Overview

overview

10

Static

static

3

7f49b52ec4...bf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 20:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7f49b52ec48e7599fcf3262ccc66444d6282994e21687f91b1c32a02f2bb89bf.exe

  • Size

    529KB

  • MD5

    1c8ada3844ddcb3657bd93ab0635d082

  • SHA1

    4293c8e73890c9e548051d7d4b04da6a291189cc

  • SHA256

    7f49b52ec48e7599fcf3262ccc66444d6282994e21687f91b1c32a02f2bb89bf

  • SHA512

    a829f425874e3d0e67d9276edc7b1282142c80ef46bc4a33b6cd442a90ba5dd3bbc24fc7a17d853e6490f2524fa545b96c60462ad335c42a31a61644c6fc13e1

  • SSDEEP

    12288:DMrry90id4FmUyGf9+UhxLlVs5vE85xoQyfBiTZfH:QyXd4MmhxL7s5vE8Tum9H

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7f49b52ec48e7599fcf3262ccc66444d6282994e21687f91b1c32a02f2bb89bf.exe
    "C:\Users\Admin\AppData\Local\Temp\7f49b52ec48e7599fcf3262ccc66444d6282994e21687f91b1c32a02f2bb89bf.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:884
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zivG9391.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zivG9391.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1592
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr161534.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr161534.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2484
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku944475.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku944475.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:988
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:2696

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zivG9391.exe
    Filesize

    387KB

    MD5

    18fb4526eb9a24f41ae06fff847e96e7

    SHA1

    45717d55dc233c261412a9ac2800b76e31ddb038

    SHA256

    22d784cf89f6639ab90a56a6decbc6f42cb394db5ca73a667beb7878bee58b38

    SHA512

    88033532747efc5c35ff66cc72771d795ba3444680bffc6249715d11412c1e9c84897741b78158d8660acac1947dc4305a5441ffef5a975822980a04437bc79a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr161534.exe
    Filesize

    11KB

    MD5

    4b19e2b183af99788f81179d61bbd287

    SHA1

    eb3d2d48c3bb704c2f469a76af2867b4aaaec660

    SHA256

    7170e37b5077c1b6e099a45f301268e4c2c3dc0d901466528e1ecb8eec111880

    SHA512

    3b3637af9561901244f60bb80bf45fba4360f1e32a9804493e310a8c04bb97ad94e2f90723964cea8e6d4cf2ddb364f9c5ee754795a19c584ff5d371e16b5b46

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku944475.exe
    Filesize

    354KB

    MD5

    0292c55dad880cc1da46618f8409d0cb

    SHA1

    ca78d10b3d38369769c5ff825e35c2b2384175fa

    SHA256

    58480ea73e2c6b75d34656492635825daf7c62df35a045f5aeb86daf4c961ea9

    SHA512

    c238007fd55db9fc4d514217bd996ab1c73342b8f8aa53667ce455e9bac012a7fb0c54627024bce5b06748360c5e04fb5b79233dfe4275a08a40b8f9816f4adb

    Download Submit

  • memory/988-62-0x00000000071D0000-0x000000000720F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/988-22-0x0000000004DA0000-0x0000000004DE6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/988-935-0x0000000008110000-0x000000000815C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/988-59-0x00000000071D0000-0x000000000720F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/988-23-0x00000000073B0000-0x0000000007954000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/988-24-0x00000000071D0000-0x0000000007214000-memory.dmp

    Filesize

    272KB

    Download

  • memory/988-30-0x00000000071D0000-0x000000000720F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/988-40-0x00000000071D0000-0x000000000720F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/988-88-0x00000000071D0000-0x000000000720F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/988-86-0x00000000071D0000-0x000000000720F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/988-60-0x00000000071D0000-0x000000000720F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/988-80-0x00000000071D0000-0x000000000720F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/988-56-0x00000000071D0000-0x000000000720F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/988-77-0x00000000071D0000-0x000000000720F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/988-74-0x00000000071D0000-0x000000000720F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/988-72-0x00000000071D0000-0x000000000720F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/988-70-0x00000000071D0000-0x000000000720F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/988-68-0x00000000071D0000-0x000000000720F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/988-66-0x00000000071D0000-0x000000000720F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/988-934-0x0000000007FC0000-0x0000000007FFC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/988-84-0x00000000071D0000-0x000000000720F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/988-933-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/988-78-0x00000000071D0000-0x000000000720F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/988-54-0x00000000071D0000-0x000000000720F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/988-52-0x00000000071D0000-0x000000000720F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/988-50-0x00000000071D0000-0x000000000720F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/988-48-0x00000000071D0000-0x000000000720F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/988-46-0x00000000071D0000-0x000000000720F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/988-44-0x00000000071D0000-0x000000000720F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/988-38-0x00000000071D0000-0x000000000720F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/988-36-0x00000000071D0000-0x000000000720F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/988-34-0x00000000071D0000-0x000000000720F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/988-32-0x00000000071D0000-0x000000000720F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/988-82-0x00000000071D0000-0x000000000720F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/988-64-0x00000000071D0000-0x000000000720F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/988-42-0x00000000071D0000-0x000000000720F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/988-28-0x00000000071D0000-0x000000000720F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/988-26-0x00000000071D0000-0x000000000720F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/988-25-0x00000000071D0000-0x000000000720F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/988-931-0x0000000007960000-0x0000000007F78000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/988-932-0x0000000007280000-0x000000000738A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2484-16-0x00007FFEF5CB3000-0x00007FFEF5CB5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2484-14-0x00007FFEF5CB3000-0x00007FFEF5CB5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2484-15-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

    Filesize

    40KB

    Download