Overview

overview

10

Static

static

3

57d5ea30e8...6d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-11-2024 22:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    57d5ea30e8afbcea939465c403790fa0085dbd0eff1ac68eaaa7d78b2f59c76d.exe

  • Size

    479KB

  • MD5

    6db0a782f894f25ceecffe88768b39ac

  • SHA1

    aec479646d5910d6650e1a42c298839e86d9f359

  • SHA256

    57d5ea30e8afbcea939465c403790fa0085dbd0eff1ac68eaaa7d78b2f59c76d

  • SHA512

    adea3d90ced418823837aeda81359e1c7b85974de5ce0091d5b9ee7284c26fd53f8efd4c49e1f3ae3d4fd911b6d949cc17295232659333acf3cef005b1b71621

  • SSDEEP

    12288:BMr3y90jQyTQ0qy1dE5wcEimBY5Do4m9:qyAQZ0i1K

Score
10/10
healerredlinedumuddiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes
  • auth_value

    3e18d4b90418aa3e78d8822e87c62f5c

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\57d5ea30e8afbcea939465c403790fa0085dbd0eff1ac68eaaa7d78b2f59c76d.exe
    "C:\Users\Admin\AppData\Local\Temp\57d5ea30e8afbcea939465c403790fa0085dbd0eff1ac68eaaa7d78b2f59c76d.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4322945.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4322945.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4620
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9674739.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9674739.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3556
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4056875.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4056875.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3984

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4322945.exe
    Filesize

    307KB

    MD5

    8ac14995dc38b6605a22863bf8d1d243

    SHA1

    b04fff14f99f55691b5bb0f3e7db79ac65615bd0

    SHA256

    9cf090644a2ce922f9c20353252d4de50335d77233b4ee2071f49a962fc8c00b

    SHA512

    cea9c9041629f4dd92c99d389354fe7d348e7d1753126084fe30440d17a87efcfa920405bb72f5d01cd144118ef6fc36d99d0765ceab1d6c264f57784f045655

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9674739.exe
    Filesize

    180KB

    MD5

    22acedd0c32204ce6545487072bf87a8

    SHA1

    8795f89bf7291499a281e7c50538a31cb0d0964d

    SHA256

    f4acc879a404de7b966d11479a9578c8e5d362f95601f6a00405306da52aefba

    SHA512

    af347a1c917cb4fa4f8dc9dc9c3e6ba91b178f5c713c9c5f77dc42877fb4fbaebc60ddbe6365d52c7bbd58979e3a18d24904468ce4f6ad9c540558e5fd448e63

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4056875.exe
    Filesize

    168KB

    MD5

    55e260eb7c221c764cc051916bb52442

    SHA1

    1a0e24cf05a4968c637792856e634c8c461a2d79

    SHA256

    4a90b266a3de831a7e7ad03ac658e055ac051b916a9eff3a4563d0523734ad21

    SHA512

    b6037061190f4e9294bcd2d9b5da30334e1d3cdcbb4b93250e608ae5778839543ab66566512e05ca8c1621bff4f8fac6b79994d61e00b798c3c120ebf510dc23

    Download Submit

  • memory/3556-31-0x00000000022D0000-0x00000000022E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3556-50-0x0000000074540000-0x0000000074CF0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3556-16-0x0000000074540000-0x0000000074CF0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3556-18-0x00000000022D0000-0x00000000022E8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3556-19-0x0000000074540000-0x0000000074CF0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3556-47-0x00000000022D0000-0x00000000022E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3556-25-0x00000000022D0000-0x00000000022E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3556-43-0x00000000022D0000-0x00000000022E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3556-41-0x00000000022D0000-0x00000000022E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3556-39-0x00000000022D0000-0x00000000022E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3556-37-0x00000000022D0000-0x00000000022E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3556-35-0x00000000022D0000-0x00000000022E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3556-33-0x00000000022D0000-0x00000000022E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3556-15-0x0000000002120000-0x000000000213A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3556-29-0x00000000022D0000-0x00000000022E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3556-27-0x00000000022D0000-0x00000000022E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3556-45-0x00000000022D0000-0x00000000022E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3556-23-0x00000000022D0000-0x00000000022E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3556-21-0x00000000022D0000-0x00000000022E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3556-20-0x00000000022D0000-0x00000000022E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3556-48-0x0000000074540000-0x0000000074CF0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3556-49-0x000000007454E000-0x000000007454F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3556-17-0x0000000004B20000-0x00000000050C4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3556-52-0x0000000074540000-0x0000000074CF0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3556-14-0x000000007454E000-0x000000007454F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3984-56-0x00000000009A0000-0x00000000009D0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3984-57-0x00000000051C0000-0x00000000051C6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3984-58-0x0000000005950000-0x0000000005F68000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3984-59-0x0000000005440000-0x000000000554A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3984-60-0x0000000005330000-0x0000000005342000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3984-61-0x0000000005350000-0x000000000538C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3984-62-0x00000000053D0000-0x000000000541C000-memory.dmp

    Filesize

    304KB

    Download