Overview

overview

10

Static

static

3

058034951c...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/11/2024, 23:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    058034951c6ea5987018e99d4e708ebaa20db01722a78559674d7da90ce27fdf.exe

  • Size

    974KB

  • MD5

    e383859975f044fd4bc9efaff8ef1a0d

  • SHA1

    e7c0b827f75f1e91d88164e4b85ef58b622f7fe5

  • SHA256

    058034951c6ea5987018e99d4e708ebaa20db01722a78559674d7da90ce27fdf

  • SHA512

    c2d68dfcc97fd77b1a477aac2e114ab36a9ef10c2febd35aa1af65425ea6e43b239719baa3a8722405f544f1d910ccf429936459ecb7d31fb8ffa14b68a3ecb1

  • SSDEEP

    24576:oyzNV9j29B0juCZOA/FoHAgrtUEgu4Ir6rqt7zaG:vBH29B0juCZHbgxku4Iraqtna

Score
10/10
healerredlineronurdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

ronur

C2

193.233.20.20:4134

Attributes
  • auth_value

    f88f86755a528d4b25f6f3628c460965

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\058034951c6ea5987018e99d4e708ebaa20db01722a78559674d7da90ce27fdf.exe
    "C:\Users\Admin\AppData\Local\Temp\058034951c6ea5987018e99d4e708ebaa20db01722a78559674d7da90ce27fdf.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3668
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nuY68qe.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nuY68qe.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:396
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nic17UQ.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nic17UQ.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3396
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nlD35pO.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nlD35pO.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2688
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aJY03Ve.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aJY03Ve.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2800
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 1080
              6⤵
              • Program crash
              PID:368
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bIM77sr.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bIM77sr.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1724
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2800 -ip 2800
    1⤵
      PID:1488

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nuY68qe.exe
      Filesize

      787KB

      MD5

      5a98c17bb5f504cb9ccfad2f552c9c3b

      SHA1

      8b4f83afcbc0ac3202394139084dfc48b97bdb8d

      SHA256

      3e832012237ac14c497b818670aaa644cde7cadf7464b27cf3f9d384ac5b4b40

      SHA512

      0c3833e0e6b51ba11a29900a2a11ac5ad8f3aef74b84db8553de7868da2cf209403eb2316d91a649800c6bfbd310c4e7bc9338f757d95e72477c322cdab062e2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nic17UQ.exe
      Filesize

      642KB

      MD5

      9c1a5f8ddc8f6e26cefb816db9d3abb4

      SHA1

      908622ff32a0fc27032f01ea7c95b9811da62783

      SHA256

      a26dd2c762728d313edf75949bf5449ff2f1a39acbd9665289b20faa5688ba40

      SHA512

      9e70ac3e400649bf0b0f8054cbe98257a9c3d6024708b77540aee5cf3764a814ca90714dbb354e1d87d18acc539505909c5229e3ae5c7e6ded5ce7c8be753657

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nlD35pO.exe
      Filesize

      539KB

      MD5

      67f6021281eca801b37e7b41f138c85c

      SHA1

      b5e8fedd357379e7956e6bd170bb41a2379f5376

      SHA256

      d85c5e6fa3b031ab87b9691dbc5526792f8c3d0e4923c2ad5b2cf816d8ffd018

      SHA512

      88086be475b301279f762e9e841afc48a5ecc9088525359c511513efb80e74ee77743515ddb883df2ce2887a5fbbff7ab934152198949062b5e8aa9ffb114977

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aJY03Ve.exe
      Filesize

      255KB

      MD5

      3c0da2b6de2adb899e51f79c7e6a8579

      SHA1

      b3a1bd853d755194038feec5858b81afae5531fe

      SHA256

      f373a90de0291631dcd1d0980db491695c2ddee66281890b2a86184b6120b458

      SHA512

      3881b38bdf3753f33836d936d1808d7ce5ba89702fe3ad7f6260f22594daa050cff1c467b4bd064276bb2d18dd24b644c6f21b6a20cc6fcc33e53f908c92fb5a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bIM77sr.exe
      Filesize

      314KB

      MD5

      2d118ac5db60c0958003174567c06dca

      SHA1

      e4ef705db00c24b4fb0c01290e5c2b3dc4d237be

      SHA256

      6e8f687bbab68864efc5cf0e3b9f28feeeffec164dadfb920906e72444319ea8

      SHA512

      bd3df4182c769f54cca01e45cf003c13c61ea4e525382d445bd2aecffde5f26a06f547ff200f983f0f5df5bdadda46f4499aff916c6d16165c3703dd92f65060

      Download Submit

    • memory/1724-85-0x0000000002790000-0x00000000027CE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1724-102-0x0000000002790000-0x00000000027CE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1724-979-0x0000000005B10000-0x0000000005B5C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1724-978-0x00000000059C0000-0x00000000059FC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1724-977-0x00000000059A0000-0x00000000059B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1724-976-0x0000000005870000-0x000000000597A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1724-975-0x0000000005210000-0x0000000005828000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1724-69-0x0000000002790000-0x00000000027CE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1724-70-0x0000000002790000-0x00000000027CE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1724-94-0x0000000002790000-0x00000000027CE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1724-98-0x0000000002790000-0x00000000027CE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1724-72-0x0000000002790000-0x00000000027CE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1724-76-0x0000000002790000-0x00000000027CE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1724-100-0x0000000002790000-0x00000000027CE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1724-74-0x0000000002790000-0x00000000027CE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1724-82-0x0000000002790000-0x00000000027CE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1724-78-0x0000000002790000-0x00000000027CE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1724-80-0x0000000002790000-0x00000000027CE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1724-86-0x0000000002790000-0x00000000027CE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1724-88-0x0000000002790000-0x00000000027CE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1724-67-0x0000000002710000-0x0000000002756000-memory.dmp

      Filesize

      280KB

      Download

    • memory/1724-68-0x0000000002790000-0x00000000027D4000-memory.dmp

      Filesize

      272KB

      Download

    • memory/1724-90-0x0000000002790000-0x00000000027CE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1724-92-0x0000000002790000-0x00000000027CE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1724-96-0x0000000002790000-0x00000000027CE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2800-39-0x0000000004C50000-0x0000000004C62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2800-37-0x0000000004C50000-0x0000000004C62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2800-33-0x0000000004C50000-0x0000000004C62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2800-31-0x0000000004C50000-0x0000000004C68000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2800-30-0x0000000004CD0000-0x0000000005274000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2800-62-0x0000000000400000-0x0000000000575000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2800-29-0x00000000022C0000-0x00000000022DA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2800-60-0x0000000000400000-0x0000000000575000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2800-32-0x0000000004C50000-0x0000000004C62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2800-35-0x0000000004C50000-0x0000000004C62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2800-41-0x0000000004C50000-0x0000000004C62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2800-43-0x0000000004C50000-0x0000000004C62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2800-45-0x0000000004C50000-0x0000000004C62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2800-47-0x0000000004C50000-0x0000000004C62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2800-49-0x0000000004C50000-0x0000000004C62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2800-51-0x0000000004C50000-0x0000000004C62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2800-53-0x0000000004C50000-0x0000000004C62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2800-56-0x0000000004C50000-0x0000000004C62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2800-57-0x0000000004C50000-0x0000000004C62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2800-59-0x0000000004C50000-0x0000000004C62000-memory.dmp

      Filesize

      72KB

      Download