Overview

overview

10

Static

static

3

560c4fb87f...dd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-11-2024 12:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    560c4fb87f585547c78f90eec8465af94e7ea81dc27730f14bfaba68cc331add.exe

  • Size

    530KB

  • MD5

    780eb5654894c821bc20a1a27691c2c6

  • SHA1

    58cb12fcc4e6e313c30cf7471cecf7d73c72d73c

  • SHA256

    560c4fb87f585547c78f90eec8465af94e7ea81dc27730f14bfaba68cc331add

  • SHA512

    897eddc130dd79d5fbbf0b9b719b73cc4624dc4b317b99b535cd10198beb93be51d8e65003aa5398f602d7269d1f05af911870ee2ff71d20506f78fdaa59d43d

  • SSDEEP

    6144:Kpy+bnr+rp0yN90QEV6bVZ1QaGcP8MKghPLveRDBC3e9RZzxxEDwoxEJYvHxIr7C:HMrTy90m3+C8zGve/1ZzvE8oxBRuvMl

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\560c4fb87f585547c78f90eec8465af94e7ea81dc27730f14bfaba68cc331add.exe
    "C:\Users\Admin\AppData\Local\Temp\560c4fb87f585547c78f90eec8465af94e7ea81dc27730f14bfaba68cc331add.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1496
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEw5064.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEw5064.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3064
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr369251.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr369251.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3112
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku040245.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku040245.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:228

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEw5064.exe
    Filesize

    388KB

    MD5

    3fb5804a5ccc525e9d908964ee04f856

    SHA1

    bbcb0916905b1fff1128094d1281bd433ad13ca4

    SHA256

    354018c7b1b70623c4e031d257e60d81686b03afc46a169764819ded9efe731f

    SHA512

    3799a092a6b734ff776d11495f2fd5ef722eee3ce38636148511c7d14c91585671d988b3c964704bf3ba888dbe771e9cd43f4cbf0aaf8e0c7e91a963eba781f3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr369251.exe
    Filesize

    11KB

    MD5

    a4051cea1b9a4b9a175aa5316e4f248b

    SHA1

    fa488793db62e5ff4bc64ea795e8b2801a1e58f5

    SHA256

    5e63a27875ab5b1913146f0299afe4c78c104d02e85d5ec9e40726cbafe79ab9

    SHA512

    1af75c592870cb6515aa99e8e0b594d0416e41b9b48f4904dc9e780c9ec242d924666d4eee2eb8b1a7300a1fd04d2af75ee71520ca3278fbbc16cb9c3ed5a8ee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku040245.exe
    Filesize

    354KB

    MD5

    0084d55beabbb299ed987101d2209809

    SHA1

    365d6326cc949d0511427cfa131cfb981f0a6383

    SHA256

    3faff1d27c7500670eb18788dc4f8440c11b441d1afc9afc99fd9bc9a3104a67

    SHA512

    8886a889c8a70ad3f95c16ca5997618b6b72196163ea6eb2f58fdb1508fd2b5c20a2d083798a38b120d866cba035e547c3a18fd693fc5a167f87d89420ab8761

    Download Submit

  • memory/228-70-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/228-22-0x0000000004B50000-0x0000000004B96000-memory.dmp

    Filesize

    280KB

    Download

  • memory/228-935-0x0000000008110000-0x000000000815C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/228-64-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/228-23-0x0000000007210000-0x00000000077B4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/228-24-0x0000000007190000-0x00000000071D4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/228-84-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/228-66-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/228-50-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/228-28-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/228-68-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/228-88-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/228-62-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/228-82-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/228-80-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/228-78-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/228-76-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/228-74-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/228-72-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/228-934-0x0000000007FC0000-0x0000000007FFC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/228-25-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/228-933-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/228-86-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/228-60-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/228-58-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/228-56-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/228-54-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/228-52-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/228-48-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/228-46-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/228-44-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/228-42-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/228-40-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/228-38-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/228-36-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/228-34-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/228-32-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/228-30-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/228-26-0x0000000007190000-0x00000000071CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/228-931-0x00000000077C0000-0x0000000007DD8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/228-932-0x0000000007E60000-0x0000000007F6A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3112-16-0x00007FFF287C3000-0x00007FFF287C5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3112-14-0x00007FFF287C3000-0x00007FFF287C5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3112-15-0x0000000000A50000-0x0000000000A5A000-memory.dmp

    Filesize

    40KB

    Download