Overview

overview

10

Static

static

3

d1c87259d8...2N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 02:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d1c87259d8611552bfcad0b0de13a0d3778b55948d70786cdc818f2b4e1da612N.exe

  • Size

    391KB

  • MD5

    47ef3fb1934307186e106fe85b8afff3

  • SHA1

    68fa2ff2b477bae1b98a3bff4ac3dd7a11034b1d

  • SHA256

    c371f4de822150c66e7a1bca9856d622fd8520e1b91fc8527cae3001a0de6532

  • SHA512

    c51ca0ac50151df33fed8612009e4f2faabe2412f0bc4ae14a727ac939c1077dbf37ab5b63740b33f00428880c80d1436ffb38571e2f65e5d2d4570a9435fcb2

  • SSDEEP

    6144:Kty+bnr+jp0yN90QEcplgwSI8tYD1LjDXjqm7lA11Qh0:PMrzy90QSI8G9j5eQh0

Score
10/10
healerredlinerumfadiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rumfa

C2

193.233.20.24:4123

Attributes
  • auth_value

    749d02a6b4ef1fa2ad908e44ec2296dc

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d1c87259d8611552bfcad0b0de13a0d3778b55948d70786cdc818f2b4e1da612N.exe
    "C:\Users\Admin\AppData\Local\Temp\d1c87259d8611552bfcad0b0de13a0d3778b55948d70786cdc818f2b4e1da612N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sw51Gf51Tz75.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sw51Gf51Tz75.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2212
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tzP99Er17.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tzP99Er17.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:372

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sw51Gf51Tz75.exe
    Filesize

    16KB

    MD5

    4ddbf8e9efa1e6d33397a3817ac794d6

    SHA1

    bea9492f049d80d12b587d9af990e5328a966d21

    SHA256

    6db689501b029fcd35af979ab8c7b958647df3c9728d07334b92fb5956803e77

    SHA512

    1fbfdade572d37bb234a2cfffe5671f5b48aacb649bf0c25ffa1caa5542666c2ecb41fd60dd0a55de58927aacec3f07d375cccdd7247192030af4ad887ebc656

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tzP99Er17.exe
    Filesize

    302KB

    MD5

    47edc698fb60063cef4e63ee2d5d05bc

    SHA1

    8f7bc644d7a378df490ab77d7b3b9b2a25a870fa

    SHA256

    2561279e13e55b30c371c6d72c72bf9124697eec6395f1c1dfbbdd8ac3f5557f

    SHA512

    b6c7b5288217bd01efe5ee9ec396dc7471240749a9f8998ddec34f7a2a073bfaa062e4a72986d0dcb73e283dc60e0cfcd0885a2e68014598e86277dd80082715

    Download Submit

  • memory/372-15-0x0000000000660000-0x0000000000760000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/372-16-0x00000000021F0000-0x000000000223B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/372-17-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/372-18-0x0000000002760000-0x00000000027A6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/372-19-0x0000000004D60000-0x0000000005304000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/372-20-0x0000000004CA0000-0x0000000004CE4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/372-32-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/372-34-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/372-84-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/372-80-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/372-79-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/372-76-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/372-74-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/372-72-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/372-68-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/372-66-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/372-64-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/372-62-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/372-60-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/372-58-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/372-56-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/372-54-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/372-50-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/372-48-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/372-46-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/372-44-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/372-42-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/372-40-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/372-38-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/372-36-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/372-30-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/372-28-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/372-26-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/372-82-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/372-70-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/372-52-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/372-24-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/372-22-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/372-21-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/372-927-0x0000000005310000-0x0000000005928000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/372-928-0x00000000059A0000-0x0000000005AAA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/372-929-0x0000000005AE0000-0x0000000005AF2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/372-930-0x0000000005B00000-0x0000000005B3C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/372-931-0x0000000005C50000-0x0000000005C9C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/372-932-0x0000000000660000-0x0000000000760000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/372-933-0x00000000021F0000-0x000000000223B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/372-935-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/2212-7-0x00007FF867FA3000-0x00007FF867FA5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2212-8-0x00000000003D0000-0x00000000003DA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2212-9-0x00007FF867FA3000-0x00007FF867FA5000-memory.dmp

    Filesize

    8KB

    Download