Overview

overview

10

Static

static

3

7cab917b2a...b4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-11-2024 14:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7cab917b2a7b988582688e7ba02834b176ac8b2f15da3e6cc19ecc33c22e07b4.exe

  • Size

    683KB

  • MD5

    cbc420afb49fe68118037457c4bab420

  • SHA1

    5f0270b581f988c1337eb622255a9d34bb5e6ac4

  • SHA256

    7cab917b2a7b988582688e7ba02834b176ac8b2f15da3e6cc19ecc33c22e07b4

  • SHA512

    1741c88b0a8949a6c4d6e0dac98d6ceb102718b6ac7ff7cd67258c584e2e84ea5f6eecc0652a794669536a6460c8944f17145ee94559cc4b1b5d3dadcd34e793

  • SSDEEP

    12288:EMrwy9032j3Z/WMS5laOe3qH9XG7OUyhmZL3donhiy:kyJLBS5TMqJnXmZLgR

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7cab917b2a7b988582688e7ba02834b176ac8b2f15da3e6cc19ecc33c22e07b4.exe
    "C:\Users\Admin\AppData\Local\Temp\7cab917b2a7b988582688e7ba02834b176ac8b2f15da3e6cc19ecc33c22e07b4.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3512
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un954343.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un954343.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3448
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6677.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6677.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:756
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 1080
          4⤵
          • Program crash
          PID:2024
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9395.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9395.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3724
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 756 -ip 756
    1⤵
      PID:4084

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un954343.exe
      Filesize

      541KB

      MD5

      38ae4095c8285b8f29b6a0f8c96d0193

      SHA1

      055924e61b06dff3edb02549656240a86af29fea

      SHA256

      9e0e813a3594bb0beadb27ec34acaf91560a6b425eb0b83e4ee9c03f78aaed2d

      SHA512

      0ef43093a10a0f5706b52cb4bf05ac50a35f4bd26f9fef8d93c57a54003da00a83c32243750380e79cd2d14da0c76bd1cd557a1a96c9950cdc4f163e54ad02f5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6677.exe
      Filesize

      321KB

      MD5

      77ba075ceb54646e10bceb44c18b3673

      SHA1

      40319ec69792a1fbd5cb6740f77f9a57cbaedaa4

      SHA256

      cba74279c090bb07d7b8e55d29edf152d609cee5808759fa5929e912f4b779fb

      SHA512

      84987ff1c4e1a653aecadf9ce8c871dd22a8db8853dd6d25ee15469567e9d87d242f9cea32074c687a716132afe16c404af50f6972a139bc9791d1d53a9efb25

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9395.exe
      Filesize

      380KB

      MD5

      1f42c790f5d9bfd64e7211cc0a62a2d6

      SHA1

      f4d7b327db39619481ec3ccadaf1f768a75aac3d

      SHA256

      f8b19277008a70bff0ab1dc736851f3e3589eea4453d9f68a942407b8ca233dd

      SHA512

      c6ef1ffdd98799ffa71dcad878d3c6a982aceef8273368ec5dbecb4f720532b9c7253aa95a06d1bafb8995be51d7e635ad1a89ae217d5903d1f49eaed692fc19

      Download Submit

    • memory/756-15-0x0000000002DE0000-0x0000000002EE0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/756-16-0x0000000002B80000-0x0000000002BAD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/756-17-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/756-18-0x00000000047F0000-0x000000000480A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/756-19-0x00000000070E0000-0x0000000007684000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/756-20-0x00000000076D0000-0x00000000076E8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/756-32-0x00000000076D0000-0x00000000076E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/756-34-0x00000000076D0000-0x00000000076E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/756-48-0x00000000076D0000-0x00000000076E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/756-46-0x00000000076D0000-0x00000000076E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/756-44-0x00000000076D0000-0x00000000076E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/756-42-0x00000000076D0000-0x00000000076E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/756-40-0x00000000076D0000-0x00000000076E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/756-38-0x00000000076D0000-0x00000000076E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/756-36-0x00000000076D0000-0x00000000076E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/756-30-0x00000000076D0000-0x00000000076E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/756-24-0x00000000076D0000-0x00000000076E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/756-22-0x00000000076D0000-0x00000000076E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/756-21-0x00000000076D0000-0x00000000076E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/756-29-0x00000000076D0000-0x00000000076E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/756-26-0x00000000076D0000-0x00000000076E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/756-49-0x0000000002DE0000-0x0000000002EE0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/756-50-0x0000000002B80000-0x0000000002BAD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/756-52-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/756-51-0x0000000000400000-0x0000000002B7E000-memory.dmp

      Filesize

      39.5MB

      Download

    • memory/756-55-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/756-54-0x0000000000400000-0x0000000002B7E000-memory.dmp

      Filesize

      39.5MB

      Download

    • memory/3724-60-0x0000000004990000-0x00000000049D6000-memory.dmp

      Filesize

      280KB

      Download

    • memory/3724-61-0x0000000007170000-0x00000000071B4000-memory.dmp

      Filesize

      272KB

      Download

    • memory/3724-79-0x0000000007170000-0x00000000071AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3724-83-0x0000000007170000-0x00000000071AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3724-77-0x0000000007170000-0x00000000071AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3724-75-0x0000000007170000-0x00000000071AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3724-73-0x0000000007170000-0x00000000071AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3724-71-0x0000000007170000-0x00000000071AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3724-69-0x0000000007170000-0x00000000071AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3724-67-0x0000000007170000-0x00000000071AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3724-65-0x0000000007170000-0x00000000071AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3724-63-0x0000000007170000-0x00000000071AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3724-62-0x0000000007170000-0x00000000071AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3724-95-0x0000000007170000-0x00000000071AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3724-93-0x0000000007170000-0x00000000071AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3724-91-0x0000000007170000-0x00000000071AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3724-89-0x0000000007170000-0x00000000071AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3724-87-0x0000000007170000-0x00000000071AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3724-85-0x0000000007170000-0x00000000071AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3724-81-0x0000000007170000-0x00000000071AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3724-969-0x0000000007E60000-0x0000000007F6A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3724-968-0x00000000077C0000-0x0000000007DD8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3724-970-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3724-971-0x0000000007FC0000-0x0000000007FFC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3724-972-0x0000000008110000-0x000000000815C000-memory.dmp

      Filesize

      304KB

      Download