Overview

overview

10

Static

static

3

df4004f768...d3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/11/2024, 21:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    df4004f768b397546dc74b1058c3e449fbbdeb9ccae75eb874ed6c9e6b2c07d3.exe

  • Size

    479KB

  • MD5

    9993e7b9a497f985a6a81c7855cdbe6f

  • SHA1

    8b40cfe068ec6fbdd0316473cf53058a6cd27d83

  • SHA256

    df4004f768b397546dc74b1058c3e449fbbdeb9ccae75eb874ed6c9e6b2c07d3

  • SHA512

    896dbe0d35e3a6a244f2ccb4f66f0957a05fb337c4dcfd55465b0ea7958bd4401a3d559a50140738d564162a8b3ba64b09b797b2680f1d6bd4f76b4ed1668fd6

  • SSDEEP

    12288:SMrRy90BopDffiBR0Oe7oZhqPpCNa3TUX8OZCU:by5RfKcx7oisa3QaU

Score
10/10
healerredlinemaherdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

maher

C2

217.196.96.101:4132

Attributes
  • auth_value

    c57763165f68aabcf4874e661a1ffbac

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\df4004f768b397546dc74b1058c3e449fbbdeb9ccae75eb874ed6c9e6b2c07d3.exe
    "C:\Users\Admin\AppData\Local\Temp\df4004f768b397546dc74b1058c3e449fbbdeb9ccae75eb874ed6c9e6b2c07d3.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3552
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1687262.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1687262.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:380
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4973685.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4973685.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4804
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b4670310.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b4670310.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1944

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1687262.exe
    Filesize

    307KB

    MD5

    a4201652ee64af8b8f89ed5ae05a35cd

    SHA1

    969712202991441fef4db3653ea2135daa5c5bd5

    SHA256

    99364d23259cb966fd0274574f30382f6f497092b08e753a5fbd668c934061b5

    SHA512

    6cf24676fe7222245f3eabf320f70075e31f50f196ebb5cee9fe7337e7c185d303efb26ec0955120e7e563523ac58a4aa1c3ae8900c11f1cafb3f12e7d05e278

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4973685.exe
    Filesize

    179KB

    MD5

    164b6bd09dd76bff26faa7ab75cfc45c

    SHA1

    c75246b32d15e14fbca1c4f5824eba9b06ae071c

    SHA256

    d52d60b0ae7e90065fead12ead99e9405b4c5663202bb4d7bdff9a0c65ee30bd

    SHA512

    41619ec30ebe6cf67ca66dd6d3936bf0bb7437764e04ceafa57821b21c2721131815dbf9b43651bca3d0b3407c5b37725972adbf87c9c5964b434b513bbe763f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b4670310.exe
    Filesize

    168KB

    MD5

    b161a0aea7048bf858d18751efbd834d

    SHA1

    05ce5c9f10c012c387a38736b89d8e703a23b428

    SHA256

    17c969ad99fe76916d99873f812030a2063378899eb35c6d2f497215814e12ca

    SHA512

    89d3a2d0c0002fd3516164314c7ef907caa7a82dd4d7c9ff198836a3537d9f0156040d4119acaacd4e015c4559145c24a3f79f801f34428ff15d4012676c7179

    Download Submit

  • memory/1944-62-0x0000000005530000-0x000000000557C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1944-61-0x00000000053B0000-0x00000000053EC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1944-60-0x0000000005350000-0x0000000005362000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1944-59-0x0000000005420000-0x000000000552A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1944-58-0x0000000005900000-0x0000000005F18000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1944-57-0x0000000002B40000-0x0000000002B46000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1944-56-0x00000000009D0000-0x0000000000A00000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4804-31-0x0000000002590000-0x00000000025A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4804-48-0x0000000074290000-0x0000000074A40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4804-39-0x0000000002590000-0x00000000025A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4804-37-0x0000000002590000-0x00000000025A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4804-35-0x0000000002590000-0x00000000025A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4804-33-0x0000000002590000-0x00000000025A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4804-43-0x0000000002590000-0x00000000025A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4804-29-0x0000000002590000-0x00000000025A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4804-27-0x0000000002590000-0x00000000025A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4804-25-0x0000000002590000-0x00000000025A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4804-23-0x0000000002590000-0x00000000025A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4804-21-0x0000000002590000-0x00000000025A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4804-20-0x0000000002590000-0x00000000025A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4804-41-0x0000000002590000-0x00000000025A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4804-49-0x000000007429E000-0x000000007429F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4804-50-0x0000000074290000-0x0000000074A40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4804-52-0x0000000074290000-0x0000000074A40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4804-45-0x0000000002590000-0x00000000025A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4804-47-0x0000000002590000-0x00000000025A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4804-19-0x0000000074290000-0x0000000074A40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4804-18-0x0000000002590000-0x00000000025A8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4804-17-0x0000000004B30000-0x00000000050D4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4804-16-0x0000000074290000-0x0000000074A40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4804-15-0x0000000002400000-0x000000000241A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4804-14-0x000000007429E000-0x000000007429F000-memory.dmp

    Filesize

    4KB

    Download