Overview

overview

10

Static

static

3

edf7a4acf8...73.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 01:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    edf7a4acf8e91bf7f240e7c3042794ed56fe39558d80bda3fdf19b40d3180973.exe

  • Size

    662KB

  • MD5

    d3d84f149a051fc6a1fd0c0d168fde4d

  • SHA1

    1504998a04763dc5ddd27fe6f51dda5f875b35cb

  • SHA256

    edf7a4acf8e91bf7f240e7c3042794ed56fe39558d80bda3fdf19b40d3180973

  • SHA512

    8d266b01a73ee1403e8f0ba143c9db609f1b89aacfd54eefad3768c8f475b505cb77c1f479a0b7518a5de665988fb655402067683e9d14b22c845ad5a61fab23

  • SSDEEP

    12288:9MrOy90stK+pfG8j/83Zp8vkZum6m3qKxl2qgaex6C7H1ixBWLhF9:Ly7K+pvr8/czm99l2qg7x57H1ixBU

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\edf7a4acf8e91bf7f240e7c3042794ed56fe39558d80bda3fdf19b40d3180973.exe
    "C:\Users\Admin\AppData\Local\Temp\edf7a4acf8e91bf7f240e7c3042794ed56fe39558d80bda3fdf19b40d3180973.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4328
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un919787.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un919787.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2344
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8251.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8251.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3872
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5249.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5249.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4596

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un919787.exe
    Filesize

    520KB

    MD5

    8f38d479132daaeb9abda5760602c279

    SHA1

    92b84e8a3dfe71c7bd28d84b261f1664d56322d5

    SHA256

    61dc65e06123d644d495cf8d65f0ea266a55a17de8db4bfe71062462f5f2e802

    SHA512

    1c2dad9989290d33e7563ef4d9bf1aff503e813161d6bc0b70b96fc5d74b941cadd43c7a8bb5c8a2a61e8970332938fb3a5fe5b6f060142932ba13872ea12c91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8251.exe
    Filesize

    236KB

    MD5

    dedbaeaad24c77ceef5623ac12f49f85

    SHA1

    63db67cea821becf653b03ba6ed9cb3c6905b03e

    SHA256

    22a9095c735eecf2e7d4b64d78ef8900fcda06804c7339922252ec0b4699059f

    SHA512

    eef03c8ea84635fc6b0bd85fac01e4a574f039c40e664d9de449e29a0550b043a33ba613e85f5d061dbad0211a9158b820ca548563f762791b47173f1a226368

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5249.exe
    Filesize

    295KB

    MD5

    5177835060e7be0e8e2f681e8f18f655

    SHA1

    ac770fd013d59dbc8ed61797c4126800a674c386

    SHA256

    bab84ae29d2506e363423ee2229c32289c13b3a2bddb516b4b11615af893ade3

    SHA512

    a23bbbce738a1b5162f71885ae0c94098df72fc13e4f3b3533833bc6d75416a58c9045a0636414a1f987e6a2fdfdc0212eb5a41598922499b738d41d8d8ef6c2

    Download Submit

  • memory/3872-15-0x0000000000740000-0x0000000000840000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3872-16-0x0000000000600000-0x000000000062D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/3872-17-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3872-18-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/3872-19-0x00000000009D0000-0x00000000009EA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3872-20-0x0000000004D60000-0x0000000005304000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3872-21-0x00000000024A0000-0x00000000024B8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3872-29-0x00000000024A0000-0x00000000024B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3872-41-0x00000000024A0000-0x00000000024B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3872-49-0x00000000024A0000-0x00000000024B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3872-47-0x00000000024A0000-0x00000000024B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3872-45-0x00000000024A0000-0x00000000024B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3872-43-0x00000000024A0000-0x00000000024B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3872-39-0x00000000024A0000-0x00000000024B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3872-37-0x00000000024A0000-0x00000000024B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3872-35-0x00000000024A0000-0x00000000024B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3872-33-0x00000000024A0000-0x00000000024B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3872-31-0x00000000024A0000-0x00000000024B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3872-27-0x00000000024A0000-0x00000000024B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3872-25-0x00000000024A0000-0x00000000024B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3872-22-0x00000000024A0000-0x00000000024B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3872-23-0x00000000024A0000-0x00000000024B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3872-50-0x0000000000740000-0x0000000000840000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3872-51-0x0000000000600000-0x000000000062D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/3872-52-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3872-55-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/3872-56-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4596-61-0x0000000004A60000-0x0000000004AA6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4596-62-0x0000000004AE0000-0x0000000004B24000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4596-64-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4596-76-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4596-96-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4596-94-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4596-92-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4596-90-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4596-88-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4596-84-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4596-82-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4596-81-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4596-78-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4596-74-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4596-73-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4596-70-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4596-68-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4596-66-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4596-86-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4596-63-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4596-969-0x0000000005180000-0x0000000005798000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4596-970-0x00000000057A0000-0x00000000058AA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4596-971-0x00000000058D0000-0x00000000058E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4596-972-0x00000000058F0000-0x000000000592C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4596-973-0x0000000005A40000-0x0000000005A8C000-memory.dmp

    Filesize

    304KB

    Download