Overview

overview

10

Static

static

3

cc79f41556...50.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 02:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cc79f41556f46cf037712cf38b3e276f942218c1df79fe8a304a2147a1c2eb50.exe

  • Size

    673KB

  • MD5

    1964e639a1b3a61d13a0dbff4418240c

  • SHA1

    a3c70da7c4adb3cc2dc89ca16d1999eee50019a4

  • SHA256

    cc79f41556f46cf037712cf38b3e276f942218c1df79fe8a304a2147a1c2eb50

  • SHA512

    6d2fe154a49cfbc0d24b577ff538af0582bc3764ee27d5c51325569b7044606f573de8fdfe96cd8188582fcea3f1c087c7f0daa5f2f8abd9fa931cab776bd519

  • SSDEEP

    12288:dMrIy90lKaaxy6TnwyzRlFHyZLdUHT0HthBbuWPGWM0/5vDLkR:5yPaaxFwyzZalth1uM1/E

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cc79f41556f46cf037712cf38b3e276f942218c1df79fe8a304a2147a1c2eb50.exe
    "C:\Users\Admin\AppData\Local\Temp\cc79f41556f46cf037712cf38b3e276f942218c1df79fe8a304a2147a1c2eb50.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:884
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un374574.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un374574.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1904
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4540.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4540.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:592
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 592 -s 1028
          4⤵
          • Program crash
          PID:1616
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4606.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4606.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3224
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 592 -ip 592
    1⤵
      PID:820

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un374574.exe
      Filesize

      531KB

      MD5

      b3b6660155307bbab0abdab69c88b1eb

      SHA1

      eea29ad292d06694104ede0ee6d55d15e2f29763

      SHA256

      864b44a99de22adbf7bede25f77d2e9cb0a920eeadb3d82db633f15a74afbe01

      SHA512

      aa568d9a97a80a057cce51397d33f80bf222786e98a335a36a77df102584fb8fa72776517dd8d0bc4e6f0544d5f7348f66ebaf1a0d42878c6a7215cae77afb01

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4540.exe
      Filesize

      260KB

      MD5

      538ac6ee566762a3db2b0cc33d3f7d95

      SHA1

      65be0131303ebf3d66a7d943e868aec1514ff039

      SHA256

      ba6073025a603187fa047f1205dad29c900bde149998edc4a23785fff681fa24

      SHA512

      839f82b0e802b75b9d5fb06a173b3738ce2d59012e7f5ae40190d31a0751d9bb33e48da90ecc0c520c14c2a631bb6925108d7394791288592cf827f668d89712

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4606.exe
      Filesize

      319KB

      MD5

      c9304d8800694620375b74eae96886e5

      SHA1

      62a0be5e18f636423e3404f84d5cbeec918536af

      SHA256

      8d5d4fe7913eafe4a85560275d8092d371440f2ef2ac3f357bfd7316e98cac76

      SHA512

      0ccec655f813eca6ccea759be5e7e2569e4bdbedad3de9fbc8f7b4e7d9269ae50cbce5bbcd211456b0bc569203bffeaca09fa3f3076af71b653c2cc29cb830a3

      Download Submit

    • memory/592-53-0x0000000000400000-0x00000000004B1000-memory.dmp

      Filesize

      708KB

      Download

    • memory/592-20-0x0000000002330000-0x0000000002348000-memory.dmp

      Filesize

      96KB

      Download

    • memory/592-15-0x0000000000840000-0x0000000000940000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/592-19-0x0000000004BF0000-0x0000000005194000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/592-28-0x0000000002330000-0x0000000002342000-memory.dmp

      Filesize

      72KB

      Download

    • memory/592-48-0x0000000002330000-0x0000000002342000-memory.dmp

      Filesize

      72KB

      Download

    • memory/592-46-0x0000000002330000-0x0000000002342000-memory.dmp

      Filesize

      72KB

      Download

    • memory/592-44-0x0000000002330000-0x0000000002342000-memory.dmp

      Filesize

      72KB

      Download

    • memory/592-42-0x0000000002330000-0x0000000002342000-memory.dmp

      Filesize

      72KB

      Download

    • memory/592-40-0x0000000002330000-0x0000000002342000-memory.dmp

      Filesize

      72KB

      Download

    • memory/592-38-0x0000000002330000-0x0000000002342000-memory.dmp

      Filesize

      72KB

      Download

    • memory/592-36-0x0000000002330000-0x0000000002342000-memory.dmp

      Filesize

      72KB

      Download

    • memory/592-34-0x0000000002330000-0x0000000002342000-memory.dmp

      Filesize

      72KB

      Download

    • memory/592-32-0x0000000002330000-0x0000000002342000-memory.dmp

      Filesize

      72KB

      Download

    • memory/592-30-0x0000000002330000-0x0000000002342000-memory.dmp

      Filesize

      72KB

      Download

    • memory/592-17-0x0000000000400000-0x00000000004B1000-memory.dmp

      Filesize

      708KB

      Download

    • memory/592-26-0x0000000002330000-0x0000000002342000-memory.dmp

      Filesize

      72KB

      Download

    • memory/592-24-0x0000000002330000-0x0000000002342000-memory.dmp

      Filesize

      72KB

      Download

    • memory/592-22-0x0000000002330000-0x0000000002342000-memory.dmp

      Filesize

      72KB

      Download

    • memory/592-21-0x0000000002330000-0x0000000002342000-memory.dmp

      Filesize

      72KB

      Download

    • memory/592-49-0x0000000000840000-0x0000000000940000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/592-50-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/592-16-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/592-54-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/592-18-0x0000000002180000-0x000000000219A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3224-59-0x0000000004A90000-0x0000000004AD6000-memory.dmp

      Filesize

      280KB

      Download

    • memory/3224-90-0x00000000050C0000-0x00000000050FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3224-60-0x00000000050C0000-0x0000000005104000-memory.dmp

      Filesize

      272KB

      Download

    • memory/3224-92-0x00000000050C0000-0x00000000050FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3224-94-0x00000000050C0000-0x00000000050FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3224-86-0x00000000050C0000-0x00000000050FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3224-84-0x00000000050C0000-0x00000000050FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3224-68-0x00000000050C0000-0x00000000050FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3224-81-0x00000000050C0000-0x00000000050FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3224-78-0x00000000050C0000-0x00000000050FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3224-76-0x00000000050C0000-0x00000000050FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3224-971-0x0000000005A40000-0x0000000005A8C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3224-70-0x00000000050C0000-0x00000000050FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3224-72-0x00000000050C0000-0x00000000050FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3224-83-0x00000000050C0000-0x00000000050FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3224-66-0x00000000050C0000-0x00000000050FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3224-88-0x00000000050C0000-0x00000000050FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3224-64-0x00000000050C0000-0x00000000050FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3224-62-0x00000000050C0000-0x00000000050FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3224-61-0x00000000050C0000-0x00000000050FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3224-967-0x0000000005100000-0x0000000005718000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3224-968-0x0000000005790000-0x000000000589A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3224-969-0x00000000058D0000-0x00000000058E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3224-970-0x00000000058F0000-0x000000000592C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3224-75-0x00000000050C0000-0x00000000050FF000-memory.dmp

      Filesize

      252KB

      Download