Overview

overview

10

Static

static

3

071ed35249...be.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 06:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    071ed352499c4a26cd9fdcb88109fc793dc344b0a40c4ffcff68c1827a0b70be.exe

  • Size

    479KB

  • MD5

    f4b047e2db05081cac8df2c537c7bfc4

  • SHA1

    bd8d4ddb27924ef46d205bc5f4ca0fab8b630a4a

  • SHA256

    071ed352499c4a26cd9fdcb88109fc793dc344b0a40c4ffcff68c1827a0b70be

  • SHA512

    35fda82eebcff71c97196fff84c51491f1e898017c33bdca826eb52cb8e28422570846b630e20448917f79196ca7acaba9b04c458714d2a0d27547de98eddb3e

  • SSDEEP

    12288:4MrKy90Ydar55I0v8gcHuxzS7ij0g2w7/LlSenF6zFlrrljB:iyQzE1Ox6N2jlqplrrlV

Score
10/10
healerredlinedumuddiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes
  • auth_value

    3e18d4b90418aa3e78d8822e87c62f5c

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\071ed352499c4a26cd9fdcb88109fc793dc344b0a40c4ffcff68c1827a0b70be.exe
    "C:\Users\Admin\AppData\Local\Temp\071ed352499c4a26cd9fdcb88109fc793dc344b0a40c4ffcff68c1827a0b70be.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7384736.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7384736.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:436
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9700953.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9700953.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4740
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2775423.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2775423.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1972

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7384736.exe
    Filesize

    307KB

    MD5

    9a5502afe30c208c9915e7178e1b8a90

    SHA1

    f789b7671f223a0fc1d7aec65a0edd160412a229

    SHA256

    3dbb691f38de1cd1f590a6c4fc0e86ac97be2070f8348d593de0146f6960b771

    SHA512

    0801f557f1dfad0abe38ae3fc461b27233df70dbeee1fbc6481e6c50d18e56265b7340cff6af12f5ddbce825f6efd56f89bd3d6e370be6af4f03e75351cea21c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9700953.exe
    Filesize

    180KB

    MD5

    292a9ad6917126150a8672fbb1f08ee1

    SHA1

    a8b8777561fd52b0abd10a181d93d0d4618f59c6

    SHA256

    7861ec9d6beb4447295f6f2d76a2b788d3f0b8e0664180b5ac724d14b405013e

    SHA512

    cf35fa99d7181fe7b62ac02cbc5631e1b34560e3b601ac64f1fd04bfd577dde56b05769ac8f300639ccb4d9f0b3b8eac3ff4da51f55129ae80fd0ffbc600f486

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2775423.exe
    Filesize

    168KB

    MD5

    edf06d727f5baf8a0ae3feb6af1fbdb5

    SHA1

    7818b8862f8cd629e41be65f788a86e86a3d76b2

    SHA256

    b9ddce908a0e999bfd29985725c539bb5c15d600df8f4017d913e7523bd7047a

    SHA512

    eaeee6db4a49084fbfc0271c5de598fce626bcba50a7084f748f332a3282b2276a2254a7cdffc51ca9a702b47bcf9ab843ca4cae0a59aaa0edb14f366299f4b9

    Download Submit

  • memory/1972-62-0x0000000004CE0000-0x0000000004D2C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1972-61-0x000000000A9A0000-0x000000000A9DC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1972-60-0x000000000A940000-0x000000000A952000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1972-59-0x000000000AA10000-0x000000000AB1A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1972-58-0x000000000AEB0000-0x000000000B4C8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1972-57-0x0000000005240000-0x0000000005246000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1972-56-0x0000000000A60000-0x0000000000A90000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4740-31-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4740-45-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4740-39-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4740-37-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4740-35-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4740-33-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4740-48-0x0000000073BF0000-0x00000000743A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4740-29-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4740-27-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4740-25-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4740-23-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4740-20-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4740-47-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4740-41-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4740-49-0x0000000073BFE000-0x0000000073BFF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4740-50-0x0000000073BF0000-0x00000000743A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4740-52-0x0000000073BF0000-0x00000000743A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4740-43-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4740-21-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4740-19-0x0000000073BF0000-0x00000000743A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4740-18-0x0000000004AC0000-0x0000000004AD8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4740-17-0x0000000004B30000-0x00000000050D4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4740-16-0x0000000073BF0000-0x00000000743A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4740-15-0x00000000024B0000-0x00000000024CA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4740-14-0x0000000073BFE000-0x0000000073BFF000-memory.dmp

    Filesize

    4KB

    Download