Overview

overview

10

Static

static

3

fda75ccf39...fd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 02:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fda75ccf39376767255d2ebdf62bde9d5ec283a0f1ce9b9f3d642c706682c2fd.exe

  • Size

    481KB

  • MD5

    27fa3487181a83f3d50518512e8e6cb9

  • SHA1

    56833aa68a5e1249ef0d488fdc94df2fb644bf69

  • SHA256

    fda75ccf39376767255d2ebdf62bde9d5ec283a0f1ce9b9f3d642c706682c2fd

  • SHA512

    68aaa56756c5179729c8042d5d498ca61e146309d65300b361295ae0b23c60b116a769cc12efa308ceff7e5752d7d92aa00bbbcd5a36ef4f2d037c285a2d5580

  • SSDEEP

    12288:IMrBy90W3gE8zi8peNb7vggs9Keefm0UWauB:ZyFC2YefmrWauB

Score
10/10
healerredlinemofundiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

mofun

C2

217.196.96.101:4132

Attributes
  • auth_value

    da5d4987d25c2de43d34fcc99b29fff3

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fda75ccf39376767255d2ebdf62bde9d5ec283a0f1ce9b9f3d642c706682c2fd.exe
    "C:\Users\Admin\AppData\Local\Temp\fda75ccf39376767255d2ebdf62bde9d5ec283a0f1ce9b9f3d642c706682c2fd.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4612
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5774680.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5774680.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1340
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4452981.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4452981.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4616
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3239034.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3239034.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1188
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:4344

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5774680.exe
    Filesize

    309KB

    MD5

    bf81b6b6b233a7d69f9025c47e455445

    SHA1

    93703d12b68eb4f612135205df8d53c000a95b74

    SHA256

    0081ef5a7362a23325e46cc9e5c6b3c58bd42d0e8fb2b03ba3a7bfa64a76af34

    SHA512

    d4fcc7e4d9bd678ea4ca830970a0e48e078ed85279a8046c6a070212f8911586d3bebfb9c8ff3eba4e133b7f699c2cdf5408cf32273d2cfbeb2e80ef05f4688e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4452981.exe
    Filesize

    180KB

    MD5

    4cfd0dc28a0be30564717c8a81c50fac

    SHA1

    1657fb2c04c04285ea3ad8f1080379a55ccc707b

    SHA256

    068902dbdb8bb0b4dcd65b666a4a783bf74052891956d4c2703f9ff580146499

    SHA512

    5de0a6620709ff4f58ebbb3df32086eb2e3b3f0f4a5a12c65ec47c4ff6d36ee8863db28a30bc84ef49c17e8e4c1f9607564474e20a33a7f29d096a5d0f216606

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3239034.exe
    Filesize

    168KB

    MD5

    02b6270afba4362adc5107530b6d8a12

    SHA1

    f88dde7d1dafab0d809b31681b1ecfe08750f642

    SHA256

    6c36b2e9733c6edf96f83ca32f4fe2fac05825decd5ea98febadd532339ce501

    SHA512

    ec17fb51a4d9d2479d7b28ecd71683098bb8075bb86ef02b41414ab605fde96a54f3bb2bfc693bae791350e9d9905f2199b0a89c9d6e55fa689801d961883cde

    Download Submit

  • memory/1188-62-0x0000000004AF0000-0x0000000004B3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1188-61-0x0000000004AB0000-0x0000000004AEC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1188-60-0x0000000004A30000-0x0000000004A42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1188-59-0x0000000004B80000-0x0000000004C8A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1188-58-0x0000000005090000-0x00000000056A8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1188-57-0x00000000049E0000-0x00000000049E6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1188-56-0x00000000000C0000-0x00000000000F0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4616-34-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4616-21-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4616-44-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4616-42-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4616-40-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4616-38-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4616-48-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4616-32-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4616-30-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4616-28-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4616-26-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4616-24-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4616-22-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4616-47-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4616-49-0x000000007452E000-0x000000007452F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4616-50-0x0000000074520000-0x0000000074CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4616-52-0x0000000074520000-0x0000000074CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4616-36-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4616-20-0x0000000074520000-0x0000000074CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4616-18-0x0000000004980000-0x0000000004998000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4616-19-0x0000000074520000-0x0000000074CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4616-17-0x0000000004A20000-0x0000000004FC4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4616-16-0x0000000074520000-0x0000000074CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4616-15-0x00000000022B0000-0x00000000022CA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4616-14-0x000000007452E000-0x000000007452F000-memory.dmp

    Filesize

    4KB

    Download