Overview

overview

10

Static

static

3

1e86aefe2d...ee.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/11/2024, 05:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1e86aefe2d798294ac3865ea53b1dad5dd8d7768c61d444b4bc7b25e14b0efee.exe

  • Size

    385KB

  • MD5

    082aa5c6928b8fa521247a98322f3a79

  • SHA1

    134ce7b7a867e64f6e9eef5c0c2d36c16bed5cd4

  • SHA256

    1e86aefe2d798294ac3865ea53b1dad5dd8d7768c61d444b4bc7b25e14b0efee

  • SHA512

    bbefeee548fa2cb6c05014bde490be9f35505c6b2aeb92d39e3d6235615394ae725b6abe4b0c11edd91d4d9077ef8fcbe34ebb89bdac7cef60c71cb04c68f0e9

  • SSDEEP

    6144:KZy+bnr+Rp0yN90QE9PtBbHBZaaj/cwQc4VsbzTEIowF1ikpi1X0LANh:PMr1y90jtBLBt/cwlsWzTEItpi1X0M

Score
10/10
healerredlinemangodiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

mango

C2

193.233.20.28:4125

Attributes
  • auth_value

    ecf79d7f5227d998a3501c972d915d23

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e86aefe2d798294ac3865ea53b1dad5dd8d7768c61d444b4bc7b25e14b0efee.exe
    "C:\Users\Admin\AppData\Local\Temp\1e86aefe2d798294ac3865ea53b1dad5dd8d7768c61d444b4bc7b25e14b0efee.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3280
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9500EL.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9500EL.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2504
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t81oN33.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t81oN33.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2520

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9500EL.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t81oN33.exe
    Filesize

    296KB

    MD5

    7fb9217f2d4056f5d597eb126f92f780

    SHA1

    1123de12fdc1ee71328412d7660984c11d13aaf8

    SHA256

    ca2e28ee7e793e7748701bb3875d0e11fe24a1aacb9b3cdc1865c890423f51ae

    SHA512

    5565fa58e24c82326285768c3fe1b261868fdf22736cf04dda0dc947beb1f7780d127104113210c4e0d259b7c51e75963062b6c648087da3cd9fcf24b803cd92

    Download Submit

  • memory/2504-7-0x00007FFEF6A63000-0x00007FFEF6A65000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2504-8-0x0000000000E20000-0x0000000000E2A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2504-9-0x00007FFEF6A63000-0x00007FFEF6A65000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2520-15-0x0000000000510000-0x0000000000610000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2520-16-0x0000000000720000-0x000000000076B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2520-17-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/2520-18-0x00000000024B0000-0x00000000024F6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2520-19-0x0000000004B90000-0x0000000005134000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2520-20-0x0000000004AE0000-0x0000000004B24000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2520-32-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2520-30-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2520-84-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2520-82-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2520-80-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2520-78-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2520-76-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2520-72-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2520-70-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2520-68-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2520-66-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2520-64-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2520-62-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2520-60-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2520-58-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2520-56-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2520-54-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2520-50-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2520-48-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2520-46-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2520-44-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2520-42-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2520-40-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2520-38-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2520-36-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2520-34-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2520-28-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2520-27-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2520-74-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2520-52-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2520-24-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2520-22-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2520-21-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2520-927-0x0000000005140000-0x0000000005758000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2520-928-0x0000000005760000-0x000000000586A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2520-929-0x0000000005880000-0x0000000005892000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2520-930-0x00000000058A0000-0x00000000058DC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2520-931-0x00000000059F0000-0x0000000005A3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2520-932-0x0000000000510000-0x0000000000610000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2520-933-0x0000000000720000-0x000000000076B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2520-935-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download