Overview

overview

10

Static

static

3

fd63cb6871...21.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-11-2024 16:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fd63cb6871791b65e5cb48b6773e1a2a64d62368ea4fea966daf051818a5d021.exe

  • Size

    521KB

  • MD5

    d7f309470b785c7f529e5b53af2a6d37

  • SHA1

    1c90b6cf792be414b8f716f0562779bba0fc3e97

  • SHA256

    fd63cb6871791b65e5cb48b6773e1a2a64d62368ea4fea966daf051818a5d021

  • SHA512

    d578c7fe0899a0fd6aa4eef8d4881b9545a2f13777d944a461967d5921d84cee5969d7cd41e8ac18eff10872a40f1974d7c4deb9c20921dcf4aec3c0e6a720d5

  • SSDEEP

    12288:jMrOy90AMY4oBGnQF8Df3dVPggHLCU2aqAgMqCWDm:hyVMY4oBGQ2Dd5ggLCjaq3MWDm

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd63cb6871791b65e5cb48b6773e1a2a64d62368ea4fea966daf051818a5d021.exe
    "C:\Users\Admin\AppData\Local\Temp\fd63cb6871791b65e5cb48b6773e1a2a64d62368ea4fea966daf051818a5d021.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3648
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixB0678.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixB0678.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:720
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr326872.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr326872.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4868
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku118238.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku118238.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2456
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:1428

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixB0678.exe
    Filesize

    379KB

    MD5

    04028e5443f7657c9a460b12f4929491

    SHA1

    a0a2d76354e700596d59eeabd0f3de898ba89f8c

    SHA256

    7f76f4b8c034f1b65d54eb847a83af6bc71965ff58fda0f7973f0dac86d420ea

    SHA512

    ff6ca87b7f3df77cef9473f7e19756f51a31f1c4d214545f034a2abdf30bdf8b4c0622d342ded55f0d3908e6037c8dd53623a0ea436be7e70378bc2f19e6691f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr326872.exe
    Filesize

    15KB

    MD5

    b8e0221728880c0a18d6ce064b4f8a56

    SHA1

    35fd074cfbf5042543c5e5a66a8d7dc88bc5672b

    SHA256

    233ad57a3370504a2bb12c78e29feafd755893ae84a6d8d1e3e0e687d8c366d3

    SHA512

    e24afc8e1d857ccf02eb388b8d461cd3a8d5ae0071baef43c4d81853e4c5532aee4ead1640d9f29c525d6292578d9f246cb2e81649ab82cd1ac36de1d20509fe

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku118238.exe
    Filesize

    294KB

    MD5

    7a048070bbf9cf7fac59042b54b007f6

    SHA1

    a98d25a1e55c85c0455693a828fdfa9484a5536e

    SHA256

    c146a10efaf86384515a5d0d549ba914fea93c3e70b57b841558d42c422cdd46

    SHA512

    b3a2351ac32644bbb5c92e47d35f23d97385f177d2c5399a20e72fa4bfb334dd4b73c5e13f89f36737490b7f180d5959d809092b00275bdd267b2dee5778f2e8

    Download Submit

  • memory/2456-64-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2456-22-0x00000000024C0000-0x0000000002506000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2456-935-0x0000000005A30000-0x0000000005A7C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2456-60-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2456-23-0x0000000004BD0000-0x0000000005174000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2456-24-0x0000000004A90000-0x0000000004AD4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2456-30-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2456-38-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2456-88-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2456-86-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2456-62-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2456-82-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2456-56-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2456-76-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2456-74-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2456-72-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2456-70-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2456-68-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2456-66-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2456-934-0x00000000058E0000-0x000000000591C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2456-84-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2456-931-0x0000000005180000-0x0000000005798000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2456-78-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2456-54-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2456-52-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2456-50-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2456-48-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2456-46-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2456-44-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2456-40-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2456-36-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2456-34-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2456-32-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2456-80-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2456-58-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2456-42-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2456-28-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2456-26-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2456-25-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2456-933-0x00000000058C0000-0x00000000058D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2456-932-0x00000000057A0000-0x00000000058AA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4868-16-0x00007FFDBE893000-0x00007FFDBE895000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4868-14-0x00007FFDBE893000-0x00007FFDBE895000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4868-15-0x0000000000B20000-0x0000000000B2A000-memory.dmp

    Filesize

    40KB

    Download