Overview

overview

10

Static

static

3

d9fba39382...99.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/11/2024, 22:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d9fba3938215612fe8c0fa721b0abad9535077af7e2649a82f1f1824a7488699.exe

  • Size

    683KB

  • MD5

    a030ff86dde36cba574ca3f83123f019

  • SHA1

    17be17049f917bae8a206175af2fe3ba1e29347b

  • SHA256

    d9fba3938215612fe8c0fa721b0abad9535077af7e2649a82f1f1824a7488699

  • SHA512

    6548a8dcd67d101107a0e46df4c4aaca6488bbeafb9ba3deca630e1c6e61adab2ce0633fa94cb651d8e260157122f5e9be347e2fb03b0f93f74e08d7e5ba3093

  • SSDEEP

    12288:EMrqy90OTWtXC/NNfvRHPOqWXwG+UqMYG3seNwAyWRqAc4tEl:OyLq0NNfv5mqWXcYiARRqAc46l

Score
10/10
healerredlinesonydiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

sony

C2

193.233.20.33:4125

Attributes
  • auth_value

    1d93d1744381eeb4fcfd7c23ffe0f0b4

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9fba3938215612fe8c0fa721b0abad9535077af7e2649a82f1f1824a7488699.exe
    "C:\Users\Admin\AppData\Local\Temp\d9fba3938215612fe8c0fa721b0abad9535077af7e2649a82f1f1824a7488699.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:216
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un723059.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un723059.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:516
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1666.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1666.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2596
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6295.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6295.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4912

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un723059.exe
    Filesize

    541KB

    MD5

    10b732b3fa4ebb717b27d595eb610ef1

    SHA1

    4f6bc1c938a0a7c1ae4bf0a70eea6aa68ed7aeca

    SHA256

    7e771faa60c31f63d4e09a0ea97f3172a8e88722de65dbf2f5f3078263253281

    SHA512

    b828e1504ef102dbce4abdfccac54e5ec9aba64ebf4a9ad839e8c22bb78e2c9b54deb8db5db6c24f9bec275e5debf8391027d2aa191c8c48e4d9829f8848146b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1666.exe
    Filesize

    322KB

    MD5

    d8145143160f8b068d6fcf7e69d56b1a

    SHA1

    253ce4c0fc9f01cbb91e27308c1e8bebe57987b3

    SHA256

    a7bccee8157d7739190295bf131dbe2c9bf87e6bc2e47fb43626b1ad62a7c043

    SHA512

    207b8bd47f90b48a8e5ddc218952866dc5fba4d422fd43b619a2e3c0d24ed3a9dc1fe25d039d24e5bef3a62d87760a6b13d8efc3a97ac4b6d9d5564d4351700c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6295.exe
    Filesize

    379KB

    MD5

    857a6a4d808a113398da0300876c9878

    SHA1

    083c748490b6a186c66436d0c66f30ff5f8e4857

    SHA256

    03144c478550ef5f7bfcade615ccc97406a2934f5a9ee750d28395502a985334

    SHA512

    59d817d79e89ea1e04257e3e5ab38547c68beb97c5f30ffdc82ffaea603f33a94e4f2934d1c9055e38db6c3b86f60a4eacbf0aba306b640adac0af9237656529

    Download Submit

  • memory/2596-16-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2596-15-0x0000000002D60000-0x0000000002E60000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2596-17-0x00000000048B0000-0x00000000048CA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2596-18-0x0000000007180000-0x0000000007724000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2596-19-0x0000000004940000-0x0000000004958000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2596-20-0x0000000000400000-0x0000000002B7E000-memory.dmp

    Filesize

    39.5MB

    Download

  • memory/2596-30-0x0000000004940000-0x0000000004952000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2596-48-0x0000000004940000-0x0000000004952000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2596-46-0x0000000004940000-0x0000000004952000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2596-44-0x0000000004940000-0x0000000004952000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2596-42-0x0000000004940000-0x0000000004952000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2596-40-0x0000000004940000-0x0000000004952000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2596-38-0x0000000004940000-0x0000000004952000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2596-36-0x0000000004940000-0x0000000004952000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2596-34-0x0000000004940000-0x0000000004952000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2596-28-0x0000000004940000-0x0000000004952000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2596-26-0x0000000004940000-0x0000000004952000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2596-32-0x0000000004940000-0x0000000004952000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2596-22-0x0000000004940000-0x0000000004952000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2596-21-0x0000000004940000-0x0000000004952000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2596-24-0x0000000004940000-0x0000000004952000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2596-49-0x0000000002D60000-0x0000000002E60000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2596-50-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2596-51-0x0000000000400000-0x0000000002B7E000-memory.dmp

    Filesize

    39.5MB

    Download

  • memory/2596-53-0x0000000000400000-0x0000000002B7E000-memory.dmp

    Filesize

    39.5MB

    Download

  • memory/2596-54-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4912-59-0x0000000004C80000-0x0000000004CC6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4912-60-0x0000000007740000-0x0000000007784000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4912-73-0x0000000007740000-0x000000000777E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4912-80-0x0000000007740000-0x000000000777E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4912-92-0x0000000007740000-0x000000000777E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4912-90-0x0000000007740000-0x000000000777E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4912-88-0x0000000007740000-0x000000000777E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4912-86-0x0000000007740000-0x000000000777E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4912-85-0x0000000007740000-0x000000000777E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4912-78-0x0000000007740000-0x000000000777E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4912-76-0x0000000007740000-0x000000000777E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4912-74-0x0000000007740000-0x000000000777E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4912-70-0x0000000007740000-0x000000000777E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4912-68-0x0000000007740000-0x000000000777E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4912-66-0x0000000007740000-0x000000000777E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4912-95-0x0000000007740000-0x000000000777E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4912-83-0x0000000007740000-0x000000000777E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4912-64-0x0000000007740000-0x000000000777E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4912-62-0x0000000007740000-0x000000000777E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4912-61-0x0000000007740000-0x000000000777E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4912-967-0x00000000077C0000-0x0000000007DD8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4912-968-0x0000000007E60000-0x0000000007F6A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4912-969-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4912-970-0x0000000007FC0000-0x0000000007FFC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4912-971-0x0000000008110000-0x000000000815C000-memory.dmp

    Filesize

    304KB

    Download