Overview

overview

10

Static

static

3

f921bf5f93...24.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/11/2024, 23:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f921bf5f937e2ecbb872a001b944dc082294c3d004c149e8e4363f4539695124.exe

  • Size

    539KB

  • MD5

    092f2e02c114e3343185de3ca6c94b9b

  • SHA1

    f20ba641f5d76c20f3144549ef1efedaf297e782

  • SHA256

    f921bf5f937e2ecbb872a001b944dc082294c3d004c149e8e4363f4539695124

  • SHA512

    e9a9fd40de5f787f483201ef0ded0af87824fdeaef4bd728e8d7f9328aed0efdcc32f344d857019e1027fd708b43054f4627cc02f9c91145728101fb42464173

  • SSDEEP

    12288:wMrIy90stdgHPj4Mtzk7+h29GYYxOI4+6CLLU4zl0SgqJjI:oyNq4M9k7+h+GYInJHU9dAjI

Score
10/10
healerredlinedowndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

down

C2

193.233.20.31:4125

Attributes
  • auth_value

    12c31a90c72f5efae8c053a0bd339381

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f921bf5f937e2ecbb872a001b944dc082294c3d004c149e8e4363f4539695124.exe
    "C:\Users\Admin\AppData\Local\Temp\f921bf5f937e2ecbb872a001b944dc082294c3d004c149e8e4363f4539695124.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4468
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2740.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2740.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1668
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h14Tr50.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h14Tr50.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4844
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ixHBm37.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ixHBm37.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4884
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:1880

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2740.exe
    Filesize

    397KB

    MD5

    4d2a905a143206c91e6e3f06f851727a

    SHA1

    ccd782512b550fa3dce9968817dfa13177f4d479

    SHA256

    abebb88703fd0eadcdcce5e9a19d6564ef16d9dfc1d7dd80da0f9520451aba30

    SHA512

    933c94b5a5e3922ba21bb278df36527d0b9e0dbe7c457315b4d564d0baef307b0286f28f6859b192f1bd676b97f182cea99a4d68366d781d59de3c3c23d44e70

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h14Tr50.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ixHBm37.exe
    Filesize

    355KB

    MD5

    5106c90c14027fbb8e7065d57f65d8cd

    SHA1

    f1ed7ace126748aef10470c7239c5c49e6bfb141

    SHA256

    6f20343a9b9026219f997e6091541d325a9ef57b59c9ace9653cc6fc8b3692e2

    SHA512

    a3f4668ae85044c1d48233736a15dd9c595fc53f67dbe7d86ecd9e0cfd127f0808c652e0bbf6b744821334da9870ce8c7aca3128735208d9b25cc27a95672fdd

    Download Submit

  • memory/4844-14-0x00007FFBE8933000-0x00007FFBE8935000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4844-15-0x0000000000C90000-0x0000000000C9A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4844-16-0x00007FFBE8933000-0x00007FFBE8935000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4884-58-0x00000000072A0000-0x00000000072DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4884-46-0x00000000072A0000-0x00000000072DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4884-24-0x00000000072A0000-0x00000000072E4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4884-62-0x00000000072A0000-0x00000000072DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4884-66-0x00000000072A0000-0x00000000072DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4884-86-0x00000000072A0000-0x00000000072DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4884-84-0x00000000072A0000-0x00000000072DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4884-83-0x00000000072A0000-0x00000000072DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4884-80-0x00000000072A0000-0x00000000072DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4884-78-0x00000000072A0000-0x00000000072DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4884-76-0x00000000072A0000-0x00000000072DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4884-74-0x00000000072A0000-0x00000000072DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4884-72-0x00000000072A0000-0x00000000072DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4884-70-0x00000000072A0000-0x00000000072DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4884-64-0x00000000072A0000-0x00000000072DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4884-60-0x00000000072A0000-0x00000000072DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4884-22-0x00000000071B0000-0x00000000071F6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4884-56-0x00000000072A0000-0x00000000072DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4884-54-0x00000000072A0000-0x00000000072DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4884-52-0x00000000072A0000-0x00000000072DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4884-50-0x00000000072A0000-0x00000000072DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4884-23-0x0000000007310000-0x00000000078B4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4884-44-0x00000000072A0000-0x00000000072DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4884-42-0x00000000072A0000-0x00000000072DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4884-40-0x00000000072A0000-0x00000000072DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4884-36-0x00000000072A0000-0x00000000072DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4884-88-0x00000000072A0000-0x00000000072DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4884-68-0x00000000072A0000-0x00000000072DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4884-48-0x00000000072A0000-0x00000000072DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4884-38-0x00000000072A0000-0x00000000072DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4884-34-0x00000000072A0000-0x00000000072DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4884-32-0x00000000072A0000-0x00000000072DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4884-30-0x00000000072A0000-0x00000000072DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4884-28-0x00000000072A0000-0x00000000072DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4884-26-0x00000000072A0000-0x00000000072DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4884-25-0x00000000072A0000-0x00000000072DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4884-931-0x0000000007900000-0x0000000007F18000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4884-932-0x0000000007FA0000-0x00000000080AA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4884-933-0x00000000080E0000-0x00000000080F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4884-934-0x0000000008100000-0x000000000813C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4884-935-0x0000000008250000-0x000000000829C000-memory.dmp

    Filesize

    304KB

    Download