Overview

overview

10

Static

static

3

56304254ca...8e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 02:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    56304254ca514486a160baab3c3ecc448c5cb6b6456e22e60632a28176de938e.exe

  • Size

    683KB

  • MD5

    433ffc1bc8d50f55422ac193ce8f0515

  • SHA1

    995bbb8dc1dfe4dd3c85c4a7631863a4ee66afd3

  • SHA256

    56304254ca514486a160baab3c3ecc448c5cb6b6456e22e60632a28176de938e

  • SHA512

    6c4d2ef01adff22a32ae184927c4c9e23ffd866341c972139fd4bb138d48125f4b5ccc7f1ea1070e06e210028e3e66fda749c5f40cc51b5e32cb51d59b18b690

  • SSDEEP

    12288:9Mrqy907N+uIAcmTlM9jsR09kJBj6MDfvBDIq1TlQpkmguhW:TyeHZOj009QDvBDIq1Ttu4

Score
10/10
healerredlinesonydiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

sony

C2

193.233.20.33:4125

Attributes
  • auth_value

    1d93d1744381eeb4fcfd7c23ffe0f0b4

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\56304254ca514486a160baab3c3ecc448c5cb6b6456e22e60632a28176de938e.exe
    "C:\Users\Admin\AppData\Local\Temp\56304254ca514486a160baab3c3ecc448c5cb6b6456e22e60632a28176de938e.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5048
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un377613.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un377613.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5000
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0829.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0829.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4504
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3365.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3365.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3776
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:4752

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un377613.exe
    Filesize

    540KB

    MD5

    b30ec094203ffd76b463c9b5ad418f50

    SHA1

    290ce2505f31ee2ce9fba253390f3f42e3323065

    SHA256

    06e6b835283e1f27d00ba7b25201d9524edcc634674a502a8dae55cd88c07908

    SHA512

    525af09223b595d67192f1e2647e1d04c5923c4b26714f61bbe9179c807a44f2a8ab1da9c92d915e26e3682d99a994c07e6ece6344d5b6a3733f552cadc9214c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0829.exe
    Filesize

    322KB

    MD5

    abfbf41ca37eabe55d6db3c65a40ce20

    SHA1

    b83da093ff6594056e805dba125b6844e1cf3e64

    SHA256

    af9ed28ba3ed085a197a67be20fb14d60bf6bdddad8a862d9866931b53ecac32

    SHA512

    8b7df82033fcdc3cd0fb6ca0c510a79f5ee53871c553fdc3b3d3d58ff91b1027964f491507374da70f6d41cf5de9d8047d95c4e191dd2da68381bd613ab72c24

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3365.exe
    Filesize

    379KB

    MD5

    619b3695d58b7dd12b4cc01958f27f02

    SHA1

    b1127ea3463fabe718c52a4965fc158b52df3e32

    SHA256

    986ad51b3e62cdfec605c80f486e147212f8fae5531595433ef43b8954b3d947

    SHA512

    9e50a4b6be41950f722b43c6b52e90346a732d5abe171682fd32acbd3ecdc99055d82c6da6fa9e06cade39a28419a4710d6822ba05c84093980624808042eec1

    Download Submit

  • memory/3776-75-0x0000000004C60000-0x0000000004C9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3776-77-0x0000000004C60000-0x0000000004C9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3776-969-0x0000000007280000-0x000000000738A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3776-968-0x0000000007A00000-0x0000000008018000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3776-62-0x0000000004C60000-0x0000000004C9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3776-63-0x0000000004C60000-0x0000000004C9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3776-67-0x0000000004C60000-0x0000000004C9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3776-69-0x0000000004C60000-0x0000000004C9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3776-71-0x0000000004C60000-0x0000000004C9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3776-73-0x0000000004C60000-0x0000000004C9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3776-971-0x00000000073E0000-0x000000000741C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3776-972-0x0000000008150000-0x000000000819C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3776-83-0x0000000004C60000-0x0000000004C9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3776-970-0x00000000073C0000-0x00000000073D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3776-79-0x0000000004C60000-0x0000000004C9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3776-81-0x0000000004C60000-0x0000000004C9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3776-85-0x0000000004C60000-0x0000000004C9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3776-89-0x0000000004C60000-0x0000000004C9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3776-91-0x0000000004C60000-0x0000000004C9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3776-93-0x0000000004C60000-0x0000000004C9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3776-95-0x0000000004C60000-0x0000000004C9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3776-87-0x0000000004C60000-0x0000000004C9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3776-65-0x0000000004C60000-0x0000000004C9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3776-61-0x0000000004C60000-0x0000000004CA4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3776-60-0x0000000004770000-0x00000000047B6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4504-38-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4504-55-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4504-54-0x0000000000400000-0x0000000002B7E000-memory.dmp

    Filesize

    39.5MB

    Download

  • memory/4504-53-0x0000000000400000-0x0000000002B7E000-memory.dmp

    Filesize

    39.5MB

    Download

  • memory/4504-50-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4504-49-0x0000000002C30000-0x0000000002D30000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/4504-22-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4504-21-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4504-24-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4504-26-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4504-28-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4504-30-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4504-32-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4504-34-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4504-37-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4504-40-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4504-42-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4504-46-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4504-48-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4504-44-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4504-20-0x0000000004CC0000-0x0000000004CD8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4504-18-0x0000000000400000-0x0000000002B7E000-memory.dmp

    Filesize

    39.5MB

    Download

  • memory/4504-19-0x0000000007270000-0x0000000007814000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4504-17-0x0000000004A30000-0x0000000004A4A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4504-15-0x0000000002C30000-0x0000000002D30000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/4504-16-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download