Overview

overview

10

Static

static

3

193827f468...81.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-11-2024 11:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    193827f468bd15c86887cec6be6332a2afc33dc73f814b5390e88923507a7881.exe

  • Size

    537KB

  • MD5

    1d836e8b39f0682f943cbbc86bf39a0a

  • SHA1

    18e10edeb75d24fbe717aca5b34c5045196ff2fd

  • SHA256

    193827f468bd15c86887cec6be6332a2afc33dc73f814b5390e88923507a7881

  • SHA512

    cdcb03eb800f24a6b52a5672601312f3404b8e007de5962f5fcf2431ec71a2bb0a0b9b4102b1bb76d1d5a6d1f1af80fe9efb41cf238edb05ff0251ba6d221ff0

  • SSDEEP

    12288:lMrMy90RH+ujyqsNXoWsOuurRH1l6JBCHX:pyieujJQpuurRH1lUB8X

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\193827f468bd15c86887cec6be6332a2afc33dc73f814b5390e88923507a7881.exe
    "C:\Users\Admin\AppData\Local\Temp\193827f468bd15c86887cec6be6332a2afc33dc73f814b5390e88923507a7881.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3860
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyV2460.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyV2460.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1404
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr473421.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr473421.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4140
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku696196.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku696196.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4004

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyV2460.exe
    Filesize

    395KB

    MD5

    c272e56c9c9b4f1f2fdd8f570bd1de79

    SHA1

    a0ef6f248d0222514d8429d178cca749821c30ac

    SHA256

    86ff651d1aeb553a1fc5c8d27a9f2eb1d380d3c459e644466cedce1c31b88eef

    SHA512

    4929d0ccb41d029d5676fc6070f890c97c54f8e742347bad0ed794e19c74e868f65a74c642982c342fb02a652950b8de35b380c3f1858796bb5330b506137dc0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr473421.exe
    Filesize

    12KB

    MD5

    74e05e0d6fa183f1c8fb1b068f30500e

    SHA1

    6aebcdd727e3ee78293cf0d90a8cddc0e15a29b3

    SHA256

    6defc00c8b5d5563f6c44430a8c3090b384c339507d425a5a2484da9197bfa9b

    SHA512

    45881a63c7a94913c24426d44f46e069da43959c4cfc47f90985882b44a4d160e21510c0540fd8d09924fe02088785f647c8a0ce66ca7081cfdfd6f4520002aa

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku696196.exe
    Filesize

    353KB

    MD5

    cf5ea69fc291f1434859d96e8d5d641c

    SHA1

    e7d49fca30787c3c17bb458d16ab2b86f7bad7b7

    SHA256

    baf67559dd85636f548a42ef351b1d2cc40791a326ca6fcf0d8682baa81c40e0

    SHA512

    8e1c2d9125319514b105340900676fac92723ca2991c6491d84bdb24eea79184b283f1e8cb557a1fd41adce160eb9b01679c89fd2bc342827bf659897868b1a5

    Download Submit

  • memory/4004-64-0x00000000029D0000-0x0000000002A0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4004-22-0x0000000002720000-0x0000000002766000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4004-935-0x0000000005D90000-0x0000000005DDC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4004-60-0x00000000029D0000-0x0000000002A0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4004-23-0x0000000005050000-0x00000000055F4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4004-24-0x00000000029D0000-0x0000000002A14000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4004-34-0x00000000029D0000-0x0000000002A0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4004-38-0x00000000029D0000-0x0000000002A0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4004-88-0x00000000029D0000-0x0000000002A0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4004-86-0x00000000029D0000-0x0000000002A0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4004-62-0x00000000029D0000-0x0000000002A0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4004-82-0x00000000029D0000-0x0000000002A0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4004-58-0x00000000029D0000-0x0000000002A0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4004-78-0x00000000029D0000-0x0000000002A0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4004-76-0x00000000029D0000-0x0000000002A0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4004-74-0x00000000029D0000-0x0000000002A0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4004-70-0x00000000029D0000-0x0000000002A0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4004-68-0x00000000029D0000-0x0000000002A0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4004-66-0x00000000029D0000-0x0000000002A0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4004-934-0x0000000005C40000-0x0000000005C7C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4004-84-0x00000000029D0000-0x0000000002A0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4004-933-0x0000000005C20000-0x0000000005C32000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4004-80-0x00000000029D0000-0x0000000002A0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4004-56-0x00000000029D0000-0x0000000002A0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4004-52-0x00000000029D0000-0x0000000002A0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4004-50-0x00000000029D0000-0x0000000002A0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4004-48-0x00000000029D0000-0x0000000002A0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4004-46-0x00000000029D0000-0x0000000002A0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4004-44-0x00000000029D0000-0x0000000002A0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4004-42-0x00000000029D0000-0x0000000002A0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4004-40-0x00000000029D0000-0x0000000002A0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4004-36-0x00000000029D0000-0x0000000002A0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4004-32-0x00000000029D0000-0x0000000002A0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4004-30-0x00000000029D0000-0x0000000002A0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4004-72-0x00000000029D0000-0x0000000002A0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4004-54-0x00000000029D0000-0x0000000002A0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4004-28-0x00000000029D0000-0x0000000002A0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4004-26-0x00000000029D0000-0x0000000002A0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4004-25-0x00000000029D0000-0x0000000002A0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4004-931-0x0000000005600000-0x0000000005C18000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4004-932-0x0000000004F10000-0x000000000501A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4140-16-0x00007FFAC19A3000-0x00007FFAC19A5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4140-14-0x00007FFAC19A3000-0x00007FFAC19A5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4140-15-0x0000000000270000-0x000000000027A000-memory.dmp

    Filesize

    40KB

    Download