Overview

overview

10

Static

static

3

5dfb85736d...21.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-11-2024 11:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5dfb85736d44b0a68ae8a7c6fe606dd1d15a32fd081b83e36c239ebb232b4021.exe

  • Size

    561KB

  • MD5

    f2616447dddeb370711181ccc3f54840

  • SHA1

    e7d506eef2122df7b0571107d73dace0284f72a5

  • SHA256

    5dfb85736d44b0a68ae8a7c6fe606dd1d15a32fd081b83e36c239ebb232b4021

  • SHA512

    ff5523b807deb0f5d3985932d0410a6ea1f8be9558a71715333c363a9585ab2a25e0f05fca620acf0f17a6017afb5e41a39895bf0d411a3787a002676636e196

  • SSDEEP

    12288:SMrcy90xyAucgZBIeuZKeE6qBn17XPMX6pksKzIojWwie1:yysy5cQI19EPBn1LExsKHyHe1

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5dfb85736d44b0a68ae8a7c6fe606dd1d15a32fd081b83e36c239ebb232b4021.exe
    "C:\Users\Admin\AppData\Local\Temp\5dfb85736d44b0a68ae8a7c6fe606dd1d15a32fd081b83e36c239ebb232b4021.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3400
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYw6547.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYw6547.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:316
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr729727.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr729727.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2612
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku774153.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku774153.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2544
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:5440

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYw6547.exe
    Filesize

    407KB

    MD5

    2da70008ec202b9b5bf838659b5695b8

    SHA1

    a4280ea351414071bf95a4365964f4e65ada4ace

    SHA256

    3a24ca1c8d625d952f7edbb8fce5ec03607e4e173a8931697f39ac64f2fed4f4

    SHA512

    4455fd7f3414fd48dd80e9c39169368df9da0d797448342f3f318b6dcf96aa609934de9ab1e51b5bdd05dd3060a129f28da38e97331c26f415dd60c63b61e4c0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr729727.exe
    Filesize

    12KB

    MD5

    96c926ea822aada756c9753b44de0cc5

    SHA1

    c5f9fd36c6d308396d8f999d8460d9a189b9c2d6

    SHA256

    463b29bffe2b3b23e925e34165f34fa05662542cbddb62d35f6626684d338af6

    SHA512

    13d6c2835f99a5a20d208a4580173ceebf089d88c2f879242a8de526b5bdeba0e87a9abc4d3b6b6fc396a28db1e24cf5cd02f4694b7c1b88cf9294346ba99540

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku774153.exe
    Filesize

    372KB

    MD5

    45581c9a42e058c3dede0162b50ce497

    SHA1

    fdf7d24da2aaea4acda1a71d9feb916cfa6d6717

    SHA256

    caf9b6c0f693daf2ce03458b755f9a396656036eed8d5cb97c194d572238d9f5

    SHA512

    0db75aa1b078682075d2b9e4e902f8c76a08345af029c26629b8b2f7be9845f2414c0705f17c019b568aad1e18d3fd83ef8d49cf962b2bb6315cd9740ab3ff4d

    Download Submit

  • memory/2544-62-0x0000000004F80000-0x0000000004FBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2544-22-0x0000000002630000-0x0000000002676000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2544-935-0x0000000005EF0000-0x0000000005F3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2544-58-0x0000000004F80000-0x0000000004FBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2544-23-0x00000000050D0000-0x0000000005674000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2544-24-0x0000000004F80000-0x0000000004FC4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2544-30-0x0000000004F80000-0x0000000004FBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2544-42-0x0000000004F80000-0x0000000004FBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2544-88-0x0000000004F80000-0x0000000004FBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2544-87-0x0000000004F80000-0x0000000004FBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2544-60-0x0000000004F80000-0x0000000004FBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2544-80-0x0000000004F80000-0x0000000004FBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2544-56-0x0000000004F80000-0x0000000004FBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2544-76-0x0000000004F80000-0x0000000004FBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2544-74-0x0000000004F80000-0x0000000004FBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2544-72-0x0000000004F80000-0x0000000004FBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2544-70-0x0000000004F80000-0x0000000004FBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2544-66-0x0000000004F80000-0x0000000004FBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2544-64-0x0000000004F80000-0x0000000004FBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2544-934-0x0000000005EB0000-0x0000000005EEC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2544-82-0x0000000004F80000-0x0000000004FBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2544-933-0x0000000005070000-0x0000000005082000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2544-78-0x0000000004F80000-0x0000000004FBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2544-54-0x0000000004F80000-0x0000000004FBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2544-52-0x0000000004F80000-0x0000000004FBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2544-50-0x0000000004F80000-0x0000000004FBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2544-48-0x0000000004F80000-0x0000000004FBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2544-44-0x0000000004F80000-0x0000000004FBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2544-40-0x0000000004F80000-0x0000000004FBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2544-38-0x0000000004F80000-0x0000000004FBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2544-36-0x0000000004F80000-0x0000000004FBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2544-34-0x0000000004F80000-0x0000000004FBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2544-32-0x0000000004F80000-0x0000000004FBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2544-84-0x0000000004F80000-0x0000000004FBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2544-68-0x0000000004F80000-0x0000000004FBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2544-46-0x0000000004F80000-0x0000000004FBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2544-28-0x0000000004F80000-0x0000000004FBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2544-26-0x0000000004F80000-0x0000000004FBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2544-25-0x0000000004F80000-0x0000000004FBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2544-931-0x0000000005680000-0x0000000005C98000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2544-932-0x0000000005CA0000-0x0000000005DAA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2612-16-0x00007FF8021D3000-0x00007FF8021D5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2612-14-0x00007FF8021D3000-0x00007FF8021D5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2612-15-0x00000000005E0000-0x00000000005EA000-memory.dmp

    Filesize

    40KB

    Download