Overview

overview

10

Static

static

3

acee098984...b3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 02:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    acee098984f44491375a0984cf3fd2c48445b8b136a9332d305d3a09437e3cb3.exe

  • Size

    692KB

  • MD5

    734d065e1e159b018ed0753ee148528b

  • SHA1

    f8df8c437da11f4fbc8e4d6b7006fd8fc50f424a

  • SHA256

    acee098984f44491375a0984cf3fd2c48445b8b136a9332d305d3a09437e3cb3

  • SHA512

    2f9ab4052800f444676f5c4afa5e5593e4f4b85163c4ffcb67bafbb07c7a3f046d4a9a12dd1ecb16ea611000422b0691b0b3a1ca8a7eb3bfd893631ef330ad6e

  • SSDEEP

    12288:oMrfy90f3TyandtaH0D3zrGmXD+T84RHhzBBD78pcclI7qsNBe9RbOA3MWlT:nyo+adtaHj84rasre98rI

Score
10/10
healerredlineborisdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

boris

C2

193.233.20.32:4125

Attributes
  • auth_value

    766b5bdf6dbefcf7ca223351952fc38f

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\acee098984f44491375a0984cf3fd2c48445b8b136a9332d305d3a09437e3cb3.exe
    "C:\Users\Admin\AppData\Local\Temp\acee098984f44491375a0984cf3fd2c48445b8b136a9332d305d3a09437e3cb3.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2764
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio8610.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio8610.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4044
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7362.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7362.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1936
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 1076
          4⤵
          • Program crash
          PID:2260
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6449.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6449.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4820
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1936 -ip 1936
    1⤵
      PID:4236
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start wuauserv
      1⤵
      • Launches sc.exe
      PID:3936

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio8610.exe
      Filesize

      549KB

      MD5

      ecb0ab64497c7af3c1198729289315f6

      SHA1

      888364d450d5488b5c4ca5ad28697c97ad52e9d3

      SHA256

      e2ca8172b3b2fb21dc564c5d23ed7423cf647cb280e14d98f568a50ca8f537fd

      SHA512

      c3698b0da57817dce1cf5ee9078381df51adf48362e831e5b5f6c49b119bdba56c3c52314d963c6666966c019d7b0286608b49377955d4ad831abea9aa345210

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7362.exe
      Filesize

      327KB

      MD5

      3515573fbc05a3113d582dad3d3947a9

      SHA1

      931390117e0d838677b1b172c2adcecc07b1c6ae

      SHA256

      75ff6ba6f25f5be2b03fe1d014fb151c9f24805e450087c20bd8eba1a4c3bdd1

      SHA512

      bef5f7e414f57d3776aee6a7ae8bc62828230f549f6980bf1086648049123786d897993a3d62218f142912e13d4550daa5d1f15c0ae1f5eb257ff0b301e62f0b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6449.exe
      Filesize

      385KB

      MD5

      7abb0c58819757ff02646dbdbd1ce7ab

      SHA1

      39a53b6eea771d57d8b1358e90fad0bf99458a46

      SHA256

      d580f85b023a212e0e21d3e3db0305f96151228835f17b47598c3bf950ad2a7c

      SHA512

      d7e8f264961f88a06e52f780c0f8e7400722908c43b96fda955dfc233fd0a9bbf4d24e43d09f54b2946b163184e85f4aa9f3a749e53cb8dda592d06472a0de4a

      Download Submit

    • memory/1936-15-0x0000000002DA0000-0x0000000002EA0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1936-16-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1936-17-0x0000000002F40000-0x0000000002F5A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1936-18-0x0000000000400000-0x0000000002B7F000-memory.dmp

      Filesize

      39.5MB

      Download

    • memory/1936-19-0x00000000072E0000-0x0000000007884000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1936-20-0x0000000004BD0000-0x0000000004BE8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1936-38-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1936-48-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1936-46-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1936-44-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1936-42-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1936-40-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1936-36-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1936-34-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1936-32-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1936-30-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1936-28-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1936-26-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1936-24-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1936-22-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1936-21-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1936-49-0x0000000002DA0000-0x0000000002EA0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1936-51-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1936-50-0x0000000000400000-0x0000000002B7F000-memory.dmp

      Filesize

      39.5MB

      Download

    • memory/1936-53-0x0000000000400000-0x0000000002B7F000-memory.dmp

      Filesize

      39.5MB

      Download

    • memory/1936-54-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4820-59-0x0000000004760000-0x00000000047A6000-memory.dmp

      Filesize

      280KB

      Download

    • memory/4820-60-0x0000000004C50000-0x0000000004C94000-memory.dmp

      Filesize

      272KB

      Download

    • memory/4820-82-0x0000000004C50000-0x0000000004C8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4820-94-0x0000000004C50000-0x0000000004C8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4820-92-0x0000000004C50000-0x0000000004C8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4820-90-0x0000000004C50000-0x0000000004C8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4820-88-0x0000000004C50000-0x0000000004C8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4820-86-0x0000000004C50000-0x0000000004C8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4820-84-0x0000000004C50000-0x0000000004C8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4820-80-0x0000000004C50000-0x0000000004C8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4820-78-0x0000000004C50000-0x0000000004C8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4820-76-0x0000000004C50000-0x0000000004C8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4820-74-0x0000000004C50000-0x0000000004C8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4820-72-0x0000000004C50000-0x0000000004C8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4820-70-0x0000000004C50000-0x0000000004C8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4820-68-0x0000000004C50000-0x0000000004C8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4820-66-0x0000000004C50000-0x0000000004C8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4820-64-0x0000000004C50000-0x0000000004C8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4820-62-0x0000000004C50000-0x0000000004C8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4820-61-0x0000000004C50000-0x0000000004C8F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4820-967-0x00000000079D0000-0x0000000007FE8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4820-968-0x0000000007FF0000-0x00000000080FA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4820-969-0x00000000072F0000-0x0000000007302000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4820-970-0x0000000008100000-0x000000000813C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4820-971-0x0000000008250000-0x000000000829C000-memory.dmp

      Filesize

      304KB

      Download