Overview

overview

10

Static

static

3

8612e2857b...0c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 01:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8612e2857bb01b77be3ba81f3ff5a984eaf4c90a406d952796ca937030f3ec0c.exe

  • Size

    907KB

  • MD5

    3514963358f969c128e6906c1d785f77

  • SHA1

    b6654cad610ef8f7032ae9163ae77c66dbf62c6c

  • SHA256

    8612e2857bb01b77be3ba81f3ff5a984eaf4c90a406d952796ca937030f3ec0c

  • SHA512

    8c4b284cee4045f7a45b185ca5649bca2aefa5ce4acf234f13aa68b2f1232e114b8478238dfe8e5885ff937d098c337175cefae72c03f3abf7f1d7b0ec740242

  • SSDEEP

    24576:2yzv07zIvGlkgQM0B/gQCA53aEr/Dk+IPTW:Fzv0vkJB/Z3

Score
10/10
healerredlinedowndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

down

C2

193.233.20.31:4125

Attributes
  • auth_value

    12c31a90c72f5efae8c053a0bd339381

Signatures

  • Detects Healer an antivirus disabler dropper 19 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8612e2857bb01b77be3ba81f3ff5a984eaf4c90a406d952796ca937030f3ec0c.exe
    "C:\Users\Admin\AppData\Local\Temp\8612e2857bb01b77be3ba81f3ff5a984eaf4c90a406d952796ca937030f3ec0c.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4008
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6381.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6381.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4936
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio6079.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio6079.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2660
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro8981.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro8981.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5072
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu2889.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu2889.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4892
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1084
            5⤵
            • Program crash
            PID:2988
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rGr42s04.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rGr42s04.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1192
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4892 -ip 4892
    1⤵
      PID:4672

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6381.exe
      Filesize

      765KB

      MD5

      10dd0d138f640da05f4cf5b68e328eec

      SHA1

      328383f543464f8e48071f4d94c4a86ed791d6b6

      SHA256

      b5452bc501dc99c8bed4095028d8316acf55a26fc525f90a381ec537793576e3

      SHA512

      941811508dac2caabf2eb2c5c4a52a613ac621cfdb887aa75412e0293d4292321e06f4ac78b8bc9628f4a98828aa04ea400d4905d82bd97af12d0ec27d8819f7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rGr42s04.exe
      Filesize

      457KB

      MD5

      756eb7939f2ffc37ec17cf7711110b69

      SHA1

      a9c8e1547c4d7a23f9fb2587ded8640cf2245672

      SHA256

      3808a4de9951571e4a23ea486a64582720264bc612aa62dd2e9a2a8e6f72c2f5

      SHA512

      9c2aa7386eaf67e84998f182c381064d1475a7ded6fc011d33050aa43b8bb0c9a7668e3538d9a4a17d5bb882b393d5299cde77536ee03099a3634a9f064c4a40

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio6079.exe
      Filesize

      379KB

      MD5

      7b8b31002487ad91d979152490674b5a

      SHA1

      78be39da9dcc7a8ef90bf9736ab0d82226432f99

      SHA256

      8f139982114be62195aa8240a00d1d0ed7c2ffc22127d9834eaa0fd66235dbf6

      SHA512

      6370c6c209b42b9f4aaa37eb9b52d5ab90b16555638fac09a652db52be98ed616fc4a5100c9f164d01606ead773e3821521c3664788e7120afb785d9f9915250

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro8981.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu2889.exe
      Filesize

      399KB

      MD5

      263f3783d29c5a6f9fce53d5cafdf6c5

      SHA1

      f357e9b0b8b18b682b0ef2e684b0b6fabc951308

      SHA256

      67d2b8e767033ec0a440e44588c17895546aa4d2ae5f373b450833fba0c91d6a

      SHA512

      4683c877f2b5802b57cd15a660e6aa938aca4f95ade3ba372705b24dba9f731dbc9a0f58611de87a0ca3307b69570d4f6a02623f2155d035cb52c98f725cf32d

      Download Submit

    • memory/1192-79-0x0000000002A20000-0x0000000002A5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1192-88-0x0000000002A20000-0x0000000002A5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1192-976-0x0000000005A60000-0x0000000005B6A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1192-975-0x0000000005440000-0x0000000005A58000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1192-69-0x0000000002A20000-0x0000000002A5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1192-70-0x0000000002A20000-0x0000000002A5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1192-74-0x0000000002A20000-0x0000000002A5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1192-76-0x0000000002A20000-0x0000000002A5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1192-978-0x0000000005B70000-0x0000000005BAC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1192-72-0x0000000002A20000-0x0000000002A5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1192-80-0x0000000002A20000-0x0000000002A5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1192-82-0x0000000002A20000-0x0000000002A5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1192-86-0x0000000002A20000-0x0000000002A5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1192-977-0x0000000004E60000-0x0000000004E72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1192-91-0x0000000002A20000-0x0000000002A5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1192-92-0x0000000002A20000-0x0000000002A5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1192-94-0x0000000002A20000-0x0000000002A5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1192-97-0x0000000002A20000-0x0000000002A5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1192-98-0x0000000002A20000-0x0000000002A5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1192-100-0x0000000002A20000-0x0000000002A5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1192-103-0x0000000002A20000-0x0000000002A5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1192-85-0x0000000002A20000-0x0000000002A5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1192-979-0x0000000005CC0000-0x0000000005D0C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1192-67-0x0000000002530000-0x0000000002576000-memory.dmp

      Filesize

      280KB

      Download

    • memory/1192-68-0x0000000002A20000-0x0000000002A64000-memory.dmp

      Filesize

      272KB

      Download

    • memory/4892-58-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4892-62-0x0000000000400000-0x0000000000726000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/4892-60-0x0000000000400000-0x0000000000726000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/4892-33-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4892-35-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4892-37-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4892-39-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4892-41-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4892-45-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4892-47-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4892-49-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4892-51-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4892-53-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4892-55-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4892-59-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4892-43-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4892-32-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4892-31-0x0000000004CC0000-0x0000000004CD8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4892-30-0x0000000004D20000-0x00000000052C4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4892-29-0x00000000027E0000-0x00000000027FA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/5072-23-0x00007FFA46CF3000-0x00007FFA46CF5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/5072-22-0x0000000000F80000-0x0000000000F8A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/5072-21-0x00007FFA46CF3000-0x00007FFA46CF5000-memory.dmp

      Filesize

      8KB

      Download