Overview

overview

10

Static

static

3

eb4dd8a4a0...25.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 09:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eb4dd8a4a06ab96fd9be8f622ac4de2a9f4e1de2105f34e7b6549772462de825.exe

  • Size

    479KB

  • MD5

    5a4bb8238f21bd51b31af8ab9128a3e3

  • SHA1

    153243ed7732b4fcef392acb1ea9e5942a4743eb

  • SHA256

    eb4dd8a4a06ab96fd9be8f622ac4de2a9f4e1de2105f34e7b6549772462de825

  • SHA512

    e554f234a93162b49ec69e7bd4aab182dfd6446d5aa647e007de7bc90c448d7b787093d8d544b3ff00795313e629fec5231a07f776e2bdfd78a19505e97c3f10

  • SSDEEP

    12288:CMr7y90u0RPB4Cn60D0g6wVHLpTX5215FDeDA2fd9:tyiZGC4wrpF21/ul9

Score
10/10
healerredlinedumuddiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes
  • auth_value

    3e18d4b90418aa3e78d8822e87c62f5c

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb4dd8a4a06ab96fd9be8f622ac4de2a9f4e1de2105f34e7b6549772462de825.exe
    "C:\Users\Admin\AppData\Local\Temp\eb4dd8a4a06ab96fd9be8f622ac4de2a9f4e1de2105f34e7b6549772462de825.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0815817.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0815817.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5080
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4252173.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4252173.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3740
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8388876.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8388876.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2668
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:1252

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0815817.exe
    Filesize

    307KB

    MD5

    4bbe63accd436959b2afdcb791952916

    SHA1

    8f09e701a9dedee95e114d5b09ebfd58a6edb378

    SHA256

    62407d7da8e9ca38e62ce3dc6b507347841999b48aec233e1c8e22bef4c18fed

    SHA512

    45a05ef4065b5ae97ec1e923ca1dba3fdad6f6cd777c0c09b11e3b04310085b24f755f85dccf56061ef9ecd0d1e4104955d5f0973c9fc7c226cf6dd934608473

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4252173.exe
    Filesize

    180KB

    MD5

    435148b4346484d53a35a9987135f461

    SHA1

    e830737970a3aaeb7d197b6d94e4e64eb3f2dae1

    SHA256

    c5b6ada5ab5471fc637917763edaf13a81cf83c458eb399a393a5431e99bb313

    SHA512

    1534bdb7e4c927d8419d46668289300b4b6c94b33a1d2676f40d17dc38c0a519af59fc4c9db0ed4337dc1853a43d49f3429c6d74cc5961dbc3ecdaf895ecf8fc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8388876.exe
    Filesize

    168KB

    MD5

    45f95395787e10549c0422ffd59b2cd9

    SHA1

    61de26f1eb0f6e57da4f49927b728ae6d41f81a5

    SHA256

    5f6ea48ddea95ef621a2fea926a88202eaebe14615e138ea8f6f1950a669ebb2

    SHA512

    92b286a0adc0821e40fc02ad683c4bfb32ceb340a9ff08a7fd469ffe4a8ae14332383bf4649fe758fd9b1cb12e91818f315388c9b16dfb0c7f895fb64c72cc84

    Download Submit

  • memory/2668-62-0x0000000002C90000-0x0000000002CDC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2668-61-0x000000000A8F0000-0x000000000A92C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2668-60-0x000000000A890000-0x000000000A8A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2668-59-0x000000000A960000-0x000000000AA6A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2668-58-0x000000000ADE0000-0x000000000B3F8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2668-57-0x0000000002E40000-0x0000000002E46000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2668-56-0x0000000000AF0000-0x0000000000B20000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3740-23-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3740-25-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3740-41-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3740-39-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3740-37-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3740-35-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3740-48-0x0000000074970000-0x0000000075120000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3740-21-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3740-20-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3740-33-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3740-31-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3740-29-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3740-27-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3740-45-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3740-49-0x000000007497E000-0x000000007497F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3740-50-0x0000000074970000-0x0000000075120000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3740-52-0x0000000074970000-0x0000000075120000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3740-47-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3740-43-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3740-19-0x0000000074970000-0x0000000075120000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3740-18-0x0000000004980000-0x0000000004998000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3740-17-0x0000000004AB0000-0x0000000005054000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3740-16-0x0000000074970000-0x0000000075120000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3740-15-0x0000000002230000-0x000000000224A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3740-14-0x000000007497E000-0x000000007497F000-memory.dmp

    Filesize

    4KB

    Download