Overview

overview

10

Static

static

3

0eec9b78d8...f6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/11/2024, 21:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0eec9b78d815f957670b575871f5410c455c61b2a74313e50fcdff77d14054f6.exe

  • Size

    560KB

  • MD5

    2b1efdb54acdceda861529484924b151

  • SHA1

    296413a349f4db16b519cf5acf7bc851be3f37eb

  • SHA256

    0eec9b78d815f957670b575871f5410c455c61b2a74313e50fcdff77d14054f6

  • SHA512

    13a0d02dcddacb00f2269055f046f3e89aaa545991d949683278d1ea6282695ea48245658c06437ec9a886c1e7fb0af629c6fa4ae9ee4e99a5c73593b26024ad

  • SSDEEP

    12288:BMrYy90XdBwxFuOla1mvFI77DSD4y9bd5YsxXxKpic:JyQ/whNI77DSDL9bn9lun

Score
10/10
healerredlinefuddiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

fud

C2

193.233.20.27:4123

Attributes
  • auth_value

    cddc991efd6918ad5321d80dac884b40

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0eec9b78d815f957670b575871f5410c455c61b2a74313e50fcdff77d14054f6.exe
    "C:\Users\Admin\AppData\Local\Temp\0eec9b78d815f957670b575871f5410c455c61b2a74313e50fcdff77d14054f6.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4892
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhTV3764Kt.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhTV3764Kt.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf90VQ57yH83.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf90VQ57yH83.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4784
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf53HJ65gn18.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf53HJ65gn18.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2020

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhTV3764Kt.exe
    Filesize

    416KB

    MD5

    c9668beeae60d68e4056944d6b333195

    SHA1

    b9a6b953960929b5f2f5d58a421658665ac393dc

    SHA256

    deee170585ed8e17a110a4434aa4941a2bb4985c5f411196f74f7565e7af617d

    SHA512

    3fb63bd2791d8f9fc133e1879559d53fba9568aff419f9dc348291d3330a49b0768c77177996b6b7a2b59077fc1c446a6947eabd1c2c9af7251a6000f7c11b4a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf90VQ57yH83.exe
    Filesize

    11KB

    MD5

    ce4af9f1dbc4522cadd23ca8d69a827c

    SHA1

    2b7ac155af8c4e9fc76cfb97ce2799c4ed3f5248

    SHA256

    62865b2ad238ff03423c26b040b0d0c5729aedf81f21333e4e89277c46988c76

    SHA512

    b285c6471a134af607679e255896d047b1c72b13de49ae880fa9e6617524c1c41ac4556129a305149bb8a019766d30b6f2a624a7069741d3f1db85ead4cf6332

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf53HJ65gn18.exe
    Filesize

    416KB

    MD5

    3298bce398b0b8db15538825fc22ec70

    SHA1

    97382a7c1ec70bd6549554c69ae3a8b18daddc9c

    SHA256

    c85fde6aeb312030435d285771cf28b3aaca92431f2a8e4f50227ddbd05d31fd

    SHA512

    4bcae254153697dfc1d54415b5571cece4cc33f0dec3423d89fa6879238d6939a3e4be6992085e1365f9b7150d64c642d36e694541f0e1eabdf212cabab4f737

    Download Submit

  • memory/2020-62-0x0000000007310000-0x000000000734E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2020-34-0x0000000007310000-0x000000000734E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2020-935-0x00000000082A0000-0x00000000082EC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2020-22-0x0000000007290000-0x00000000072D6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2020-23-0x00000000073A0000-0x0000000007944000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2020-24-0x0000000007310000-0x0000000007354000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2020-28-0x0000000007310000-0x000000000734E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2020-40-0x0000000007310000-0x000000000734E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2020-88-0x0000000007310000-0x000000000734E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2020-84-0x0000000007310000-0x000000000734E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2020-82-0x0000000007310000-0x000000000734E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2020-81-0x0000000007310000-0x000000000734E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2020-78-0x0000000007310000-0x000000000734E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2020-76-0x0000000007310000-0x000000000734E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2020-74-0x0000000007310000-0x000000000734E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2020-72-0x0000000007310000-0x000000000734E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2020-70-0x0000000007310000-0x000000000734E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2020-68-0x0000000007310000-0x000000000734E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2020-66-0x0000000007310000-0x000000000734E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2020-934-0x0000000008150000-0x000000000818C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2020-56-0x0000000007310000-0x000000000734E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2020-933-0x0000000008130000-0x0000000008142000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2020-58-0x0000000007310000-0x000000000734E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2020-54-0x0000000007310000-0x000000000734E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2020-52-0x0000000007310000-0x000000000734E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2020-50-0x0000000007310000-0x000000000734E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2020-48-0x0000000007310000-0x000000000734E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2020-44-0x0000000007310000-0x000000000734E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2020-42-0x0000000007310000-0x000000000734E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2020-38-0x0000000007310000-0x000000000734E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2020-36-0x0000000007310000-0x000000000734E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2020-60-0x0000000007310000-0x000000000734E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2020-32-0x0000000007310000-0x000000000734E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2020-30-0x0000000007310000-0x000000000734E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2020-86-0x0000000007310000-0x000000000734E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2020-64-0x0000000007310000-0x000000000734E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2020-46-0x0000000007310000-0x000000000734E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2020-26-0x0000000007310000-0x000000000734E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2020-25-0x0000000007310000-0x000000000734E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2020-931-0x0000000007950000-0x0000000007F68000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2020-932-0x0000000007FF0000-0x00000000080FA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4784-16-0x00007FFE30163000-0x00007FFE30165000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4784-14-0x00007FFE30163000-0x00007FFE30165000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4784-15-0x0000000000550000-0x000000000055A000-memory.dmp

    Filesize

    40KB

    Download