Overview

overview

10

Static

static

3

aa21e3a7bc...07.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-11-2024 06:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aa21e3a7bcb0682e9a0ac499ac7bc14f5f5c6efb9d20f8d7565b2994acd47e07.exe

  • Size

    479KB

  • MD5

    3d014232b3745d351c387b6e5ae04096

  • SHA1

    64683c6c2715783d067f50b0c3fd1d97d243224a

  • SHA256

    aa21e3a7bcb0682e9a0ac499ac7bc14f5f5c6efb9d20f8d7565b2994acd47e07

  • SHA512

    7aa89840f634cd54e91d618d86db30b30a1b0891ad3cffcaae86cbba92e4dd705a4562aaadc7362248f01464762b52b44a5aa5539038967995dcb1b7d444b01b

  • SSDEEP

    12288:VMrdy90E5whS/hiZUyi/LwJSCykLF8fTQU:oyH7/hyKWtVLFUt

Score
10/10
healerredlinedumuddiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes
  • auth_value

    3e18d4b90418aa3e78d8822e87c62f5c

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa21e3a7bcb0682e9a0ac499ac7bc14f5f5c6efb9d20f8d7565b2994acd47e07.exe
    "C:\Users\Admin\AppData\Local\Temp\aa21e3a7bcb0682e9a0ac499ac7bc14f5f5c6efb9d20f8d7565b2994acd47e07.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:448
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8093022.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8093022.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3600
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3273516.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3273516.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4924
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8233924.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8233924.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2932

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8093022.exe
    Filesize

    307KB

    MD5

    9b2f09316d23396324d970184ce0fcbb

    SHA1

    59d80900da58a0c6019a26858f0ffdf1b4945166

    SHA256

    d9cbe3e268a283dde07622531e52a6ac964f9759d142d44a6df087d2388c43f4

    SHA512

    2f5e7ebb96b18ea6aaa3d70c451325b4e1eb4db95cb4df730075fb339ba599edc8857acf1fec5d2b7864a69002f7d70fec0dde268f5962c3e5362677b0915b9e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3273516.exe
    Filesize

    180KB

    MD5

    db0cbe6826f392cc566c78a1542555ab

    SHA1

    8b5a64eca46bcc228bd6c9d1745812bdb58f8add

    SHA256

    dfc24ae950db18794141dcffba8f195ea5a318b05de5633a894a359198491e9a

    SHA512

    22b9d9c65e5306bd8d1fb51138653075fdaa4fa0e0fb79bdf0b304929ff891ec2af11655bd53fbaf256ad7545ea256668677f715aaca4ccaacf8fb5b776737d3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8233924.exe
    Filesize

    168KB

    MD5

    d783fe39c9dffee36e90af4302a3abb4

    SHA1

    acd3dcaefb764486f15091566e1157d355f9bc43

    SHA256

    967b508bd9bcc9dc535c0e579dd2c89b02967c681646179adf06ab4bfe5294b6

    SHA512

    58b5bd5c0b72a87d5f6201ca3565e9fd57dff9d7032178770758be4541d90f0233cb986071b210ff4d1bcad6d0daa6e31c80db1c5ec61de2db54e4b3add6db46

    Download Submit

  • memory/2932-62-0x0000000004EF0000-0x0000000004F3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2932-61-0x000000000AA80000-0x000000000AABC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2932-60-0x000000000AA20000-0x000000000AA32000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2932-59-0x000000000AAF0000-0x000000000ABFA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2932-58-0x000000000B000000-0x000000000B618000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2932-57-0x0000000001240000-0x0000000001246000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2932-56-0x0000000000B40000-0x0000000000B70000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4924-30-0x0000000002130000-0x0000000002142000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4924-48-0x00000000747C0000-0x0000000074F70000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4924-42-0x0000000002130000-0x0000000002142000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4924-40-0x0000000002130000-0x0000000002142000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4924-38-0x0000000002130000-0x0000000002142000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4924-36-0x0000000002130000-0x0000000002142000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4924-46-0x0000000002130000-0x0000000002142000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4924-28-0x0000000002130000-0x0000000002142000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4924-26-0x0000000002130000-0x0000000002142000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4924-24-0x0000000002130000-0x0000000002142000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4924-22-0x0000000002130000-0x0000000002142000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4924-20-0x0000000002130000-0x0000000002142000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4924-19-0x0000000002130000-0x0000000002142000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4924-44-0x0000000002130000-0x0000000002142000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4924-49-0x00000000747CE000-0x00000000747CF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4924-50-0x00000000747C0000-0x0000000074F70000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4924-52-0x00000000747C0000-0x0000000074F70000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4924-47-0x00000000747C0000-0x0000000074F70000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4924-34-0x0000000002130000-0x0000000002142000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4924-32-0x0000000002130000-0x0000000002142000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4924-18-0x0000000002130000-0x0000000002148000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4924-17-0x0000000004BB0000-0x0000000005154000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4924-16-0x00000000747C0000-0x0000000074F70000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4924-15-0x0000000002060000-0x000000000207A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4924-14-0x00000000747CE000-0x00000000747CF000-memory.dmp

    Filesize

    4KB

    Download