Overview

overview

10

Static

static

3

994c0a0768...b1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/11/2024, 10:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    994c0a0768edf7bc299b3ec9e3829f7cebfb90d64fff309f77908688126c8bb1.exe

  • Size

    874KB

  • MD5

    d2f344f1820986a887530ecc8023aeaa

  • SHA1

    6d0f4835effb6018b2f97bd630bb67a7eb7b77c8

  • SHA256

    994c0a0768edf7bc299b3ec9e3829f7cebfb90d64fff309f77908688126c8bb1

  • SHA512

    9358764dd014abb27b7caa173a1f8e5fed89a73e1aec0670c51a8c075ff8d1fdc63517d58e1c2804c395c47bcdb411bf2bd593c7e0b7cb82069909b0f7ba59e8

  • SSDEEP

    12288:MMrWy90F+FDnK+M0w8zcC+Fz+idL9/YR9PJvUnl7HpsngES1TQRD0CaX6r7bU:qyhdC9Cq+M1YbJKhH0PZagnU

Score
10/10
healerredlinemangodiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

mango

C2

193.233.20.28:4125

Attributes
  • auth_value

    ecf79d7f5227d998a3501c972d915d23

Signatures

  • Detects Healer an antivirus disabler dropper 19 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\994c0a0768edf7bc299b3ec9e3829f7cebfb90d64fff309f77908688126c8bb1.exe
    "C:\Users\Admin\AppData\Local\Temp\994c0a0768edf7bc299b3ec9e3829f7cebfb90d64fff309f77908688126c8bb1.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2888
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice6076.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice6076.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice1618.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice1618.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4592
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2490jF.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2490jF.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3340
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c76zz35.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c76zz35.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:760
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 1084
            5⤵
            • Program crash
            PID:3520
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dOgSO94.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dOgSO94.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:5092
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 760 -ip 760
    1⤵
      PID:4452

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice6076.exe
      Filesize

      729KB

      MD5

      cf3456219b23fa3e9a0c2896d3e8eb57

      SHA1

      7e8c2e7f2b598252170717c1ff5e245c1301d4f9

      SHA256

      65d02714dd7979473a641f2bce16574304bf320dada7c7788e34011a9657ec3b

      SHA512

      253e10f5577627a055f4f9c1fdad8cbe0fb34e586949e98e0d21110c12209abc125763cd66d3f50072eac4c7ad8ac22432d1fd5d2501994b0c8fc2cbcdc69f27

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dOgSO94.exe
      Filesize

      408KB

      MD5

      0255d116cbe83a3036e6147972615c31

      SHA1

      4531828aacf5d06825a8c2a7983273f437cf7077

      SHA256

      53f7b83b7e4740210b7a0c3d1a616c2bbdfcd320bf3fd3625a1e30d03fcc598e

      SHA512

      e753497c6c83f0f30f97c1e58de10abc9d30d84095e0033c96eec0e5fba89f4fe9c058274799344b8de9b056bccb80083b635fe69c6ed66d5daa1c241fcf2e21

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice1618.exe
      Filesize

      365KB

      MD5

      5af4adad3f1495e4632a9c948888d2ff

      SHA1

      7215b67a11334a45f59d4fb9f326432a3d66ba1c

      SHA256

      ca51c486f0d0ab521038e8b3c692db77246e8ca1f9f6dc7ed91eb1ca6e3fba8e

      SHA512

      f7bf1a398933f57f5e97bb4fcf09b5bc06eb03125a57d04de89fda4222c23c4fe8de0c9448c31cebaa14d0ae1ce07ae9255153e27e4592405fad13fc02566ed4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2490jF.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c76zz35.exe
      Filesize

      350KB

      MD5

      778a647adf93d4a6a4478103f621eb7c

      SHA1

      665bf8c700bae876bdb6f9c783edbb06c6d66019

      SHA256

      5eb426ca34487f4c68cdeac42b9589f316c8d4273b351f46340e0efb67c8b9c8

      SHA512

      9a1a67df6d444e20e5fc7e230a205b68d052566a610955099ca848f5bc592f5b8c39b868f5a8051952023d9b464c60f892a172461bb5c315caf033b051e1ea06

      Download Submit

    • memory/760-60-0x0000000000400000-0x0000000002B1B000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/760-53-0x0000000004C60000-0x0000000004C72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/760-29-0x0000000004BD0000-0x0000000004BEA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/760-30-0x0000000007380000-0x0000000007924000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/760-31-0x0000000004C60000-0x0000000004C78000-memory.dmp

      Filesize

      96KB

      Download

    • memory/760-32-0x0000000004C60000-0x0000000004C72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/760-37-0x0000000004C60000-0x0000000004C72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/760-59-0x0000000004C60000-0x0000000004C72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/760-57-0x0000000004C60000-0x0000000004C72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/760-55-0x0000000004C60000-0x0000000004C72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/760-62-0x0000000000400000-0x0000000002B1B000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/760-51-0x0000000004C60000-0x0000000004C72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/760-49-0x0000000004C60000-0x0000000004C72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/760-47-0x0000000004C60000-0x0000000004C72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/760-45-0x0000000004C60000-0x0000000004C72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/760-44-0x0000000004C60000-0x0000000004C72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/760-41-0x0000000004C60000-0x0000000004C72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/760-39-0x0000000004C60000-0x0000000004C72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/760-35-0x0000000004C60000-0x0000000004C72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/760-33-0x0000000004C60000-0x0000000004C72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3340-22-0x0000000000B70000-0x0000000000B7A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3340-21-0x00007FFFC1363000-0x00007FFFC1365000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3340-23-0x00007FFFC1363000-0x00007FFFC1365000-memory.dmp

      Filesize

      8KB

      Download

    • memory/5092-92-0x0000000007710000-0x000000000774E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5092-98-0x0000000007710000-0x000000000774E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5092-96-0x0000000007710000-0x000000000774E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5092-82-0x0000000007710000-0x000000000774E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5092-80-0x0000000007710000-0x000000000774E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5092-78-0x0000000007710000-0x000000000774E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5092-76-0x0000000007710000-0x000000000774E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5092-74-0x0000000007710000-0x000000000774E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5092-72-0x0000000007710000-0x000000000774E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5092-70-0x0000000007710000-0x000000000774E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5092-67-0x0000000004B20000-0x0000000004B66000-memory.dmp

      Filesize

      280KB

      Download

    • memory/5092-100-0x0000000007710000-0x000000000774E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5092-69-0x0000000007710000-0x000000000774E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5092-68-0x0000000007710000-0x0000000007754000-memory.dmp

      Filesize

      272KB

      Download

    • memory/5092-94-0x0000000007710000-0x000000000774E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5092-102-0x0000000007710000-0x000000000774E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5092-90-0x0000000007710000-0x000000000774E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5092-88-0x0000000007710000-0x000000000774E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5092-86-0x0000000007710000-0x000000000774E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5092-84-0x0000000007710000-0x000000000774E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5092-976-0x0000000007E00000-0x0000000007F0A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/5092-975-0x0000000007760000-0x0000000007D78000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/5092-977-0x0000000007F40000-0x0000000007F52000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5092-978-0x0000000007F60000-0x0000000007F9C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/5092-979-0x00000000080B0000-0x00000000080FC000-memory.dmp

      Filesize

      304KB

      Download