Overview

overview

10

Static

static

3

8826114cd5...e7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 21:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8826114cd55c14eb7028340b2d902261baa10b13b5db546d0187566647e6efe7.exe

  • Size

    537KB

  • MD5

    c7fb8718aa3722c578c4a0ad1c713d0d

  • SHA1

    4cf3f0a236fa91a6e6201979f7bd217af4f7c927

  • SHA256

    8826114cd55c14eb7028340b2d902261baa10b13b5db546d0187566647e6efe7

  • SHA512

    ffe19293a30ff49339caf564773a46259b3cadccaec826f1b3cd75b652009b338446fd1ebab519f389956df6a4dadd042b22e88ba9a6ae31bbb3cb6ee1232c5b

  • SSDEEP

    12288:UMr8y90IIKq+WJHo3vAYThdxrU1JHKwZUQWVGZw:oyso3vA8hvrmqwZUQWyw

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8826114cd55c14eb7028340b2d902261baa10b13b5db546d0187566647e6efe7.exe
    "C:\Users\Admin\AppData\Local\Temp\8826114cd55c14eb7028340b2d902261baa10b13b5db546d0187566647e6efe7.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1788
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOY7602.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOY7602.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr812058.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr812058.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1772
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku511748.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku511748.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:968
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:4036

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOY7602.exe
    Filesize

    395KB

    MD5

    f7b946daa19ac330494413e3ed193bfd

    SHA1

    c1cf9c6a215e8e429bb39c750ebc0b6ff161a56b

    SHA256

    70ae1b91d31d1ea69f91127eb0420799d7026fec71a29aeafdeeb970aa890866

    SHA512

    88646b918b95dca85148ced391a1f965295b8788a97fa4d8404d808df8262c2d59ea61745672581c3331752d3fd8ca11de4103c2042b990713103e626f40ef98

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr812058.exe
    Filesize

    14KB

    MD5

    f5765bf30bffe3a19a993e1c6ebe2cab

    SHA1

    efe8e6b1f42ff3be1cff24d67af767907a45d629

    SHA256

    7b8ffd8883f60f9799a3780a73bf93a9842cc9470d7fa513e8df9b83ccede0f2

    SHA512

    b343d5fdaaa49b8fec0451778d0f0d9dea1ba89e6b3deabbb6348e3d03317b0cb3346a75db50231f94c236e042a8514c404e763b180673b10e5cad70b1a86b8e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku511748.exe
    Filesize

    352KB

    MD5

    065b8ded63ecbbb08d51f8e86cbc26e3

    SHA1

    b70907bac4c1c35551cf65d6b38d25ef1844b4c7

    SHA256

    c9dffec914583f6c7327e6eadbcaf878e1a3acd67638e8797ea7fbaaa0bc684a

    SHA512

    b15771b3d0b0079388ab5054cee1f885d9b86b2bf811fa50696ec886652fba67d8d33dbee12a8fde90948b962866044dd18c7073730c13fe3a7d1722a415ef2a

    Download Submit

  • memory/968-64-0x00000000027D0000-0x000000000280F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/968-22-0x00000000025C0000-0x0000000002606000-memory.dmp

    Filesize

    280KB

    Download

  • memory/968-935-0x0000000005D80000-0x0000000005DCC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/968-60-0x00000000027D0000-0x000000000280F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/968-23-0x0000000004F40000-0x00000000054E4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/968-24-0x00000000027D0000-0x0000000002814000-memory.dmp

    Filesize

    272KB

    Download

  • memory/968-28-0x00000000027D0000-0x000000000280F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/968-38-0x00000000027D0000-0x000000000280F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/968-88-0x00000000027D0000-0x000000000280F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/968-86-0x00000000027D0000-0x000000000280F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/968-62-0x00000000027D0000-0x000000000280F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/968-82-0x00000000027D0000-0x000000000280F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/968-58-0x00000000027D0000-0x000000000280F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/968-78-0x00000000027D0000-0x000000000280F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/968-74-0x00000000027D0000-0x000000000280F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/968-72-0x00000000027D0000-0x000000000280F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/968-70-0x00000000027D0000-0x000000000280F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/968-68-0x00000000027D0000-0x000000000280F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/968-66-0x00000000027D0000-0x000000000280F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/968-934-0x0000000005C40000-0x0000000005C7C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/968-84-0x00000000027D0000-0x000000000280F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/968-933-0x0000000005C20000-0x0000000005C32000-memory.dmp

    Filesize

    72KB

    Download

  • memory/968-80-0x00000000027D0000-0x000000000280F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/968-54-0x00000000027D0000-0x000000000280F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/968-52-0x00000000027D0000-0x000000000280F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/968-50-0x00000000027D0000-0x000000000280F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/968-48-0x00000000027D0000-0x000000000280F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/968-46-0x00000000027D0000-0x000000000280F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/968-44-0x00000000027D0000-0x000000000280F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/968-42-0x00000000027D0000-0x000000000280F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/968-36-0x00000000027D0000-0x000000000280F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/968-34-0x00000000027D0000-0x000000000280F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/968-32-0x00000000027D0000-0x000000000280F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/968-31-0x00000000027D0000-0x000000000280F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/968-76-0x00000000027D0000-0x000000000280F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/968-56-0x00000000027D0000-0x000000000280F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/968-40-0x00000000027D0000-0x000000000280F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/968-26-0x00000000027D0000-0x000000000280F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/968-25-0x00000000027D0000-0x000000000280F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/968-931-0x00000000054F0000-0x0000000005B08000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/968-932-0x0000000005B10000-0x0000000005C1A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1772-16-0x00007FFDDE6E3000-0x00007FFDDE6E5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1772-14-0x00007FFDDE6E3000-0x00007FFDDE6E5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1772-15-0x0000000000770000-0x000000000077A000-memory.dmp

    Filesize

    40KB

    Download