Overview

overview

10

Static

static

3

03b9722006...19.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 02:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    03b972200666e8372e74252e34e7c47a20eeb284d91857a29ab191d810578f19.exe

  • Size

    479KB

  • MD5

    d8aa17a35e7fffa914ee73bffd54fb44

  • SHA1

    9a23ae078acf8523ba9b60b60f6366f8d5495cbe

  • SHA256

    03b972200666e8372e74252e34e7c47a20eeb284d91857a29ab191d810578f19

  • SHA512

    a3cea61ddacd442028dd924e1659df23c5ec5b5f6fc18352033c414dcefa38ada47f9b3c6a8b9559fa2fb445a7d7bd350e1c3139d3e38bda23e8bdf3418f0419

  • SSDEEP

    12288:ZMrzy90a/In/YP1qkxgWgl4FGPuHv+D1sVzK:eyXI/YNlTCTlD1qzK

Score
10/10
healerredlinemurkadiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

murka

C2

217.196.96.101:4132

Attributes
  • auth_value

    878a0681ac6ad0e4eb10ef9db07abdd9

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03b972200666e8372e74252e34e7c47a20eeb284d91857a29ab191d810578f19.exe
    "C:\Users\Admin\AppData\Local\Temp\03b972200666e8372e74252e34e7c47a20eeb284d91857a29ab191d810578f19.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:644
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6225871.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6225871.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1252
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7097525.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7097525.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:428
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1928152.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1928152.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4972

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6225871.exe
    Filesize

    307KB

    MD5

    2d1c49c488078cdb7b800adc16db35c8

    SHA1

    cc245314ac52e2d8e55043ca84a0a3117e474f24

    SHA256

    8c76f48b9c69ffa317deadd9ee528bd4c51b4f610ea56a20cf8eec394ccdaea0

    SHA512

    aa04d9f12da2b1e8a0ae7838b10a759fdbcf5e065e293316fffce31196a24b2c2a3e5750324b98bc5074d675824ef7e374fe67a6b6d116268abbc6c9ebba310c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7097525.exe
    Filesize

    181KB

    MD5

    63d98f55f138a43afcb24260b0665876

    SHA1

    4dcfa7272722ee3497965d77b621e4eabac2e4e9

    SHA256

    c14234110b04673dc5e16e5d1851f155ccb623993f906bd7919b023666d53b74

    SHA512

    0db966f4d7ad072a203ab9c05b77fa699f089f507d433f693892032fef470d44a1c934012a0011fc00da59e4b1de6ceb4cef364405116026fe0e9455b4e8a1f9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1928152.exe
    Filesize

    168KB

    MD5

    af495c7012f6462d11e520d891a81a47

    SHA1

    d8fc98c76f182941a5d382b2c2d760aafdc3eaf7

    SHA256

    e4eb956356d04ec4c9185678520999fac96a4b82739e1f1ab418bfc7f860e964

    SHA512

    34ac5cc5dbdf0c18450e782d9fcad8bdf3d6ca725b0ce38b725aca367ccf0745b63c37a4eb2e0d888bcdb02eb589f576d4be7f4fd9cab5ac211c24405c3ee800

    Download Submit

  • memory/428-35-0x0000000004F50000-0x0000000004F62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/428-50-0x0000000074830000-0x0000000074FE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/428-17-0x00000000049A0000-0x0000000004F44000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/428-18-0x0000000004F50000-0x0000000004F68000-memory.dmp

    Filesize

    96KB

    Download

  • memory/428-19-0x0000000074830000-0x0000000074FE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/428-29-0x0000000004F50000-0x0000000004F62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/428-23-0x0000000004F50000-0x0000000004F62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/428-48-0x0000000074830000-0x0000000074FE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/428-43-0x0000000004F50000-0x0000000004F62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/428-41-0x0000000004F50000-0x0000000004F62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/428-39-0x0000000004F50000-0x0000000004F62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/428-37-0x0000000004F50000-0x0000000004F62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/428-47-0x0000000004F50000-0x0000000004F62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/428-15-0x0000000002360000-0x000000000237A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/428-34-0x0000000004F50000-0x0000000004F62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/428-31-0x0000000004F50000-0x0000000004F62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/428-45-0x0000000004F50000-0x0000000004F62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/428-21-0x0000000004F50000-0x0000000004F62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/428-20-0x0000000004F50000-0x0000000004F62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/428-27-0x0000000004F50000-0x0000000004F62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/428-25-0x0000000004F50000-0x0000000004F62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/428-49-0x000000007483E000-0x000000007483F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/428-16-0x0000000074830000-0x0000000074FE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/428-52-0x0000000074830000-0x0000000074FE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/428-14-0x000000007483E000-0x000000007483F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4972-56-0x0000000000E90000-0x0000000000EC0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4972-57-0x0000000002F40000-0x0000000002F46000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4972-58-0x000000000B1D0000-0x000000000B7E8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4972-59-0x000000000AD00000-0x000000000AE0A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4972-60-0x000000000AC30000-0x000000000AC42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4972-61-0x000000000AC90000-0x000000000ACCC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4972-62-0x0000000005080000-0x00000000050CC000-memory.dmp

    Filesize

    304KB

    Download