Overview

overview

10

Static

static

3

a1ed298695...87.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-11-2024 07:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a1ed29869568ed1630c15caf55bf27837ad263ab2a67cf764cb4f9e1b91ede87.exe

  • Size

    479KB

  • MD5

    6c45902e0dc615f5e20e1085a91d3a1d

  • SHA1

    f058cdcab4cfaea29c7f609882005be1a913f575

  • SHA256

    a1ed29869568ed1630c15caf55bf27837ad263ab2a67cf764cb4f9e1b91ede87

  • SHA512

    c1e98cb2e49fbec0603f9f13e9b6ab03473c1d09067b1b630ec51f34e6f542a8f2a8d14ffa27afeccc6fd5145f45e9aac55f390929ebd6efbe1cc8195399991b

  • SSDEEP

    12288:qMrIy90XpTOamFlzIm+9c5c1u31tTmWd1f21wktCInkWIzDY55h84a:+y0pTvmDucXPTxd1owk2zDY58P

Score
10/10
healerredlinedumuddiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes
  • auth_value

    3e18d4b90418aa3e78d8822e87c62f5c

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a1ed29869568ed1630c15caf55bf27837ad263ab2a67cf764cb4f9e1b91ede87.exe
    "C:\Users\Admin\AppData\Local\Temp\a1ed29869568ed1630c15caf55bf27837ad263ab2a67cf764cb4f9e1b91ede87.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9590467.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9590467.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3000
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1653349.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1653349.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4320
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2241688.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2241688.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1032

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9590467.exe
    Filesize

    307KB

    MD5

    63e455fd2cfd546f95a1c7ca576e28cd

    SHA1

    37dd534f1f0e14ebcefa02b89a30dd6ece6fca38

    SHA256

    9f72edf0d6730a161049a9797af49e2046e1b86567c9ab5065ecae1ace984662

    SHA512

    c5582356e67c25728eb2de9bf4b54d9c9407f0842363cf8a9c8e4bbae0a3d4d80560265141b70d6802c2ba089d9f309bd18bb91b371c2af471a1f9e9d953bdc0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1653349.exe
    Filesize

    180KB

    MD5

    65cc207f2635584c07f76fd33dbc6afe

    SHA1

    86b1a21ea17ac5a82597d70c91033c10bd06e9d8

    SHA256

    7f8bc8dc2dbebb3343a3de5aa069c5e367f2eba650eb669e2e4250c510a46cfa

    SHA512

    3a1767b4fd30ebb933d35e95230600836c99a374873c74cc7cd1dfb244c0cb71dcbc9885a84fc72fd86d3d9b928a05222bb1d7ed691098712447e0117b8e2ee3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2241688.exe
    Filesize

    168KB

    MD5

    5b21fa7ad3fff19bdb30c6a2332ead5d

    SHA1

    ee941ddfbbba03dc1191272cbee82ef646f7bff0

    SHA256

    25126b80f7b6211882b858ba331160564f5166d9cdb9f9406d9a559e5e8e88ab

    SHA512

    9e2823f06436499ecc2cce2f0fe29bcce55703316251f0e9196c6422f9414d47042adb064e4a566e44f6cceb6adbe6bae8429cbec8f830e73b04750f3e43ffc8

    Download Submit

  • memory/1032-62-0x0000000005230000-0x000000000527C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1032-61-0x00000000050B0000-0x00000000050EC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1032-60-0x0000000005050000-0x0000000005062000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1032-59-0x0000000005120000-0x000000000522A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1032-58-0x0000000005600000-0x0000000005C18000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1032-57-0x0000000002820000-0x0000000002826000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1032-56-0x0000000000590000-0x00000000005C0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4320-34-0x00000000023B0000-0x00000000023C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4320-21-0x00000000023B0000-0x00000000023C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4320-42-0x00000000023B0000-0x00000000023C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4320-40-0x00000000023B0000-0x00000000023C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4320-38-0x00000000023B0000-0x00000000023C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4320-36-0x00000000023B0000-0x00000000023C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4320-46-0x00000000023B0000-0x00000000023C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4320-32-0x00000000023B0000-0x00000000023C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4320-30-0x00000000023B0000-0x00000000023C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4320-28-0x00000000023B0000-0x00000000023C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4320-26-0x00000000023B0000-0x00000000023C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4320-24-0x00000000023B0000-0x00000000023C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4320-22-0x00000000023B0000-0x00000000023C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4320-44-0x00000000023B0000-0x00000000023C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4320-49-0x0000000073C6E000-0x0000000073C6F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4320-50-0x0000000073C60000-0x0000000074410000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4320-52-0x0000000073C60000-0x0000000074410000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4320-48-0x00000000023B0000-0x00000000023C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4320-20-0x0000000073C60000-0x0000000074410000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4320-19-0x0000000073C60000-0x0000000074410000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4320-18-0x00000000023B0000-0x00000000023C8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4320-17-0x0000000004B00000-0x00000000050A4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4320-16-0x0000000073C60000-0x0000000074410000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4320-15-0x00000000022C0000-0x00000000022DA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4320-14-0x0000000073C6E000-0x0000000073C6F000-memory.dmp

    Filesize

    4KB

    Download