0x0000000004A30000-0x0000000004A42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1668-46-0x0000000004A30000-0x0000000004A42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1668-42-0x0000000004A30000-0x0000000004A42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1668-62-0x0000000004A30000-0x0000000004A42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1668-60-0x0000000004A30000-0x0000000004A42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1668-58-0x0000000004A30000-0x0000000004A42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1668-40-0x0000000004A30000-0x0000000004A42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1668-38-0x0000000004A30000-0x0000000004A42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1668-37-0x0000000004A30000-0x0000000004A42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1668-65-0x0000000000400000-0x00000000004A8000-memory.dmp

      Filesize

      672KB

      Download

    • memory/1668-34-0x00000000021C0000-0x00000000021DA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3020-85-0x00000000023A0000-0x00000000023DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3020-89-0x00000000023A0000-0x00000000023DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3020-73-0x00000000023A0000-0x00000000023E4000-memory.dmp

      Filesize

      272KB

      Download

    • memory/3020-984-0x0000000005A30000-0x0000000005A7C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3020-87-0x00000000023A0000-0x00000000023DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3020-107-0x00000000023A0000-0x00000000023DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3020-105-0x00000000023A0000-0x00000000023DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3020-103-0x00000000023A0000-0x00000000023DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3020-101-0x00000000023A0000-0x00000000023DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3020-97-0x00000000023A0000-0x00000000023DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3020-96-0x00000000023A0000-0x00000000023DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3020-93-0x00000000023A0000-0x00000000023DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3020-91-0x00000000023A0000-0x00000000023DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3020-72-0x00000000021D0000-0x0000000002216000-memory.dmp

      Filesize

      280KB

      Download

    • memory/3020-83-0x00000000023A0000-0x00000000023DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3020-81-0x00000000023A0000-0x00000000023DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3020-79-0x00000000023A0000-0x00000000023DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3020-99-0x00000000023A0000-0x00000000023DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3020-77-0x00000000023A0000-0x00000000023DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3020-75-0x00000000023A0000-0x00000000023DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3020-74-0x00000000023A0000-0x00000000023DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3020-980-0x00000000050E0000-0x00000000056F8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3020-981-0x0000000005780000-0x000000000588A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3020-982-0x00000000058C0000-0x00000000058D2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3020-983-0x00000000059E0000-0x0000000005A1C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4176-28-0x0000000000570000-0x000000000057A000-memory.dmp

      Filesize

      40KB

      Download