Overview

overview

10

Static

static

3

88a3aeed78...70.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 02:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    88a3aeed7845c7d3be471aa2445866b7ce052627f0589c5c636c6baf81410b70.exe

  • Size

    544KB

  • MD5

    479ef582a236f87ef99c9871107fa7f6

  • SHA1

    add0e6cf16054b635f360ab331fec25d4e5e2815

  • SHA256

    88a3aeed7845c7d3be471aa2445866b7ce052627f0589c5c636c6baf81410b70

  • SHA512

    d4601fa84abe188c2676b0c4fc66e05c30b6c3d2a7e0484ae3dc1bae5598e3cd4689ffcddcd17814ecf9c17493575e7aab09ecaae024110bec255c0dc7239be4

  • SSDEEP

    12288:SMr/y90Gc+hZ/UWRZQf/iXIyhX3h19HFoLEA:VyFfZNqoFFgEA

Score
10/10
healerredlinerumfadiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rumfa

C2

193.233.20.24:4123

Attributes
  • auth_value

    749d02a6b4ef1fa2ad908e44ec2296dc

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\88a3aeed7845c7d3be471aa2445866b7ce052627f0589c5c636c6baf81410b70.exe
    "C:\Users\Admin\AppData\Local\Temp\88a3aeed7845c7d3be471aa2445866b7ce052627f0589c5c636c6baf81410b70.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:648
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vSM3100NY.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vSM3100NY.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1584
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw65Gg14bq69.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw65Gg14bq69.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2764
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\thR15Sj06.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\thR15Sj06.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1528
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:1428

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vSM3100NY.exe
    Filesize

    399KB

    MD5

    a9f5cf565f56bff76045f6b80e026a09

    SHA1

    f523befd25df2844f9787d7f17a8469c924abcda

    SHA256

    67bd4d4f21673e1256c83f1133f47d2f9266b145b90a75a6593e733f0ad03e55

    SHA512

    7800fe4bfe5b7fa95be858fdd238f99a93788387aef0d335f5314b031c05a5196083e5262fa43fb71857e44eed897f282fb0cc33ad5406ab1fa18cacd1275bec

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw65Gg14bq69.exe
    Filesize

    14KB

    MD5

    d6a7f20a9e3b81f6213fad9cdded132f

    SHA1

    a8c5a27d6573594db079b3cabc439c7041d2a6b2

    SHA256

    fe4ba7ce95cc29718cc49e62434c384d6ab6abac870780c81552afe9018874fd

    SHA512

    1f33d07a901db201723acf7ab9418b872d0ebec1c8dbd755b7aa1f0478cdf35fa9ebf77faea6f1758eba643fa5e42ab2f8a065b2ef0ff9eceeb266461b348742

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\thR15Sj06.exe
    Filesize

    375KB

    MD5

    47b1a20db297f70b1d9db60ea51d14d9

    SHA1

    b55664710122138d23e0e295dcade2b9aea41120

    SHA256

    80aab4a4c16d1ab74369c2914ab0348c3ab3b600ee7d40eda315a18bda1cd287

    SHA512

    e9924f8f89b8268c2d88d427727cacecffee75358583934131150fd73a1372ca65e0159cb221f718a19f2386cfa2905f46d58cd19a4ed63b5f98f073c3753288

    Download Submit

  • memory/1528-60-0x00000000071E0000-0x000000000721E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1528-22-0x0000000007160000-0x00000000071A6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1528-935-0x0000000008160000-0x00000000081AC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1528-56-0x00000000071E0000-0x000000000721E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1528-23-0x0000000007340000-0x00000000078E4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1528-24-0x00000000071E0000-0x0000000007224000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1528-38-0x00000000071E0000-0x000000000721E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1528-88-0x00000000071E0000-0x000000000721E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1528-86-0x00000000071E0000-0x000000000721E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1528-84-0x00000000071E0000-0x000000000721E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1528-58-0x00000000071E0000-0x000000000721E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1528-78-0x00000000071E0000-0x000000000721E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1528-54-0x00000000071E0000-0x000000000721E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1528-74-0x00000000071E0000-0x000000000721E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1528-72-0x00000000071E0000-0x000000000721E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1528-70-0x00000000071E0000-0x000000000721E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1528-68-0x00000000071E0000-0x000000000721E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1528-64-0x00000000071E0000-0x000000000721E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1528-62-0x00000000071E0000-0x000000000721E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1528-934-0x0000000008020000-0x000000000805C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1528-80-0x00000000071E0000-0x000000000721E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1528-933-0x00000000072F0000-0x0000000007302000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1528-76-0x00000000071E0000-0x000000000721E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1528-52-0x00000000071E0000-0x000000000721E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1528-50-0x00000000071E0000-0x000000000721E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1528-48-0x00000000071E0000-0x000000000721E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1528-46-0x00000000071E0000-0x000000000721E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1528-44-0x00000000071E0000-0x000000000721E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1528-42-0x00000000071E0000-0x000000000721E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1528-40-0x00000000071E0000-0x000000000721E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1528-36-0x00000000071E0000-0x000000000721E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1528-34-0x00000000071E0000-0x000000000721E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1528-32-0x00000000071E0000-0x000000000721E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1528-30-0x00000000071E0000-0x000000000721E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1528-82-0x00000000071E0000-0x000000000721E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1528-28-0x00000000071E0000-0x000000000721E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1528-66-0x00000000071E0000-0x000000000721E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1528-26-0x00000000071E0000-0x000000000721E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1528-25-0x00000000071E0000-0x000000000721E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1528-931-0x00000000078F0000-0x0000000007F08000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1528-932-0x0000000007F10000-0x000000000801A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2764-17-0x00007FFD3FA63000-0x00007FFD3FA65000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2764-14-0x00007FFD3FA63000-0x00007FFD3FA65000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2764-15-0x0000000000DE0000-0x0000000000DEA000-memory.dmp

    Filesize

    40KB

    Download