Overview

overview

10

Static

static

3

b40b3df8d8...74.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-11-2024 03:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b40b3df8d8883cb46040ac3e531aa55903083e6c6136382535f9e201a9676f74.exe

  • Size

    479KB

  • MD5

    e18f11248e68e35b85d04fc8047a5998

  • SHA1

    80b4089eefa23bc7ed405b11691a90a40b4e1ccb

  • SHA256

    b40b3df8d8883cb46040ac3e531aa55903083e6c6136382535f9e201a9676f74

  • SHA512

    0f6536310c17bc1bc0f015b7701e9afa931fa96eb60082157f0dd806b084865c6de4411f8bb347eb7d2e01953ce71f7dee645bcf963121c5d39a652bc4e32367

  • SSDEEP

    12288:1MrDy90AVPrz1CsBWQRu4Mvnw6MSudNjhEiTOq5FnPt8:ayFPrzTRR3MT4hhnQ

Score
10/10
healerredlinedumuddiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes
  • auth_value

    3e18d4b90418aa3e78d8822e87c62f5c

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b40b3df8d8883cb46040ac3e531aa55903083e6c6136382535f9e201a9676f74.exe
    "C:\Users\Admin\AppData\Local\Temp\b40b3df8d8883cb46040ac3e531aa55903083e6c6136382535f9e201a9676f74.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3276
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1923866.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1923866.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3436
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1396705.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1396705.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2224
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8124334.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8124334.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2868

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1923866.exe
    Filesize

    307KB

    MD5

    4a74a39cfdf39606cd0984b18cb44652

    SHA1

    0238c0db7583b29e6ccdde3d870798e18aa4f4fb

    SHA256

    4322cd2bc07075a0a6e36957b7e0b7710918467026800e18d67fffd57a73ceac

    SHA512

    43629b98855a818813009401578d9b3c555aba94431000c214aa67d5bb11d31afba4d99ae3c2d01b9d028ff238c91877dda30c8ec1aebec89a10cb075c20eded

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1396705.exe
    Filesize

    180KB

    MD5

    cc34fa42f3cba0f5695bec580f4f6abd

    SHA1

    8fe44dbe160365ff9bd40c3df1a78b1b2a1d2a9b

    SHA256

    ce485e012ef5d49b4e62eedb06d11c24c4bc1d64167a87c2de69a446a35ac66a

    SHA512

    836aa7bac321cf93063a3dac8e04cf423956aac0a7c188c30514154a3f5047fb52dd13a440aad20e395efbd9365d0bf028551dd90d6db7431b0fb5eb276e3e8d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8124334.exe
    Filesize

    168KB

    MD5

    b5ae0a5b1bbbc9ecd15d890ebd199d65

    SHA1

    5f6b57740d3b271b698cce6dd9a9376959dc543b

    SHA256

    b03465c946b69efbf9ca2a46f199a561d6fbbe5b833afb4102b3d679da84732b

    SHA512

    44735587cba67a8f464804c6a7dc677f43a7aca237dd2131a87e733e406526e2eb3e0aa48a18215af3719c0f45d83a91abe4aa2e3580dbc3ab4fb503cd0f71d3

    Download Submit

  • memory/2224-35-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2224-50-0x0000000074430000-0x0000000074BE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2224-17-0x00000000049C0000-0x0000000004F64000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2224-18-0x0000000004980000-0x0000000004998000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2224-19-0x0000000074430000-0x0000000074BE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2224-33-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2224-23-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2224-48-0x0000000074430000-0x0000000074BE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2224-45-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2224-43-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2224-41-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2224-40-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2224-37-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2224-15-0x00000000048C0000-0x00000000048DA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2224-27-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2224-25-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2224-47-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2224-21-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2224-20-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2224-31-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2224-29-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2224-49-0x000000007443E000-0x000000007443F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2224-16-0x0000000074430000-0x0000000074BE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2224-52-0x0000000074430000-0x0000000074BE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2224-14-0x000000007443E000-0x000000007443F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2868-56-0x0000000000690000-0x00000000006C0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2868-57-0x0000000000F00000-0x0000000000F06000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2868-58-0x0000000005840000-0x0000000005E58000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2868-59-0x0000000005330000-0x000000000543A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2868-60-0x0000000002BF0000-0x0000000002C02000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2868-61-0x0000000002C50000-0x0000000002C8C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2868-62-0x0000000005220000-0x000000000526C000-memory.dmp

    Filesize

    304KB

    Download