Overview

overview

10

Static

static

3

39ce1c128a...d5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/11/2024, 06:50 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    39ce1c128a0cac71345ccebc8a519f08ffe4ca61ef1cdcf41c162a9562766ed5.exe

  • Size

    470KB

  • MD5

    750deaae91e0a128f0c4023dd1a8c754

  • SHA1

    8d68148e4618a2b959d80dece49cb83d99eb7f27

  • SHA256

    39ce1c128a0cac71345ccebc8a519f08ffe4ca61ef1cdcf41c162a9562766ed5

  • SHA512

    0c09a838fd48191690e4a4a586ad37dd358122272d71e6967db4bf4099fb46695daca2515a9c555c29eed3a62c919d12fb6c1423e4a673d052bfc0312f4d73d1

  • SSDEEP

    12288:1y90n5IQXsfZeT2mFhiu+Jc/p9xmGdn+ZK:1yCuQtz3RL/yK

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\39ce1c128a0cac71345ccebc8a519f08ffe4ca61ef1cdcf41c162a9562766ed5.exe
    "C:\Users\Admin\AppData\Local\Temp\39ce1c128a0cac71345ccebc8a519f08ffe4ca61ef1cdcf41c162a9562766ed5.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1460
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\it586781.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\it586781.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4736
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr465971.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr465971.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4076

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    64.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    64.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    14.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 185.161.248.152:38452
    jr465971.exe
    260 B
     5
  • 185.161.248.152:38452
    jr465971.exe
    260 B
     5
  • 185.161.248.152:38452
    jr465971.exe
    260 B
     5
  • 185.161.248.152:38452
    jr465971.exe
    260 B
     5
  • 185.161.248.152:38452
    jr465971.exe
    260 B
     5
  • 185.161.248.152:38452
    jr465971.exe
    260 B
     5
  • 185.161.248.152:38452
    jr465971.exe
    208 B
     4
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
     159 B
     1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    64.159.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    64.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    14.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    14.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\it586781.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr465971.exe
    Filesize

    487KB

    MD5

    af86640b636e077f81cd464646692dfb

    SHA1

    509663109a3f89e6d2bbad8e3bd250dcb77ca71c

    SHA256

    0f0398c9110e144a59a68c7a18f8011c952fdd4d5755a50cbf5efc1cb78a0390

    SHA512

    c51e52dbc857f568af8a4f264e2230d59c30cbfa04dcd0b2abdad6c42f41bc5fa664fbb5b1d5d47a20182f72dbd6be1218c54fec667714292040cd3a5714b409

    Download Submit

  • memory/4076-15-0x00000000009F0000-0x0000000000AF0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/4076-17-0x0000000000400000-0x000000000081E000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/4076-16-0x0000000000400000-0x0000000000449000-memory.dmp

    Filesize

    292KB

    Download

  • memory/4076-18-0x0000000002650000-0x000000000268C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4076-19-0x0000000005110000-0x00000000056B4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4076-20-0x00000000029E0000-0x0000000002A1A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4076-22-0x00000000029E0000-0x0000000002A15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4076-28-0x00000000029E0000-0x0000000002A15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4076-84-0x00000000029E0000-0x0000000002A15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4076-82-0x00000000029E0000-0x0000000002A15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4076-80-0x00000000029E0000-0x0000000002A15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4076-78-0x00000000029E0000-0x0000000002A15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4076-76-0x00000000029E0000-0x0000000002A15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4076-74-0x00000000029E0000-0x0000000002A15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4076-72-0x00000000029E0000-0x0000000002A15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4076-70-0x00000000029E0000-0x0000000002A15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4076-68-0x00000000029E0000-0x0000000002A15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4076-66-0x00000000029E0000-0x0000000002A15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4076-64-0x00000000029E0000-0x0000000002A15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4076-62-0x00000000029E0000-0x0000000002A15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4076-60-0x00000000029E0000-0x0000000002A15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4076-56-0x00000000029E0000-0x0000000002A15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4076-54-0x00000000029E0000-0x0000000002A15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4076-52-0x00000000029E0000-0x0000000002A15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4076-50-0x00000000029E0000-0x0000000002A15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4076-48-0x00000000029E0000-0x0000000002A15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4076-46-0x00000000029E0000-0x0000000002A15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4076-44-0x00000000029E0000-0x0000000002A15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4076-42-0x00000000029E0000-0x0000000002A15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4076-40-0x00000000029E0000-0x0000000002A15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4076-38-0x00000000029E0000-0x0000000002A15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4076-36-0x00000000029E0000-0x0000000002A15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4076-32-0x00000000029E0000-0x0000000002A15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4076-30-0x00000000029E0000-0x0000000002A15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4076-26-0x00000000029E0000-0x0000000002A15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4076-24-0x00000000029E0000-0x0000000002A15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4076-58-0x00000000029E0000-0x0000000002A15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4076-34-0x00000000029E0000-0x0000000002A15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4076-21-0x00000000029E0000-0x0000000002A15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4076-813-0x0000000007A40000-0x0000000008058000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4076-814-0x00000000080E0000-0x00000000080F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4076-815-0x0000000008100000-0x000000000820A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4076-816-0x0000000008220000-0x000000000825C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4076-817-0x00000000026B0000-0x00000000026FC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4076-818-0x00000000009F0000-0x0000000000AF0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/4076-820-0x0000000000400000-0x0000000000449000-memory.dmp

    Filesize

    292KB

    Download

  • memory/4076-821-0x0000000000400000-0x000000000081E000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/4736-7-0x00007FFEE6793000-0x00007FFEE6795000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4736-8-0x0000000000C20000-0x0000000000C2A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4736-9-0x00007FFEE6793000-0x00007FFEE6795000-memory.dmp

    Filesize

    8KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.