Overview

overview

10

Static

static

3

18ee136df5...6N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    101s
  • max time network
    117s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 02:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    18ee136df5e0977627dd92f0bbd0e94f671904f162c510b27e71fe2c5f0ba8d6N.exe

  • Size

    503KB

  • MD5

    1acc150e9b73a63fd89274e385466e6b

  • SHA1

    9ace31944855e18d52e692ef27aefe74a3cdf665

  • SHA256

    f88bdf6a99e700557832347e033d4c78c815fa37478a3379fe87bf6539d40934

  • SHA512

    a520333a558c3973194c8b856272476c14f74e97fcd326f0387d3be69abff301a763c2ada8c63475916b5b86d6cdfc7789813f70be661151da42cacc64fc56f5

  • SSDEEP

    12288:HMrXy90KCMHaYkd+UOkbSPv32aIsz8SyqOGoP:wy5HaYkd+UVbSH32Vs8JGoP

Score
10/10
healerredlinelintdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

lint

C2

193.233.20.28:4125

Attributes
  • auth_value

    0e95262fb78243c67430f3148303e5b7

Signatures

  • Detects Healer an antivirus disabler dropper 19 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18ee136df5e0977627dd92f0bbd0e94f671904f162c510b27e71fe2c5f0ba8d6N.exe
    "C:\Users\Admin\AppData\Local\Temp\18ee136df5e0977627dd92f0bbd0e94f671904f162c510b27e71fe2c5f0ba8d6N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4032
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will2158.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will2158.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4384
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ns1114IN.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ns1114IN.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4800
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\py12EU51.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\py12EU51.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4856
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 1080
          4⤵
          • Program crash
          PID:3664
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qs5009VR.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qs5009VR.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4948
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4856 -ip 4856
    1⤵
      PID:2912

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qs5009VR.exe
      Filesize

      175KB

      MD5

      0ecc8ab62b7278cc6650517251f1543c

      SHA1

      b4273cda193a20d48e83241275ffc34ddad412f2

      SHA256

      b0f1238e54ac8e3534af7ecb4f834bea3223120fedb1eab80f7a1bf00fb5b97a

      SHA512

      c79d266c82b766ca39377fd02b3bc307fce4b59f53936e97c162200de3f8b3f72f6beda2aef2ab9ecd9be669b625c6ed0aaefa157cca7ac11d78b1939f660092

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will2158.exe
      Filesize

      358KB

      MD5

      e652747f680b83df9d55a54202c41ba9

      SHA1

      34c6532805b962a8146bdd6168d154a3f62c2f8a

      SHA256

      ea8495c7321dbad7107b7fbc3cb4e87664a754903b077bb8d376c1e51925fc58

      SHA512

      1cc8f19d67218ba26ca1f8edf8a7154532bc91861a18e0a45e59b7ab69434f2e0feb627c2fe2b22a796dbdb06a446cec509f7f4415617efc29759620d2087414

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ns1114IN.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\py12EU51.exe
      Filesize

      342KB

      MD5

      e3bbb6b3a43ecf667f53d7b9742b6a13

      SHA1

      fc4a70044e9d79f58b855ca92994ebe505eb4a79

      SHA256

      c4a443392b066ff953e7938ff6a0ec8aa581fb9159a0af88969096d7af2c59a5

      SHA512

      0995518615570600e5732636965a3b236a3af97d5bbf354f58bfba045a53474a8126304e06dbc052a4ff2ba21e23efa86d11545eebcf48d34e6228775410f121

      Download Submit

    • memory/4800-14-0x00007FFD8CDC3000-0x00007FFD8CDC5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4800-15-0x0000000000ED0000-0x0000000000EDA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4800-16-0x00007FFD8CDC3000-0x00007FFD8CDC5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4856-40-0x0000000004C50000-0x0000000004C62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4856-26-0x0000000004C50000-0x0000000004C62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4856-25-0x0000000004C50000-0x0000000004C62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4856-28-0x0000000004C50000-0x0000000004C62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4856-52-0x0000000004C50000-0x0000000004C62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4856-50-0x0000000004C50000-0x0000000004C62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4856-48-0x0000000004C50000-0x0000000004C62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4856-46-0x0000000004C50000-0x0000000004C62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4856-44-0x0000000004C50000-0x0000000004C62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4856-23-0x0000000007200000-0x00000000077A4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4856-36-0x0000000004C50000-0x0000000004C62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4856-34-0x0000000004C50000-0x0000000004C62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4856-32-0x0000000004C50000-0x0000000004C62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4856-24-0x0000000004C50000-0x0000000004C68000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4856-42-0x0000000004C50000-0x0000000004C62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4856-39-0x0000000004C50000-0x0000000004C62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4856-31-0x0000000004C50000-0x0000000004C62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4856-53-0x0000000000400000-0x0000000002B05000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/4856-22-0x0000000004AC0000-0x0000000004ADA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4856-55-0x0000000000400000-0x0000000002B05000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/4948-59-0x0000000000BD0000-0x0000000000C02000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4948-60-0x0000000005A40000-0x0000000006058000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4948-61-0x0000000005570000-0x000000000567A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4948-62-0x00000000054A0000-0x00000000054B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4948-63-0x0000000005530000-0x000000000556C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4948-64-0x00000000054C0000-0x000000000550C000-memory.dmp

      Filesize

      304KB

      Download