Overview

overview

10

Static

static

3

563999ad1d...7b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 01:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    563999ad1d63f5ffc2ade68f8f880679b697da49df558805ba87f7a57d54f17b.exe

  • Size

    1.1MB

  • MD5

    5d5cf5535b98336f45e26555b064230c

  • SHA1

    a0571bb3d640c3f1703a30015d340dc74f1a7f66

  • SHA256

    563999ad1d63f5ffc2ade68f8f880679b697da49df558805ba87f7a57d54f17b

  • SHA512

    10bc2839acdb7572e481753a847795fe2871788ea3760029d3b2c853b3a1f6186be27dd835d750de6924a32ef69e3ec24d6faeb740ffb33a1e0b16ffdf47ce3f

  • SSDEEP

    24576:AyK17wd8xQ5XYOukcYbMQ4giz673oHkNRg2wiSc:HKBwdcZ6t4gs67X7gnT

Score
10/10
healerredlinerumfadiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rumfa

C2

193.233.20.24:4123

Attributes
  • auth_value

    749d02a6b4ef1fa2ad908e44ec2296dc

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\563999ad1d63f5ffc2ade68f8f880679b697da49df558805ba87f7a57d54f17b.exe
    "C:\Users\Admin\AppData\Local\Temp\563999ad1d63f5ffc2ade68f8f880679b697da49df558805ba87f7a57d54f17b.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:540
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plFP21mJ58.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plFP21mJ58.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:912
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plft68hw29.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plft68hw29.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4432
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pllA88vD61.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pllA88vD61.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3384
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plVv37Ie23.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plVv37Ie23.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3520
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buWA24mJ39.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buWA24mJ39.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3244
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caSu76AF90.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caSu76AF90.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:1380
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:5960

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plFP21mJ58.exe
    Filesize

    1003KB

    MD5

    056bf3335420403056d8f5ce4f3b80ae

    SHA1

    bd84e50425a90cb92e5bc6755bc6c204c7dbad68

    SHA256

    e967e964b0efc7ba43b13e1d256ea837cb2bcc29250bf5dc46ca9acbc46c2fea

    SHA512

    52472cfcbfd78dfb30cdcd0d15d73be0df0f127f8d424c37a93aa05ab856cc3352f6b2451d947cfc6a93bcea8785769868aedc8adf2746bb150737dda2084af8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plft68hw29.exe
    Filesize

    907KB

    MD5

    04c785a25331ce4b0c62f5123989d9c3

    SHA1

    1afaed60a38b98c41715ae374b55acf6e3591fca

    SHA256

    0dd75ca8384ee6a15e72195551426ec945de3780eebe949a44b08eead5c6be60

    SHA512

    573a447ca5393e21fd2ba31fe9d2050611e7b1d0d967a78406e50e23aac0d38be74b88168241b77552a727710add2defb8c736539670bebe32d4ce6761484b68

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pllA88vD61.exe
    Filesize

    683KB

    MD5

    ca6ad095eff24ebe7f585aa276cb563e

    SHA1

    4ce2d4c3900f5344bf5517632df73c821161f86c

    SHA256

    88004bde9d576b6dc1d50cbdde5893a313febc3eb750fc9676e514a9cb5a57dd

    SHA512

    122c9e7e4f86e3210f6a55ea42bfbd9013e950bdbc7b346156303fe07ae1b268888969393995d3d978581539793ee6301816177de21f2fe687bd94a0f1f6e657

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plVv37Ie23.exe
    Filesize

    399KB

    MD5

    e97d8b641f6c678967d8a7a48bc7f5f6

    SHA1

    b82c5ec2190e7057d4077ca02965d76bcea96c2f

    SHA256

    c2d794686869053d0cf7b7ccdbeb032041b43391d75103b4efff2af0f3fa74b3

    SHA512

    9f06e914c2e4d8d8e3e0438e8b4acf77a2318c53c6bf7162724d8089f4ee9d427fa941346451bca6e10b811416feaea0656470212e9e3cbbfa5712b885d47bea

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buWA24mJ39.exe
    Filesize

    12KB

    MD5

    7e7f528106781100fd767e76f5dea621

    SHA1

    edcf87876582e09df3fa84b79cf891b62209569d

    SHA256

    cf47dc61a3e50848fd76653ad41aca913940098245285c35f02130f594516ade

    SHA512

    7e9000ff385c8977929a27400647bb07677aa3b84b2b2c7cdfa809248025592e257237b88ffbac5b55a4bde80dedd3f65f0244597325247f1252be063340d10b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caSu76AF90.exe
    Filesize

    375KB

    MD5

    5ff32f757fe387c14ed8b1388ed9ec51

    SHA1

    43465ddc0d2b6107b9ec69f4852abedc6dc7a3e3

    SHA256

    ed7b94310be80b1aadad0043ae5539fbdf5a5b57626e275cf1e93cda3a307c60

    SHA512

    f89a31e03ae0ec6116b58136b1362bab031f04a340738d5878152905ca69964c833fb5b58c339af3e71fc804e6f727983e8a9db43e58ac37875fb1e2d83a2c92

    Download Submit

  • memory/1380-65-0x0000000007790000-0x00000000077CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1380-103-0x0000000007790000-0x00000000077CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1380-42-0x00000000071A0000-0x0000000007744000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1380-43-0x0000000007790000-0x00000000077D4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1380-59-0x0000000007790000-0x00000000077CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1380-63-0x0000000007790000-0x00000000077CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1380-61-0x0000000007790000-0x00000000077CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1380-57-0x0000000007790000-0x00000000077CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1380-55-0x0000000007790000-0x00000000077CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1380-53-0x0000000007790000-0x00000000077CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1380-51-0x0000000007790000-0x00000000077CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1380-84-0x0000000007790000-0x00000000077CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1380-76-0x0000000007790000-0x00000000077CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1380-67-0x0000000007790000-0x00000000077CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1380-49-0x0000000007790000-0x00000000077CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1380-47-0x0000000007790000-0x00000000077CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1380-45-0x0000000007790000-0x00000000077CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1380-44-0x0000000007790000-0x00000000077CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1380-954-0x0000000008180000-0x00000000081CC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1380-107-0x0000000007790000-0x00000000077CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1380-105-0x0000000007790000-0x00000000077CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1380-41-0x0000000007130000-0x0000000007176000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1380-101-0x0000000007790000-0x00000000077CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1380-99-0x0000000007790000-0x00000000077CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1380-97-0x0000000007790000-0x00000000077CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1380-95-0x0000000007790000-0x00000000077CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1380-93-0x0000000007790000-0x00000000077CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1380-91-0x0000000007790000-0x00000000077CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1380-89-0x0000000007790000-0x00000000077CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1380-87-0x0000000007790000-0x00000000077CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1380-85-0x0000000007790000-0x00000000077CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1380-81-0x0000000007790000-0x00000000077CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1380-79-0x0000000007790000-0x00000000077CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1380-77-0x0000000007790000-0x00000000077CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1380-73-0x0000000007790000-0x00000000077CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1380-71-0x0000000007790000-0x00000000077CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1380-69-0x0000000007790000-0x00000000077CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1380-950-0x0000000007800000-0x0000000007E18000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1380-951-0x0000000007EA0000-0x0000000007FAA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1380-952-0x0000000007FE0000-0x0000000007FF2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1380-953-0x0000000008040000-0x000000000807C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3244-35-0x00000000003F0000-0x00000000003FA000-memory.dmp

    Filesize

    40KB

    Download