Overview

overview

10

Static

static

3

ceb9e93981...8d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 02:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ceb9e93981dfbc00008733d627ded57c6dbacff96e0fe0c4e56df7f8bc614e8d.exe

  • Size

    686KB

  • MD5

    ac2d73d582042d05e6909bb6130c424f

  • SHA1

    08fd04a7cd82b6279ff4ed13beae6b393455264b

  • SHA256

    ceb9e93981dfbc00008733d627ded57c6dbacff96e0fe0c4e56df7f8bc614e8d

  • SHA512

    7c44baebe482905e2fd0e043d8dd05dc93390f76b56c69e52c333caa61737f8a7a40b8866c6c92c9103accb5dd4d14b3393580909fadd8f2b329e57e46016679

  • SSDEEP

    12288:pMrHy90JE3SbVcL3C3NW3zJy2fOmkBjz5mdnPJbOJbyMKb96TxuA6Vqqh1h:Kyc9327Ej9mdnByJGFkuAOqq5

Score
10/10
healerredlineborisdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

boris

C2

193.233.20.32:4125

Attributes
  • auth_value

    766b5bdf6dbefcf7ca223351952fc38f

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ceb9e93981dfbc00008733d627ded57c6dbacff96e0fe0c4e56df7f8bc614e8d.exe
    "C:\Users\Admin\AppData\Local\Temp\ceb9e93981dfbc00008733d627ded57c6dbacff96e0fe0c4e56df7f8bc614e8d.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1624
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un708387.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un708387.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3532
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:960
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 1080
          4⤵
          • Program crash
          PID:1532
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6659.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6659.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2184
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 960 -ip 960
    1⤵
      PID:3916

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un708387.exe
      Filesize

      544KB

      MD5

      00b1d52a6a4b3d53e7633803302334d0

      SHA1

      1cee68eee04591656bb39a1080da42d02cb4e39b

      SHA256

      bfcd8cb5d1e698f97995ba4928ae36bbc76318b5c13b5fd8e1ca2f05e0e6b122

      SHA512

      ed7a0d29f1a2c2c8a2f2d8e4e62370cf67a46a3640a901cc11340aaf08b9fe40d86b691bb141809e35fb2294cd42c7e9b51471fd844d5e1babe92cab85bcb54c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe
      Filesize

      326KB

      MD5

      68dcf7f6f440c499f54f1e1d6d7c366d

      SHA1

      52eed408be2231670e4dfbd081525f4d315e88fd

      SHA256

      a2cffd049027e0ea76565309a2b42d002f03b03a55e6bc4f62cb61f989067ad4

      SHA512

      061b537fc49a8374716f1e46c58bf2e25b9b3ce852705890f61853b504d8362aa1280dbaff4db14c84e6d95e4d8e8114f6a90dcc84c6360889a364780cfa5cb7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6659.exe
      Filesize

      384KB

      MD5

      f3a3aaf2030aa4c204f30421c6319541

      SHA1

      3908a357586f0719705d0b93d626cdc4b34eb96b

      SHA256

      06a8161c27d0ae1a306d2a7d6c6936ecd312583b2665038088da3ed6a4061768

      SHA512

      645e8fd869391f49bfe84894e5927c355249dec6bfd3ba95acbdf886aa1ad22ec5f85e3320abd431936c59be4275e37a778481877fad1998d87e86fdfb5482d0

      Download Submit

    • memory/960-15-0x0000000002C60000-0x0000000002D60000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/960-16-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/960-17-0x0000000000400000-0x0000000002B7F000-memory.dmp

      Filesize

      39.5MB

      Download

    • memory/960-18-0x0000000004900000-0x000000000491A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/960-19-0x0000000007390000-0x0000000007934000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/960-20-0x0000000004AF0000-0x0000000004B08000-memory.dmp

      Filesize

      96KB

      Download

    • memory/960-46-0x0000000004AF0000-0x0000000004B02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/960-48-0x0000000004AF0000-0x0000000004B02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/960-44-0x0000000004AF0000-0x0000000004B02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/960-42-0x0000000004AF0000-0x0000000004B02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/960-40-0x0000000004AF0000-0x0000000004B02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/960-38-0x0000000004AF0000-0x0000000004B02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/960-36-0x0000000004AF0000-0x0000000004B02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/960-34-0x0000000004AF0000-0x0000000004B02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/960-30-0x0000000004AF0000-0x0000000004B02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/960-28-0x0000000004AF0000-0x0000000004B02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/960-26-0x0000000004AF0000-0x0000000004B02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/960-25-0x0000000004AF0000-0x0000000004B02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/960-22-0x0000000004AF0000-0x0000000004B02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/960-21-0x0000000004AF0000-0x0000000004B02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/960-32-0x0000000004AF0000-0x0000000004B02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/960-49-0x0000000002C60000-0x0000000002D60000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/960-51-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/960-50-0x0000000000400000-0x0000000002B7F000-memory.dmp

      Filesize

      39.5MB

      Download

    • memory/960-53-0x0000000000400000-0x0000000002B7F000-memory.dmp

      Filesize

      39.5MB

      Download

    • memory/960-54-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2184-59-0x0000000004C90000-0x0000000004CD6000-memory.dmp

      Filesize

      280KB

      Download

    • memory/2184-60-0x00000000077A0000-0x00000000077E4000-memory.dmp

      Filesize

      272KB

      Download

    • memory/2184-86-0x00000000077A0000-0x00000000077DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2184-94-0x00000000077A0000-0x00000000077DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2184-92-0x00000000077A0000-0x00000000077DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2184-90-0x00000000077A0000-0x00000000077DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2184-88-0x00000000077A0000-0x00000000077DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2184-84-0x00000000077A0000-0x00000000077DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2184-82-0x00000000077A0000-0x00000000077DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2184-80-0x00000000077A0000-0x00000000077DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2184-78-0x00000000077A0000-0x00000000077DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2184-967-0x00000000077E0000-0x0000000007DF8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2184-76-0x00000000077A0000-0x00000000077DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2184-74-0x00000000077A0000-0x00000000077DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2184-72-0x00000000077A0000-0x00000000077DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2184-70-0x00000000077A0000-0x00000000077DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2184-68-0x00000000077A0000-0x00000000077DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2184-66-0x00000000077A0000-0x00000000077DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2184-64-0x00000000077A0000-0x00000000077DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2184-62-0x00000000077A0000-0x00000000077DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2184-61-0x00000000077A0000-0x00000000077DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2184-968-0x0000000007E50000-0x0000000007F5A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2184-969-0x0000000007F90000-0x0000000007FA2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2184-970-0x0000000007FB0000-0x0000000007FEC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2184-971-0x0000000008100000-0x000000000814C000-memory.dmp

      Filesize

      304KB

      Download