Overview

overview

10

Static

static

3

fb7297e7dd...8e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 02:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fb7297e7dd8298e88108c00cae41cc97c60da480dcf574783ddb0817771a158e.exe

  • Size

    479KB

  • MD5

    6b3792139359f7d9605bb1e6171b0b9a

  • SHA1

    5b1b48c8ec83cc4a8f656de20a8c9ccffb6c580f

  • SHA256

    fb7297e7dd8298e88108c00cae41cc97c60da480dcf574783ddb0817771a158e

  • SHA512

    8a04197148c12512931b52f09d41cd58cf45bd3fa5ad009b48c1e8026680d0976e7a57ca2dc9c81ec27f203ef14f62bc12d71c087ffa9c79fe895e4af3a2756b

  • SSDEEP

    12288:SMrsy90n/goxj7umVrslY8KlVIBVpCbK1DQP4G:KyqRj7Vrsy8hVsq2d

Score
10/10
healerredlinediwerdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

diwer

C2

217.196.96.101:4132

Attributes
  • auth_value

    42abfa9e4f2e290c8bdbc776fd9bb6ad

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb7297e7dd8298e88108c00cae41cc97c60da480dcf574783ddb0817771a158e.exe
    "C:\Users\Admin\AppData\Local\Temp\fb7297e7dd8298e88108c00cae41cc97c60da480dcf574783ddb0817771a158e.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3772
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5568047.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5568047.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3536
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7360521.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7360521.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4620
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4457948.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4457948.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2704

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5568047.exe
    Filesize

    307KB

    MD5

    ffe6d5674594c10f17aee66344f712b0

    SHA1

    130efe4560c96bc06a34dbd0f7a5d889b8c91976

    SHA256

    e36d4dc9b891cc713f682ad463bd5e8d0dd783d37247b6f86c969b4d1286f11a

    SHA512

    364f75cb06d37fb6edc03a8144372d38ecb662fe6284e75e3468fa6ec2d2bd848eb24cf3b2925feafc149471e73d26af57c5def2e7c5e757cd331c6ab7be2300

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7360521.exe
    Filesize

    177KB

    MD5

    f185ae60b09c5cb1d2273c48dcb2f717

    SHA1

    e0b99123ff3b829e31de29a98836a2da9fa7a281

    SHA256

    3be1a21ec321ba25946feebe3bc60ac95a598a5e83fc3346d9aee80f1bf8bbeb

    SHA512

    b6deb3d8bb4e86683fa43a2e20de1495eb713367d8c269ae722a446c4bc8e1adc54d9ee80e544f28230c2b98f95cf500b5ab837b56ecde0581a724a0409ad9c7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4457948.exe
    Filesize

    168KB

    MD5

    0c6675b7bc04956d59cfb89532bacb40

    SHA1

    86052d3137b38bb8c284669f484f0b5bba745294

    SHA256

    123a1bd8af6b8df70bb309740fd1b1cc5853bcc28cc4e4e0eeb9e66c96b5af56

    SHA512

    48915f5787eddc79322899039208c35b3459e2ad127e27b0f88edfb9cdcc6b7dbf8c46034a41d6628e90aa81a329eeb57fef08c62e28bff38364d0a5cb477da1

    Download Submit

  • memory/2704-61-0x0000000005450000-0x000000000549C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2704-60-0x00000000052C0000-0x00000000052FC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2704-59-0x0000000005260000-0x0000000005272000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2704-58-0x0000000005340000-0x000000000544A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2704-57-0x0000000005850000-0x0000000005E68000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2704-56-0x00000000010B0000-0x00000000010B6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2704-55-0x00000000007A0000-0x00000000007D0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4620-31-0x0000000005080000-0x0000000005092000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4620-20-0x0000000005080000-0x0000000005092000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4620-39-0x0000000005080000-0x0000000005092000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4620-37-0x0000000005080000-0x0000000005092000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4620-35-0x0000000005080000-0x0000000005092000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4620-33-0x0000000005080000-0x0000000005092000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4620-45-0x0000000005080000-0x0000000005092000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4620-29-0x0000000005080000-0x0000000005092000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4620-27-0x0000000005080000-0x0000000005092000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4620-23-0x0000000005080000-0x0000000005092000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4620-21-0x0000000005080000-0x0000000005092000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4620-43-0x0000000005080000-0x0000000005092000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4620-41-0x0000000005080000-0x0000000005092000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4620-48-0x00000000749CE000-0x00000000749CF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4620-49-0x00000000749C0000-0x0000000075170000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4620-51-0x00000000749C0000-0x0000000075170000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4620-47-0x0000000005080000-0x0000000005092000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4620-25-0x0000000005080000-0x0000000005092000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4620-19-0x00000000749C0000-0x0000000075170000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4620-18-0x0000000005080000-0x0000000005098000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4620-16-0x00000000749C0000-0x0000000075170000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4620-17-0x0000000004A70000-0x0000000005014000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4620-15-0x0000000002500000-0x000000000251A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4620-14-0x00000000749CE000-0x00000000749CF000-memory.dmp

    Filesize

    4KB

    Download