Overview

overview

10

Static

static

3

ba8a69e867...f6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-11-2024 08:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ba8a69e867a7a78542ef7df5d02248850c265f5ada1d90a0f3ef8834a03799f6.exe

  • Size

    537KB

  • MD5

    eaba220c7b7d3dac46bcd8a48499e708

  • SHA1

    1d3bc5ceddcd179983fbe32a37ffe865ef91aad5

  • SHA256

    ba8a69e867a7a78542ef7df5d02248850c265f5ada1d90a0f3ef8834a03799f6

  • SHA512

    ee360bfb49f6a737ab932eeae43b372d9143d9b9789b6d9528c296bdd6f5228f2bec9ada6d854a32971dc29d99747c8e818317d1991fb7f38e6877b5bb8c4a03

  • SSDEEP

    12288:8MrEy90un9FwmEBu5prV5fWVrUdGHs8wooaP7bG6FjhFZFi:4yBwmnpkrXLw987Nxi

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ba8a69e867a7a78542ef7df5d02248850c265f5ada1d90a0f3ef8834a03799f6.exe
    "C:\Users\Admin\AppData\Local\Temp\ba8a69e867a7a78542ef7df5d02248850c265f5ada1d90a0f3ef8834a03799f6.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1176
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zinv4256.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zinv4256.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1380
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr453076.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr453076.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2464
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku119437.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku119437.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3188
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:1172

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zinv4256.exe
    Filesize

    395KB

    MD5

    1b545aad1f9485d8c86e1e061d65815c

    SHA1

    dac244595ffe9f5dcdd12622b5df418089a8f6ca

    SHA256

    09e2a40ef61073ee123a7d9153c6a0e1add26c3f65260c48f9bec1e7c19935f7

    SHA512

    6a78212ca2a12e77c12793c33d79c0ec15a865961deae6c2cd15f8bc27e7139bbde853f192f22203d9a430aa891a48ed064b7b8836739bac52e6cdcc84cce255

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr453076.exe
    Filesize

    14KB

    MD5

    477974078f61539d33857e4e347d1c12

    SHA1

    49e77dd5813765a7eef08ecead29e3351c2a60f9

    SHA256

    ccb79ec034cf9415940e864838a34df0bc448d040e2c3f06aafa6a2841540f5d

    SHA512

    4bad5129940fefb999a84a1e7f844e32d489a13d7c1cf60789912b1bcd0f85b6405e788eca2a2ed890f87392e359e286bbadff71fb30863b36767a8d5ddf7a4e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku119437.exe
    Filesize

    352KB

    MD5

    b6020f8f3334b099c6a6e035443e403d

    SHA1

    a66eb46e9c558951cda232e24488f5e1817eb425

    SHA256

    c44cbd79e6ebcaef0325400b059f92f45b4c420bdfe5c7e85603c1717371a87e

    SHA512

    cfae1a5e6df5b28e02944e70982b19918b33b7f7374c177095118efb14a8a50e5714201c9a49422ddbd703813d522ec49bcd555de2842d266bf48aec313c082a

    Download Submit

  • memory/2464-14-0x00007FFEC5CA3000-0x00007FFEC5CA5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2464-15-0x0000000000810000-0x000000000081A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2464-16-0x00007FFEC5CA3000-0x00007FFEC5CA5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3188-70-0x0000000002990000-0x00000000029CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3188-58-0x0000000002990000-0x00000000029CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3188-24-0x0000000002990000-0x00000000029D4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3188-38-0x0000000002990000-0x00000000029CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3188-28-0x0000000002990000-0x00000000029CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3188-26-0x0000000002990000-0x00000000029CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3188-25-0x0000000002990000-0x00000000029CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3188-46-0x0000000002990000-0x00000000029CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3188-88-0x0000000002990000-0x00000000029CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3188-86-0x0000000002990000-0x00000000029CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3188-82-0x0000000002990000-0x00000000029CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3188-80-0x0000000002990000-0x00000000029CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3188-78-0x0000000002990000-0x00000000029CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3188-76-0x0000000002990000-0x00000000029CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3188-74-0x0000000002990000-0x00000000029CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3188-72-0x0000000002990000-0x00000000029CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3188-22-0x00000000026D0000-0x0000000002716000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3188-66-0x0000000002990000-0x00000000029CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3188-64-0x0000000002990000-0x00000000029CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3188-62-0x0000000002990000-0x00000000029CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3188-60-0x0000000002990000-0x00000000029CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3188-23-0x0000000004FB0000-0x0000000005554000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3188-56-0x0000000002990000-0x00000000029CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3188-54-0x0000000002990000-0x00000000029CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3188-50-0x0000000002990000-0x00000000029CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3188-48-0x0000000002990000-0x00000000029CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3188-44-0x0000000002990000-0x00000000029CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3188-42-0x0000000002990000-0x00000000029CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3188-41-0x0000000002990000-0x00000000029CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3188-36-0x0000000002990000-0x00000000029CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3188-34-0x0000000002990000-0x00000000029CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3188-32-0x0000000002990000-0x00000000029CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3188-30-0x0000000002990000-0x00000000029CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3188-84-0x0000000002990000-0x00000000029CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3188-68-0x0000000002990000-0x00000000029CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3188-52-0x0000000002990000-0x00000000029CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3188-931-0x0000000005560000-0x0000000005B78000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3188-932-0x0000000005B80000-0x0000000005C8A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3188-933-0x0000000004F20000-0x0000000004F32000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3188-934-0x0000000004F40000-0x0000000004F7C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3188-935-0x0000000005D90000-0x0000000005DDC000-memory.dmp

    Filesize

    304KB

    Download