Overview

overview

10

Static

static

3

84408c74e5...e2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 02:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    84408c74e5a69030aea58a6f58a3d097e6d8d7e7a891aa567136d291ff5be4e2.exe

  • Size

    555KB

  • MD5

    fa12172db0db51eca272fa52152f6b6c

  • SHA1

    867f56a94be0d3b9b4b9b6ea7d96c6c3303f1840

  • SHA256

    84408c74e5a69030aea58a6f58a3d097e6d8d7e7a891aa567136d291ff5be4e2

  • SHA512

    f92bc73995d73b9b4724140878a7a096b97457526d7fda1b0367fdbd761c5664782f1672dea9e3d5b89e31f1552f2e172fa65506949cef1e92d73fa9e1395133

  • SSDEEP

    12288:KMr0y90XKVFEEzPegmL0+oP1gz3/CdFwpBZ:ayTxzmgmA+oSadK3Z

Score
10/10
healerredlineborisdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

boris

C2

193.233.20.32:4125

Attributes
  • auth_value

    766b5bdf6dbefcf7ca223351952fc38f

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\84408c74e5a69030aea58a6f58a3d097e6d8d7e7a891aa567136d291ff5be4e2.exe
    "C:\Users\Admin\AppData\Local\Temp\84408c74e5a69030aea58a6f58a3d097e6d8d7e7a891aa567136d291ff5be4e2.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2608
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2740.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2740.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h06ZU48.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h06ZU48.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1076
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iSpSM45.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iSpSM45.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1684
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:5384

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2740.exe
    Filesize

    413KB

    MD5

    109f1820bae2a51b5bc9d24e8fb010d7

    SHA1

    66ced6a63a550d0d6d2f409bf51aff0d6607a39c

    SHA256

    83a524056d6ed628ec31bce3a709eca3db963d12e44f9abd2cc0863b93557389

    SHA512

    c93a8ef25fce793ae0f8ff9eb41050a3a61c7d63a4fbbb59ca2e6d03dad8e5654bb2fd77171d9411614d8dac54084a8247fab65391a6d8f6af3664e180411540

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h06ZU48.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iSpSM45.exe
    Filesize

    385KB

    MD5

    7872d1b176632bd0ec29819fdb927c91

    SHA1

    2f8c0d7b9d1ceea01ac68a08be924fab780d02af

    SHA256

    21f750764a3d26cddc22fe1465794d8585c82477d4880eb2d9cc04c6a3676b8f

    SHA512

    ca9450376227f3de7f7e55612f9cb0d5de56d47a8fa214b4b683f70d3b5ed5ca045de6a0ae93a2efecfbaee9316c020747a862cfb947b2dac7b8337d541a8c3b

    Download Submit

  • memory/1076-14-0x00007FFC27673000-0x00007FFC27675000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1076-15-0x0000000000580000-0x000000000058A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1076-16-0x00007FFC27673000-0x00007FFC27675000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1684-66-0x00000000072E0000-0x000000000731F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1684-54-0x00000000072E0000-0x000000000731F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1684-24-0x00000000072E0000-0x0000000007324000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1684-25-0x00000000072E0000-0x000000000731F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1684-30-0x00000000072E0000-0x000000000731F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1684-88-0x00000000072E0000-0x000000000731F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1684-86-0x00000000072E0000-0x000000000731F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1684-84-0x00000000072E0000-0x000000000731F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1684-83-0x00000000072E0000-0x000000000731F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1684-80-0x00000000072E0000-0x000000000731F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1684-78-0x00000000072E0000-0x000000000731F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1684-76-0x00000000072E0000-0x000000000731F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1684-74-0x00000000072E0000-0x000000000731F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1684-72-0x00000000072E0000-0x000000000731F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1684-70-0x00000000072E0000-0x000000000731F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1684-68-0x00000000072E0000-0x000000000731F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1684-22-0x0000000004A90000-0x0000000004AD6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1684-62-0x00000000072E0000-0x000000000731F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1684-60-0x00000000072E0000-0x000000000731F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1684-58-0x00000000072E0000-0x000000000731F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1684-56-0x00000000072E0000-0x000000000731F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1684-23-0x0000000007420000-0x00000000079C4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1684-52-0x00000000072E0000-0x000000000731F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1684-48-0x00000000072E0000-0x000000000731F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1684-46-0x00000000072E0000-0x000000000731F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1684-45-0x00000000072E0000-0x000000000731F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1684-42-0x00000000072E0000-0x000000000731F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1684-40-0x00000000072E0000-0x000000000731F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1684-38-0x00000000072E0000-0x000000000731F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1684-34-0x00000000072E0000-0x000000000731F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1684-32-0x00000000072E0000-0x000000000731F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1684-28-0x00000000072E0000-0x000000000731F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1684-26-0x00000000072E0000-0x000000000731F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1684-64-0x00000000072E0000-0x000000000731F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1684-50-0x00000000072E0000-0x000000000731F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1684-36-0x00000000072E0000-0x000000000731F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1684-931-0x00000000079D0000-0x0000000007FE8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1684-932-0x0000000007FF0000-0x00000000080FA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1684-933-0x00000000073F0000-0x0000000007402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1684-934-0x0000000008100000-0x000000000813C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1684-935-0x0000000008250000-0x000000000829C000-memory.dmp

    Filesize

    304KB

    Download