Overview

overview

10

Static

static

3

fdd9871062...e8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 00:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fdd9871062d3349f518cb095fb05589d665e3654742d0aa789e193abc9862ee8.exe

  • Size

    686KB

  • MD5

    853d11ba9669b817fee51d64fc3f2287

  • SHA1

    3b10d4bce1c5260f12bb7d60d5cc30a125d4799f

  • SHA256

    fdd9871062d3349f518cb095fb05589d665e3654742d0aa789e193abc9862ee8

  • SHA512

    c9184ac193d5c36dadc17e22427b4f8bd7571e8aba61b4f141261498ae47bfd5ef37ca9c79537a3ed52906226714f4099fd343628ccbb749962b242d076e7c00

  • SSDEEP

    12288:jMrvy90PiIRl+sHGX6yjC30R5qdKFMRREUKnuXt/7A:UyzIJHGRjC050WOREZuXl7A

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fdd9871062d3349f518cb095fb05589d665e3654742d0aa789e193abc9862ee8.exe
    "C:\Users\Admin\AppData\Local\Temp\fdd9871062d3349f518cb095fb05589d665e3654742d0aa789e193abc9862ee8.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2956
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un953697.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un953697.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3648
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7200.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7200.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3200
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 1060
          4⤵
          • Program crash
          PID:1432
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9568.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9568.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2772
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3200 -ip 3200
    1⤵
      PID:4044

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un953697.exe
      Filesize

      545KB

      MD5

      eb94dc1c5f4a530c0914bc31621e4a99

      SHA1

      19888fa757451d1e2832ba252a3a93c993851f22

      SHA256

      b261dc7bbc328053f216c22b859cfe8ce73f04d8b27707c315eee12ea424e32e

      SHA512

      c8b614da815358c807fd60308213c584c933418aa03648671918ba112ce9551b14f9a567e6b58f9e7ca113f544f1cf55c52004c2c2ec0564cf51f7b185b95fa1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7200.exe
      Filesize

      321KB

      MD5

      2009eaf3d589b5cc00e030555a9ef4e7

      SHA1

      036750a9b52e32d3aed5f3f0fd0a2b03d3e3d471

      SHA256

      83d1b1ee1990772e19cd001401ca731927b34fa724e24f5a606e9c4da2ada513

      SHA512

      96ce39c6929e194f6bd196eed25f313ca6a652a0fcff39e99dbc010e0f53cea777e982779365b5e8e5b94bfba3f93f06a7653274164b6faf2404b233480bb429

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9568.exe
      Filesize

      380KB

      MD5

      b29f093898a4814600d5258782d91db2

      SHA1

      661aae1232aaf987e39b8a603e2e5f715168af3b

      SHA256

      7e910e74e1f857627d8cde1d2244793882c1a29dbbbe3528c355dfe569841b81

      SHA512

      8cb848170ea09df9bebe958488ba85aec86d8f63fbecee94bea2db0c5bca86c5f3ddec966f1150ca9d2a9544b2fcb031ef1e94683217958f7a4039042e9ba800

      Download Submit

    • memory/2772-71-0x0000000004C00000-0x0000000004C3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2772-77-0x0000000004C00000-0x0000000004C3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2772-969-0x0000000007290000-0x000000000739A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2772-968-0x00000000079A0000-0x0000000007FB8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2772-62-0x0000000004C00000-0x0000000004C3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2772-63-0x0000000004C00000-0x0000000004C3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2772-65-0x0000000004C00000-0x0000000004C3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2772-95-0x0000000004C00000-0x0000000004C3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2772-67-0x0000000004C00000-0x0000000004C3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2772-69-0x0000000004C00000-0x0000000004C3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2772-971-0x0000000007FC0000-0x0000000007FFC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2772-972-0x0000000008110000-0x000000000815C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2772-73-0x0000000004C00000-0x0000000004C3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2772-970-0x00000000073C0000-0x00000000073D2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2772-79-0x0000000004C00000-0x0000000004C3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2772-81-0x0000000004C00000-0x0000000004C3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2772-83-0x0000000004C00000-0x0000000004C3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2772-85-0x0000000004C00000-0x0000000004C3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2772-87-0x0000000004C00000-0x0000000004C3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2772-89-0x0000000004C00000-0x0000000004C3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2772-91-0x0000000004C00000-0x0000000004C3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2772-93-0x0000000004C00000-0x0000000004C3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2772-75-0x0000000004C00000-0x0000000004C3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2772-61-0x0000000004C00000-0x0000000004C44000-memory.dmp

      Filesize

      272KB

      Download

    • memory/2772-60-0x0000000004740000-0x0000000004786000-memory.dmp

      Filesize

      280KB

      Download

    • memory/3200-40-0x0000000004C20000-0x0000000004C32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3200-54-0x0000000000400000-0x0000000002B7E000-memory.dmp

      Filesize

      39.5MB

      Download

    • memory/3200-55-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3200-51-0x0000000000400000-0x0000000002B7E000-memory.dmp

      Filesize

      39.5MB

      Download

    • memory/3200-52-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3200-50-0x0000000002C60000-0x0000000002C8D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/3200-49-0x0000000002D20000-0x0000000002E20000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3200-21-0x0000000004C20000-0x0000000004C32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3200-24-0x0000000004C20000-0x0000000004C32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3200-26-0x0000000004C20000-0x0000000004C32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3200-28-0x0000000004C20000-0x0000000004C32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3200-30-0x0000000004C20000-0x0000000004C32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3200-32-0x0000000004C20000-0x0000000004C32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3200-34-0x0000000004C20000-0x0000000004C32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3200-36-0x0000000004C20000-0x0000000004C32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3200-38-0x0000000004C20000-0x0000000004C32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3200-42-0x0000000004C20000-0x0000000004C32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3200-44-0x0000000004C20000-0x0000000004C32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3200-46-0x0000000004C20000-0x0000000004C32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3200-48-0x0000000004C20000-0x0000000004C32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3200-22-0x0000000004C20000-0x0000000004C32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3200-20-0x0000000004C20000-0x0000000004C38000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3200-19-0x00000000072B0000-0x0000000007854000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3200-18-0x0000000004820000-0x000000000483A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3200-16-0x0000000002C60000-0x0000000002C8D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/3200-17-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3200-15-0x0000000002D20000-0x0000000002E20000-memory.dmp

      Filesize

      1024KB

      Download