Overview

overview

10

Static

static

3

a026766f42...8f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 00:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a026766f423af3b3e0cdc4e79eca3380c421fc0f2bc78a4335b5497deb9e598f.exe

  • Size

    689KB

  • MD5

    190ab995e582da87e0e0752c3d973b24

  • SHA1

    be56b18b3e12a889d16aba5a96b8806c949994ea

  • SHA256

    a026766f423af3b3e0cdc4e79eca3380c421fc0f2bc78a4335b5497deb9e598f

  • SHA512

    01caa3ff93882a80a8eeb7653361b2d435af70f6b716e0dff9f7988273c20cd03127376c445cb932f8bec31976f591b301fd574aaa84c8293076a6e3dee5f53b

  • SSDEEP

    12288:NMr0y90ilvz4WXjgMvmtVzzGqIiVVmOTSxniygaGkQVEq843x9YMSKblPRugA:NyRlv0WXcMvmtoum/xniHHZ84h2Mf5JO

Score
10/10
healerredlineborisdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

boris

C2

193.233.20.32:4125

Attributes
  • auth_value

    766b5bdf6dbefcf7ca223351952fc38f

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a026766f423af3b3e0cdc4e79eca3380c421fc0f2bc78a4335b5497deb9e598f.exe
    "C:\Users\Admin\AppData\Local\Temp\a026766f423af3b3e0cdc4e79eca3380c421fc0f2bc78a4335b5497deb9e598f.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3460
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio3537.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio3537.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2344
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9313.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9313.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2012
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1040
          4⤵
          • Program crash
          PID:4104
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1928.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1928.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:5020
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2012 -ip 2012
    1⤵
      PID:4100

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio3537.exe
      Filesize

      547KB

      MD5

      db6bc4f9fab1b62c6399c7833b823faf

      SHA1

      de0d524177ac62d1aa0580fe1bdd7d4a95c198fe

      SHA256

      296e0da2df9169c2f4bda2448eac3060886f4b97068a0b0cdd9764202f0d09e0

      SHA512

      a830a04e7ad86428c8d57d020d734674c0456c95660e4aed297a0deb6139a2f4b905690a9402c51cf4455ed96f7164ef7f1593b17db5fd7b63ad9513bc6c0a44

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9313.exe
      Filesize

      329KB

      MD5

      3726ee3edb8e765b548f8aa0ec022260

      SHA1

      aea8d2f8080c5047888eee8217bf77de873a5140

      SHA256

      758ab55449771321cfbab28ab8c991cdc11d50d57fabd4a51692eb556c555436

      SHA512

      1bb2a3a1b0f56842a8b70e576fe739e79e078eaefac1ef5c3a030d32fb55ea683e1cb07b8a5e8cc52e9a6e0fdd9867cae16a1ec16c05b549bdc6f4a04b56d1d5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1928.exe
      Filesize

      386KB

      MD5

      af70871c5c84242238e147fd16e974ee

      SHA1

      6bea49bdf7aa72f94f6285e91e5e93e11ca93fda

      SHA256

      699adb91f64d9f2be1ab44e89fb74d33b40b260dfd80e3604777beacf49922a9

      SHA512

      74470e543c51344867c3f70afeac91eee1afa9ade818130ed107fe837ea93de2a8a3ad47bb710426a2a1b9b0cc44da2d7f7c002c7c2cdf340f0cfa22361c2552

      Download Submit

    • memory/2012-15-0x0000000002BB0000-0x0000000002CB0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2012-16-0x0000000002B80000-0x0000000002BAD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2012-17-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2012-18-0x0000000004840000-0x000000000485A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2012-19-0x0000000007370000-0x0000000007914000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2012-20-0x0000000004910000-0x0000000004928000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2012-48-0x0000000004910000-0x0000000004922000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2012-46-0x0000000004910000-0x0000000004922000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2012-44-0x0000000004910000-0x0000000004922000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2012-42-0x0000000004910000-0x0000000004922000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2012-40-0x0000000004910000-0x0000000004922000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2012-38-0x0000000004910000-0x0000000004922000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2012-37-0x0000000004910000-0x0000000004922000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2012-34-0x0000000004910000-0x0000000004922000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2012-33-0x0000000004910000-0x0000000004922000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2012-30-0x0000000004910000-0x0000000004922000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2012-28-0x0000000004910000-0x0000000004922000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2012-26-0x0000000004910000-0x0000000004922000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2012-24-0x0000000004910000-0x0000000004922000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2012-22-0x0000000004910000-0x0000000004922000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2012-21-0x0000000004910000-0x0000000004922000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2012-49-0x0000000002BB0000-0x0000000002CB0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2012-50-0x0000000002B80000-0x0000000002BAD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2012-52-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2012-51-0x0000000000400000-0x0000000002B7F000-memory.dmp

      Filesize

      39.5MB

      Download

    • memory/2012-55-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2012-54-0x0000000000400000-0x0000000002B7F000-memory.dmp

      Filesize

      39.5MB

      Download

    • memory/5020-60-0x0000000004C90000-0x0000000004CD6000-memory.dmp

      Filesize

      280KB

      Download

    • memory/5020-61-0x00000000071A0000-0x00000000071E4000-memory.dmp

      Filesize

      272KB

      Download

    • memory/5020-85-0x00000000071A0000-0x00000000071DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/5020-79-0x00000000071A0000-0x00000000071DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/5020-95-0x00000000071A0000-0x00000000071DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/5020-91-0x00000000071A0000-0x00000000071DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/5020-89-0x00000000071A0000-0x00000000071DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/5020-87-0x00000000071A0000-0x00000000071DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/5020-83-0x00000000071A0000-0x00000000071DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/5020-82-0x00000000071A0000-0x00000000071DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/5020-93-0x00000000071A0000-0x00000000071DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/5020-77-0x00000000071A0000-0x00000000071DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/5020-75-0x00000000071A0000-0x00000000071DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/5020-73-0x00000000071A0000-0x00000000071DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/5020-71-0x00000000071A0000-0x00000000071DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/5020-69-0x00000000071A0000-0x00000000071DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/5020-67-0x00000000071A0000-0x00000000071DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/5020-65-0x00000000071A0000-0x00000000071DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/5020-63-0x00000000071A0000-0x00000000071DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/5020-62-0x00000000071A0000-0x00000000071DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/5020-968-0x0000000007840000-0x0000000007E58000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/5020-969-0x0000000007E60000-0x0000000007F6A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/5020-970-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5020-971-0x0000000007FC0000-0x0000000007FFC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/5020-972-0x0000000008110000-0x000000000815C000-memory.dmp

      Filesize

      304KB

      Download