Overview

overview

10

Static

static

3

cbcd03abc2...ec.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-11-2024 09:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cbcd03abc247042f97201be93bbf06f62ac72fbacea4a009281802d3f0d94fec.exe

  • Size

    658KB

  • MD5

    c3415f43ee8fe9758efc2bed5ca3a61b

  • SHA1

    61de3a6a6efa71ac1b65f298268189dfdf100102

  • SHA256

    cbcd03abc247042f97201be93bbf06f62ac72fbacea4a009281802d3f0d94fec

  • SHA512

    148368121b5eb5945ef6fda35603336d17a7bf98e8414292f4acca57386b3b3c4c784a1c4e1b3906ac23f167166e6cf92391e086620ff2d482f8d5a5de3de522

  • SSDEEP

    12288:mMroy90GScGPRH7ylsKQCbWi/d7Mp/CPGzcocltODtZ+EIZxS/WnQ76r3:CynpGJ+lLQliFAp/4orZZ+EIz+76b

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cbcd03abc247042f97201be93bbf06f62ac72fbacea4a009281802d3f0d94fec.exe
    "C:\Users\Admin\AppData\Local\Temp\cbcd03abc247042f97201be93bbf06f62ac72fbacea4a009281802d3f0d94fec.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4664
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un610494.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un610494.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1164
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6381.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6381.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5016
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1080
          4⤵
          • Program crash
          PID:392
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2036.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2036.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2488
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5016 -ip 5016
    1⤵
      PID:1032

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un610494.exe
      Filesize

      516KB

      MD5

      ac2c9730c95b88cb9df9bbaa55d9bc08

      SHA1

      a7daeb8097399f20cebfcdb6bc9071f04055879f

      SHA256

      90622412948e0e6fa325b88948effa3119f88abcdd83e77eb946897f8b05cd38

      SHA512

      a3555b436283eea66a8c702a3fb7c5434e475f368cac6716dac6174c0344e913ff1ada5bb6980e6400bc1dca0c573161689ec39c88cdacb7101c75bb85f7bee3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6381.exe
      Filesize

      295KB

      MD5

      6a912ed0423006c477a8d6df9017c1a2

      SHA1

      cf4e703c49419ed1345795d46df0214aaeffb774

      SHA256

      099858c896d8fdd94e97c65b331ec62eb59214b07ccc40cba1b03b8a0237ef2e

      SHA512

      d14a1eb9aeedc3a5d7c25d4370579aa118ab548e0a7191a0a520c8b672e02322bf6d3b72e3b93e3385596fcf0c693e1716e1512d90cf668c9bb2367318d5ec1b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2036.exe
      Filesize

      354KB

      MD5

      040a7cc39e5cc0d380cd62056566d3be

      SHA1

      2d2600227b7b18e4fa5b9032d26158cbdb60b9a1

      SHA256

      f979ef7d78c09f4fa537cc7d9abc28b7af5fce33190f1b054478947463892987

      SHA512

      ef91431f486e694c208bc3c575259b9994753ba1f6e2f37c17051dfe58bd5376cc1440db0bb7cabfd3c72619bfe08b1cfd5a66f5b1510591496317dcf3d4eb88

      Download Submit

    • memory/2488-73-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2488-77-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2488-969-0x0000000007F90000-0x000000000809A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2488-968-0x00000000078F0000-0x0000000007F08000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2488-62-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2488-63-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2488-65-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2488-67-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2488-69-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2488-71-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2488-971-0x00000000080F0000-0x000000000812C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2488-972-0x0000000008240000-0x000000000828C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2488-75-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2488-970-0x00000000080D0000-0x00000000080E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2488-79-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2488-83-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2488-85-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2488-87-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2488-89-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2488-91-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2488-93-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2488-95-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2488-81-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2488-61-0x0000000004E00000-0x0000000004E44000-memory.dmp

      Filesize

      272KB

      Download

    • memory/2488-60-0x0000000004C10000-0x0000000004C56000-memory.dmp

      Filesize

      280KB

      Download

    • memory/5016-41-0x0000000007250000-0x0000000007262000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5016-54-0x0000000000400000-0x0000000002B78000-memory.dmp

      Filesize

      39.5MB

      Download

    • memory/5016-55-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/5016-51-0x0000000000400000-0x0000000002B78000-memory.dmp

      Filesize

      39.5MB

      Download

    • memory/5016-52-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/5016-50-0x00000000046D0000-0x00000000046FD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/5016-49-0x0000000002E30000-0x0000000002F30000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/5016-21-0x0000000007250000-0x0000000007262000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5016-24-0x0000000007250000-0x0000000007262000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5016-26-0x0000000007250000-0x0000000007262000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5016-28-0x0000000007250000-0x0000000007262000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5016-30-0x0000000007250000-0x0000000007262000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5016-32-0x0000000007250000-0x0000000007262000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5016-34-0x0000000007250000-0x0000000007262000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5016-36-0x0000000007250000-0x0000000007262000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5016-38-0x0000000007250000-0x0000000007262000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5016-42-0x0000000007250000-0x0000000007262000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5016-45-0x0000000007250000-0x0000000007262000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5016-46-0x0000000007250000-0x0000000007262000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5016-48-0x0000000007250000-0x0000000007262000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5016-22-0x0000000007250000-0x0000000007262000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5016-20-0x0000000007250000-0x0000000007268000-memory.dmp

      Filesize

      96KB

      Download

    • memory/5016-19-0x0000000007360000-0x0000000007904000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/5016-18-0x0000000004C70000-0x0000000004C8A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/5016-17-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/5016-16-0x00000000046D0000-0x00000000046FD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/5016-15-0x0000000002E30000-0x0000000002F30000-memory.dmp

      Filesize

      1024KB

      Download