Overview

overview

10

Static

static

3

531ddff3e5...89.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 02:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    531ddff3e5d5ccd054e7739bb195f5d68ebdce66e713a435f389d99dd909c989.exe

  • Size

    480KB

  • MD5

    aa80b5846327a3975f98deb3478f662c

  • SHA1

    91489975537621d960dbd395a18cdbf2f87c5a2e

  • SHA256

    531ddff3e5d5ccd054e7739bb195f5d68ebdce66e713a435f389d99dd909c989

  • SHA512

    d26b6d5c8d22f20fd023b452544361bf18f9fe3e7678e05d01d521126b570127ba86d30e0bc4a4cc9bae64f5024e9a99702ed13c570df1eaecf8f97a1cb45f03

  • SSDEEP

    12288:gMrqy90vGwMzTjOIgYS0ztsQ7ozF2KE1H0pS:6yg8jOFdc+Aozub

Score
10/10
healerredlinedariydiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

dariy

C2

217.196.96.101:4132

Attributes
  • auth_value

    2f34aa0d1cb1023a826825b68ebedcc8

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\531ddff3e5d5ccd054e7739bb195f5d68ebdce66e713a435f389d99dd909c989.exe
    "C:\Users\Admin\AppData\Local\Temp\531ddff3e5d5ccd054e7739bb195f5d68ebdce66e713a435f389d99dd909c989.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1844
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8221200.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8221200.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0973099.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0973099.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3808
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6953467.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6953467.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2908
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:4848

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8221200.exe
    Filesize

    309KB

    MD5

    3c1673ee448d5eb1730bcc349e3ac074

    SHA1

    b8af07f944f93196ac685c8f4a8af43fd5dbf0a4

    SHA256

    b666b57bed062332c07345624f9b562e61a39703709d469f83e563a70ee5ce36

    SHA512

    9387d549665d4efe4922eb71816165de66b8cc90cf865e91fb552e21ae6c4d4eaec482c4a3be8f063f06fd58882ca25da39de19d892cecdd0c5737a8221f9f82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0973099.exe
    Filesize

    176KB

    MD5

    9420cc8e366d90bb41ba5fe8c8c7484a

    SHA1

    ffdb6ac0b81c7f7fa7c5c724c94a8f5d45a522f6

    SHA256

    594cd66163faf6fa4b4dd97ddde7d8b07627eabca2725a55a99fcae84996b65e

    SHA512

    98c8bdfb045711b64eb54f635c2f59ad51b726209dd4f59e2cadc9f0b1e459b314022ecf8e0711e4eac520f526852827b0390f25421de185fe7a0b0a2b8a30be

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6953467.exe
    Filesize

    168KB

    MD5

    e6444d0cb439e32e3834f3b264a5c936

    SHA1

    22d04f2b2f0e1bc71f23af72e3f31226cc426eb7

    SHA256

    10b0c4b52c7ef8a7604719265030511d0acd46a3cf726324a280e906086493fe

    SHA512

    a5c1fd260cd021dc072c23c71a75ccff740aadf56698b12e0244f6bc35baaa9720f2817ac9d232c90555f8d2867d5114c3cec2eedec6cf8df833e466870cd7b4

    Download Submit

  • memory/2908-62-0x0000000004C40000-0x0000000004C8C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2908-61-0x0000000004AB0000-0x0000000004AEC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2908-60-0x0000000004A50000-0x0000000004A62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2908-59-0x0000000004B30000-0x0000000004C3A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2908-58-0x0000000005040000-0x0000000005658000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2908-57-0x0000000002320000-0x0000000002326000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2908-56-0x00000000000D0000-0x00000000000FE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3808-33-0x0000000004F40000-0x0000000004F52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3808-20-0x0000000004F40000-0x0000000004F52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3808-39-0x0000000004F40000-0x0000000004F52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3808-37-0x0000000004F40000-0x0000000004F52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3808-48-0x0000000074470000-0x0000000074C20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3808-35-0x0000000004F40000-0x0000000004F52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3808-43-0x0000000004F40000-0x0000000004F52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3808-31-0x0000000004F40000-0x0000000004F52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3808-29-0x0000000004F40000-0x0000000004F52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3808-27-0x0000000004F40000-0x0000000004F52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3808-25-0x0000000004F40000-0x0000000004F52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3808-23-0x0000000004F40000-0x0000000004F52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3808-21-0x0000000004F40000-0x0000000004F52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3808-41-0x0000000004F40000-0x0000000004F52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3808-49-0x000000007447E000-0x000000007447F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3808-50-0x0000000074470000-0x0000000074C20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3808-52-0x0000000074470000-0x0000000074C20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3808-45-0x0000000004F40000-0x0000000004F52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3808-47-0x0000000004F40000-0x0000000004F52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3808-18-0x0000000004F40000-0x0000000004F58000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3808-19-0x0000000074470000-0x0000000074C20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3808-17-0x0000000004930000-0x0000000004ED4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3808-16-0x0000000074470000-0x0000000074C20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3808-15-0x00000000048D0000-0x00000000048EA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3808-14-0x000000007447E000-0x000000007447F000-memory.dmp

    Filesize

    4KB

    Download