Overview

overview

10

Static

static

3

01d18ce3e8...7b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-11-2024 08:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    01d18ce3e859bd48b85b356bcc709242967126e0bf5470ed489c51052a31a07b.exe

  • Size

    479KB

  • MD5

    ef156a99b8defeba0a1daf1e7f434fe8

  • SHA1

    cafc54cb937e8374839c65d1661f8f378b1f422c

  • SHA256

    01d18ce3e859bd48b85b356bcc709242967126e0bf5470ed489c51052a31a07b

  • SHA512

    64cec97f0b29d63b22bd42a16359f1a7d3728ffac24ba63bebcddeab327a51b16b44ae89248d35b6858fb49830ca6c27df3e98bbbc7be34a1ada53f1c7b08b6d

  • SSDEEP

    12288:iMrqy90ekd7P9tx5POZZohVvp0wmt9CYqlPPOn8:cyvuPkZomyzlun8

Score
10/10
healerredlinedumuddiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes
  • auth_value

    3e18d4b90418aa3e78d8822e87c62f5c

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\01d18ce3e859bd48b85b356bcc709242967126e0bf5470ed489c51052a31a07b.exe
    "C:\Users\Admin\AppData\Local\Temp\01d18ce3e859bd48b85b356bcc709242967126e0bf5470ed489c51052a31a07b.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2456
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2820370.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2820370.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4444
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9535137.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9535137.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4544
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2640553.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2640553.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3100

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2820370.exe
    Filesize

    307KB

    MD5

    37325f2ebd0db95095a74e73a12dd9ad

    SHA1

    bafa3e6812022e8726f758863b14ae5e4f4e8632

    SHA256

    50c65e0c150486463f28e57fa371fdde08e97d27fa7d299ae9b458f3562636a7

    SHA512

    9804f42533335b93ccdaa0ab61b1b9aa0aaa3013dbb36914eec005f8925bcdc47d0ad0e51904de76ba4875f03eb5440be3b6f1a73710e432b3cde1027d7f4e4d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9535137.exe
    Filesize

    180KB

    MD5

    819ee1688963532b86658a70b490479b

    SHA1

    3c04560e599b4b009f51179c2648a717b0f37a3c

    SHA256

    cafb1b361ca829843ada469fb4a554a66fc74ceb792727a5735b5ce518405df9

    SHA512

    b7ad470e5ce6aa0c01fb2c3c6fc6d280744994458f8de679679b5f42ad6db18eca116d51771bed3fdfe2a000cf79c045c3139e67b46e5d558a0aaccf8f3d17c4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2640553.exe
    Filesize

    168KB

    MD5

    c944ff863198d103148bb9186625032d

    SHA1

    9bdeae78c21a7f6e52adcbf21d74dae10836fadf

    SHA256

    498b897f18335105bad9765ce9938738f54bd82ca4dfaf163ac222c117fca1e5

    SHA512

    4187cad355da7bdc60ab2dc3b1d36da85d70a2d021b17cce329591b27e202fb9ecc71bd35c397980d0ee70c2f15f6a82e65d0a093c91e9567303f2331748e909

    Download Submit

  • memory/3100-62-0x0000000005960000-0x00000000059AC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3100-61-0x00000000058E0000-0x000000000591C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3100-60-0x00000000058C0000-0x00000000058D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3100-59-0x00000000059D0000-0x0000000005ADA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3100-58-0x0000000005EE0000-0x00000000064F8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3100-57-0x0000000005750000-0x0000000005756000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3100-56-0x0000000000F30000-0x0000000000F60000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4544-28-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4544-48-0x0000000074530000-0x0000000074CE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4544-36-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4544-34-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4544-32-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4544-30-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4544-40-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4544-26-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4544-24-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4544-22-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4544-20-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4544-19-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4544-47-0x0000000074530000-0x0000000074CE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4544-38-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4544-49-0x000000007453E000-0x000000007453F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4544-50-0x0000000074530000-0x0000000074CE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4544-52-0x0000000074530000-0x0000000074CE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4544-42-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4544-44-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4544-46-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4544-18-0x0000000004AC0000-0x0000000004AD8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4544-16-0x0000000074530000-0x0000000074CE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4544-17-0x0000000004B80000-0x0000000005124000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4544-15-0x0000000002190000-0x00000000021AA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4544-14-0x000000007453E000-0x000000007453F000-memory.dmp

    Filesize

    4KB

    Download