Overview

overview

10

Static

static

3

33485abe70...b9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-11-2024 15:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    33485abe7037f0b96591614bcc77408e01ebfd52dd9234da76ca30fdfef05cb9.exe

  • Size

    522KB

  • MD5

    c9cee46b6ed21a6b91381f8d9bb89eb4

  • SHA1

    b12307a3ee470d119d131343ad52cb520c7051f8

  • SHA256

    33485abe7037f0b96591614bcc77408e01ebfd52dd9234da76ca30fdfef05cb9

  • SHA512

    bf2b7a3c7af25bb9aefa304cab30c82264e7eb15dd0ddf7a0ec1f05770dd6b5f0b956b863e544fb6ed002a5836622ec435d0b65089743715ad79e99b704bd972

  • SSDEEP

    12288:rMrdy90w09A7ZKTCilssFHiUsUizH32tyKhfiUNwW:Ky89gsZOsFH10zH32tyKhfjNR

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\33485abe7037f0b96591614bcc77408e01ebfd52dd9234da76ca30fdfef05cb9.exe
    "C:\Users\Admin\AppData\Local\Temp\33485abe7037f0b96591614bcc77408e01ebfd52dd9234da76ca30fdfef05cb9.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4588
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNm4533.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNm4533.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4300
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr011186.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr011186.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3520
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku607010.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku607010.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2600
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:3204

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNm4533.exe
    Filesize

    380KB

    MD5

    0e3e0b47a621db28b70e8414296d6158

    SHA1

    8e0e05af00d67b6568b994b44c2913538edc2364

    SHA256

    0754b66d71a60d5da46380245757c229a986408a2f22f0cadbea5ea81d779c00

    SHA512

    789f016c884e452b8c0e7f9ce571e358a974453ff4b0ffc0fd7d10289079aeb2baeb08eb0d7dc8da0299244887e99cd7999e2d29b2f72c50ae34d767c78550c5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr011186.exe
    Filesize

    14KB

    MD5

    9d4a65613d1a961e9ae83e4582dd995e

    SHA1

    064cd6d5696fa5976b3c7f6fd343c62e63fc36cd

    SHA256

    6980f6d5456ae1baaea90b71f321b8978e7de5b0fa287cc861e7f2ad0ac29cae

    SHA512

    121b6bee1b5c9eebdd4a90ff8f0fc87f490fb8cf8c15cac697bfc1732fd9e206df2c10628514a79446d8dfbe4b521358783619f4bdd3ac6973928f271fa75f48

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku607010.exe
    Filesize

    295KB

    MD5

    3e34cb167b5305ea27f4bccfead9bc02

    SHA1

    a7c6d11b130ddee3d89cb6a06674a9f2a0e3d239

    SHA256

    06678993fdd04a6290c9aa43143741627494e50925770477adeb6d2bda5f95bb

    SHA512

    b258df6bdb64566717a8ceba5fb9ef3602f2b109dc2b7a22614b8f41f5b246670771775e905b4278a5b8e1189ef35fcfd3c94226f8e4bc803662fd2a8b119ec9

    Download Submit

  • memory/2600-59-0x0000000002480000-0x00000000024BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2600-22-0x0000000004D70000-0x0000000005314000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2600-21-0x00000000023C0000-0x0000000002406000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2600-55-0x0000000002480000-0x00000000024BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2600-23-0x0000000002480000-0x00000000024C4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2600-31-0x0000000002480000-0x00000000024BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2600-49-0x0000000002480000-0x00000000024BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2600-87-0x0000000002480000-0x00000000024BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2600-85-0x0000000002480000-0x00000000024BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2600-83-0x0000000002480000-0x00000000024BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2600-81-0x0000000002480000-0x00000000024BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2600-77-0x0000000002480000-0x00000000024BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2600-75-0x0000000002480000-0x00000000024BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2600-73-0x0000000002480000-0x00000000024BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2600-71-0x0000000002480000-0x00000000024BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2600-53-0x0000000002480000-0x00000000024BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2600-67-0x0000000002480000-0x00000000024BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2600-63-0x0000000002480000-0x00000000024BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2600-61-0x0000000002480000-0x00000000024BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2600-934-0x0000000005B90000-0x0000000005BDC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2600-933-0x0000000005A50000-0x0000000005A8C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2600-57-0x0000000002480000-0x00000000024BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2600-69-0x0000000002480000-0x00000000024BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2600-47-0x0000000002480000-0x00000000024BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2600-45-0x0000000002480000-0x00000000024BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2600-43-0x0000000002480000-0x00000000024BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2600-41-0x0000000002480000-0x00000000024BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2600-39-0x0000000002480000-0x00000000024BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2600-37-0x0000000002480000-0x00000000024BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2600-35-0x0000000002480000-0x00000000024BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2600-33-0x0000000002480000-0x00000000024BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2600-29-0x0000000002480000-0x00000000024BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2600-79-0x0000000002480000-0x00000000024BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2600-65-0x0000000002480000-0x00000000024BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2600-51-0x0000000002480000-0x00000000024BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2600-27-0x0000000002480000-0x00000000024BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2600-25-0x0000000002480000-0x00000000024BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2600-24-0x0000000002480000-0x00000000024BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2600-930-0x0000000005320000-0x0000000005938000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2600-931-0x0000000005940000-0x0000000005A4A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2600-932-0x0000000004D20000-0x0000000004D32000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3520-14-0x00007FFA0FC63000-0x00007FFA0FC65000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3520-15-0x0000000000F20000-0x0000000000F2A000-memory.dmp

    Filesize

    40KB

    Download