Overview

overview

10

Static

static

3

b506728115...eN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-11-2024 05:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b506728115feaa9eba85f52e124917bd86333bab33b2df472183ddabec95244eN.exe

  • Size

    854KB

  • MD5

    6df0cd69ffb46c03fc27911146447060

  • SHA1

    270e9e10645a81447a52b76503901887c817416f

  • SHA256

    b506728115feaa9eba85f52e124917bd86333bab33b2df472183ddabec95244e

  • SHA512

    851f6e670fe693096cb545bfb45bce2b536173b3479d1d28ac85a8317b7b03a488922596a613fc34630b47c67c8db767eded044c7b034b0f8c955507c5ded655

  • SSDEEP

    12288:JMrMy90Ir2e6E0KqX++X92grkjCRq65wfADKcqC7pViKbCWD75hmZBKrH36A:hyPmE011NQjMqEKcqCtViwCc54ZBAz

Score
10/10
healerredlinegenadiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

gena

C2

193.233.20.30:4125

Attributes
  • auth_value

    93c20961cb6b06b2d5781c212db6201e

Signatures

  • Detects Healer an antivirus disabler dropper 19 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b506728115feaa9eba85f52e124917bd86333bab33b2df472183ddabec95244eN.exe
    "C:\Users\Admin\AppData\Local\Temp\b506728115feaa9eba85f52e124917bd86333bab33b2df472183ddabec95244eN.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1556.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1556.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4656
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8534.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8534.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3004
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mx1745fC.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mx1745fC.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1920
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns5010yu.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns5010yu.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3396
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 1076
            5⤵
            • Program crash
            PID:1184
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 1096
            5⤵
            • Program crash
            PID:3484
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\py04jb98.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\py04jb98.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4740
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3396 -ip 3396
    1⤵
      PID:4636
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3396 -ip 3396
      1⤵
        PID:3348

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1556.exe
        Filesize

        709KB

        MD5

        40b574a3be35caad7a2eb6cb8ae3eb00

        SHA1

        f3ecfc3aec2f110c1dbc3d81fa11c0921c336a50

        SHA256

        6ea6c44c988358b01652f10306ae5437174c2e8522a0dab7447d2bca9f6e571a

        SHA512

        aa9cb5dd06f65299b7d6d6ed76c26f7e4af706a5baf56e9741dff9c26e198125830ba57cb249ac4957251579535e53fffd5fc978751f3d0a1f42c53012d1b06c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\py04jb98.exe
        Filesize

        391KB

        MD5

        e9d75c3481006ac8f0bb93a77a8e5f6a

        SHA1

        b2f298ca2f89cfc80f3a27a42b982820e4e60830

        SHA256

        315de7624a037a226d4c3bbdab38852ebdf67b8598b7efe0403908e79a976370

        SHA512

        a05352aedbcfeca555d3321618b3adaff571d3d5fef80ff6013b67c2811a3bf86e34738f570f57ff5c75f3225b859fb5c2c05393893cd89ffeda74b4266ccf98

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8534.exe
        Filesize

        355KB

        MD5

        3c7a38721b4db734112e34e91e39e8df

        SHA1

        de4c9eb94335b95f9378e22d33017c24305e732c

        SHA256

        89872e3bc48c0bc1547b2aee757946fb69a15e3fbbc7e525f695a3c0a9f313cf

        SHA512

        b5d48233992e5a767079134fa0a045d527f8d1998a6f386a9a4550fef5b70b618ef7085305645ecb4381bc2cfada6f4c4c07521599f8d5c6083884b369721e1a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mx1745fC.exe
        Filesize

        11KB

        MD5

        7e93bacbbc33e6652e147e7fe07572a0

        SHA1

        421a7167da01c8da4dc4d5234ca3dd84e319e762

        SHA256

        850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

        SHA512

        250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns5010yu.exe
        Filesize

        333KB

        MD5

        252a3c260e0ba5ef6d47755ee50ee64b

        SHA1

        859d185c93412162dbe7568b3bb0fc3b63f87eda

        SHA256

        f9341f9f399ffc06f929f31cc6eaccb30cd2c6f983102134e92667e170485d48

        SHA512

        04f4c558746d04d6a958133fd7e9671d9806c1d9a09ed785c3ab4ff064e94d91c5940aa4327ba889d134620329b909aad2e794634299f5469e2dc734254b0ceb

        Download Submit

      • memory/1920-21-0x00007FFC0ED53000-0x00007FFC0ED55000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1920-22-0x00000000002F0000-0x00000000002FA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1920-23-0x00007FFC0ED53000-0x00007FFC0ED55000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3396-60-0x0000000000400000-0x0000000002B03000-memory.dmp

        Filesize

        39.0MB

        Download

      • memory/3396-31-0x00000000070B0000-0x00000000070C8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/3396-53-0x00000000070B0000-0x00000000070C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3396-59-0x00000000070B0000-0x00000000070C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3396-57-0x00000000070B0000-0x00000000070C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3396-55-0x00000000070B0000-0x00000000070C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3396-51-0x00000000070B0000-0x00000000070C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3396-50-0x00000000070B0000-0x00000000070C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3396-47-0x00000000070B0000-0x00000000070C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3396-45-0x00000000070B0000-0x00000000070C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3396-43-0x00000000070B0000-0x00000000070C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3396-41-0x00000000070B0000-0x00000000070C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3396-39-0x00000000070B0000-0x00000000070C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3396-37-0x00000000070B0000-0x00000000070C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3396-35-0x00000000070B0000-0x00000000070C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3396-33-0x00000000070B0000-0x00000000070C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3396-32-0x00000000070B0000-0x00000000070C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3396-30-0x00000000071C0000-0x0000000007764000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3396-29-0x0000000004BC0000-0x0000000004BDA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3396-62-0x0000000000400000-0x0000000002B03000-memory.dmp

        Filesize

        39.0MB

        Download

      • memory/4740-102-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4740-82-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4740-72-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4740-67-0x0000000004A00000-0x0000000004A46000-memory.dmp

        Filesize

        280KB

        Download

      • memory/4740-100-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4740-98-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4740-96-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4740-94-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4740-92-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4740-90-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4740-88-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4740-86-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4740-84-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4740-68-0x0000000004BB0000-0x0000000004BF4000-memory.dmp

        Filesize

        272KB

        Download

      • memory/4740-80-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4740-78-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4740-76-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4740-74-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4740-70-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4740-69-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4740-975-0x0000000007900000-0x0000000007F18000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/4740-976-0x0000000007230000-0x000000000733A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/4740-977-0x0000000007F30000-0x0000000007F42000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4740-978-0x0000000007F50000-0x0000000007F8C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/4740-979-0x00000000080A0000-0x00000000080EC000-memory.dmp

        Filesize

        304KB

        Download