Overview

overview

10

Static

static

3

9a003bb841...19.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/11/2024, 00:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9a003bb8413be27626963e886326cbea7a4fd7ef693648c59a881e6b277ac119.exe

  • Size

    477KB

  • MD5

    aa7b3fe90b2d477b5db2afa25388554d

  • SHA1

    67da7669d32ada781633e2e347f369ad090b1dbb

  • SHA256

    9a003bb8413be27626963e886326cbea7a4fd7ef693648c59a881e6b277ac119

  • SHA512

    f7bd5c45583545edd171bfcf91ebef189d8f101851e8f22966b565aaf78551d7be560742908f43252659c98fa31d30888662a80ccdbfa5e7a190a61009da2f0f

  • SSDEEP

    6144:KCy+bnr+vp0yN90QE3PKapC3UBzsDY+4CbYfIHSkY7Vt19IqoAHNxb0K48rVBhSc:KMr3y90kapxAXSkWV7GT24YKs

Score
10/10
healerredlinefusadiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

fusa

C2

193.233.20.12:4132

Attributes
  • auth_value

    a08b2f01bd2af756e38c5dd60e87e697

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a003bb8413be27626963e886326cbea7a4fd7ef693648c59a881e6b277ac119.exe
    "C:\Users\Admin\AppData\Local\Temp\9a003bb8413be27626963e886326cbea7a4fd7ef693648c59a881e6b277ac119.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1480
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niU17lL.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niU17lL.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5016
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bBf74SI.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bBf74SI.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1160
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 1084
          4⤵
          • Program crash
          PID:3488
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dkI93iR.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dkI93iR.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3832
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1160 -ip 1160
    1⤵
      PID:3360

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niU17lL.exe
      Filesize

      374KB

      MD5

      83679410574c7ae0bea6b8649e51328c

      SHA1

      ab3199f7b73585287c30d44ccdf2ba931f9da2b9

      SHA256

      0b8d1c563b76d61ad0a975153aa2fcd58df6db8a31f6ec93a10a300ed20215f2

      SHA512

      d4d9340228b481178b15dba1dc11b10769130bc1d1316a3d1f696836194f921308d0772f22336a178b8c0526be5ffbe8e12ee35d0114d22566960198e94c1104

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bBf74SI.exe
      Filesize

      235KB

      MD5

      10ebdbd3b97101647f579e816a624c0b

      SHA1

      504e3a11a4ae58dbf156627cee7f49e89502d489

      SHA256

      0eae82f040db8b8af792d3e005b0486093320f12601be24065e7e5569e1f8c2c

      SHA512

      75d837bf685f529671c3be97702956de890d2a3c9f61f81c51a569363c6bedcbe367e5381f9636c78d5e96b286b77bcc8927fad4490517c80b30652ec67ec392

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dkI93iR.exe
      Filesize

      175KB

      MD5

      da6f3bef8abc85bd09f50783059964e3

      SHA1

      a0f25f60ec1896c4c920ea397f40e6ce29724322

      SHA256

      e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

      SHA512

      4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

      Download Submit

    • memory/1160-33-0x0000000002670000-0x0000000002682000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1160-29-0x0000000002670000-0x0000000002682000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1160-18-0x0000000000400000-0x000000000056C000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1160-19-0x0000000000880000-0x000000000089A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1160-20-0x0000000004BA0000-0x0000000005144000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1160-21-0x0000000002670000-0x0000000002688000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1160-22-0x0000000002670000-0x0000000002682000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1160-43-0x0000000002670000-0x0000000002682000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1160-49-0x0000000002670000-0x0000000002682000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1160-47-0x0000000002670000-0x0000000002682000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1160-45-0x0000000002670000-0x0000000002682000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1160-41-0x0000000002670000-0x0000000002682000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1160-39-0x0000000002670000-0x0000000002682000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1160-37-0x0000000002670000-0x0000000002682000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1160-35-0x0000000002670000-0x0000000002682000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1160-16-0x0000000000640000-0x000000000066D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/1160-17-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1160-27-0x0000000002670000-0x0000000002682000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1160-31-0x0000000002670000-0x0000000002682000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1160-25-0x0000000002670000-0x0000000002682000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1160-23-0x0000000002670000-0x0000000002682000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1160-50-0x00000000008A0000-0x00000000009A0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1160-51-0x0000000000640000-0x000000000066D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/1160-52-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1160-55-0x0000000000400000-0x000000000056C000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1160-56-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1160-15-0x00000000008A0000-0x00000000009A0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3832-60-0x0000000000D70000-0x0000000000DA2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3832-61-0x0000000005B90000-0x00000000061A8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3832-62-0x0000000005710000-0x000000000581A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3832-63-0x0000000005660000-0x0000000005672000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3832-64-0x00000000056C0000-0x00000000056FC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3832-65-0x0000000005820000-0x000000000586C000-memory.dmp

      Filesize

      304KB

      Download