Overview

overview

10

Static

static

3

369a676851...1N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    115s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250211-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-02-2025 22:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    369a67685110a9e2be70b8cf971dfa9a1819a3d27e79be93683387253f7a4bf1N.exe

  • Size

    538KB

  • MD5

    3dfc860ba9e9eaafe9aa0c4f1f38e430

  • SHA1

    f96cddc501784ab93e3288fd56dba0582cd99847

  • SHA256

    369a67685110a9e2be70b8cf971dfa9a1819a3d27e79be93683387253f7a4bf1

  • SHA512

    780f1726699919dacca91a19ed1663ca1d1d52299c480288554e119dd84ff07d686e4390ba9c3616c6c831e9836061627393ec9460997dd7e12e66750d2ecf58

  • SSDEEP

    12288:UMryy90wRszteluQwlVy++5yXqnZD9qtLs8sJ25e8:OyG85wlVyAXqZYW9ye8

Score
10/10
healerredlinefukiadefense_evasiondiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

fukia

C2

193.233.20.13:4136

Attributes
  • auth_value

    e5783636fbd9e4f0cf9a017bce02e67e

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    defense_evasiontrojan
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
    defense_evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Downloads MZ/PE file 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    defense_evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\369a67685110a9e2be70b8cf971dfa9a1819a3d27e79be93683387253f7a4bf1N.exe
    "C:\Users\Admin\AppData\Local\Temp\369a67685110a9e2be70b8cf971dfa9a1819a3d27e79be93683387253f7a4bf1N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sET23rC.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sET23rC.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1796
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iAa08KU.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iAa08KU.exe
        3⤵
        • Modifies Windows Defender DisableAntiSpyware settings
        • Modifies Windows Defender Real-time Protection settings
        • Modifies Windows Defender TamperProtection settings
        • Modifies Windows Defender notification settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:212
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kIS34Cp.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kIS34Cp.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3248
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NEFCNDJENzItN0JFMS00RjY1LUE5NkYtM0I2MDk5MDQxREU1fSIgdXNlcmlkPSJ7QTA1QzFDRjQtMEFDQy00QUFGLTlBODktOTA2MzkxQzA4QjdFfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7ODY5Q0Q5QzYtOEFDNi00MEM2LTg2QTEtQUZDNjcxNzgyNjQwfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMzNzEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDE5Mjc1MzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTUyNjYzNTU0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:3004

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sET23rC.exe
    Filesize

    202KB

    MD5

    a55c4197a2d71d5e909b5b87113411f7

    SHA1

    f60e6ba153a41bcff8f86c9b4d33bd817a5e9bb1

    SHA256

    9aca29d7397df24f2188f148a6a62992c9611b6b40515ad95898c4133808568f

    SHA512

    515504fe7da37eaf3ed4819f05153395f3fe1b70294251e7cf26798a3f0ed0a27bd360ebfc805cb17a2e9ae4f6354c6ebdf2e7c86fe97e3ebe0865258173bdc7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iAa08KU.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kIS34Cp.exe
    Filesize

    175KB

    MD5

    a5f5c5d6291c7ae9e1d1b7ed1e551490

    SHA1

    3d06413341893b838549939e15f8f1eec423d71a

    SHA256

    1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e

    SHA512

    d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2

    Download Submit

  • memory/212-15-0x00000000001A0000-0x00000000001AA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/212-14-0x00007FF93E183000-0x00007FF93E185000-memory.dmp

    Filesize

    8KB

    Download

  • memory/212-16-0x00007FF93E183000-0x00007FF93E185000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3248-21-0x0000000000B90000-0x0000000000BC2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3248-22-0x00000000059A0000-0x0000000005FB8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3248-23-0x0000000005520000-0x000000000562A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3248-24-0x0000000005450000-0x0000000005462000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3248-25-0x00000000054B0000-0x00000000054EC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3248-26-0x0000000005630000-0x000000000567C000-memory.dmp

    Filesize

    304KB

    Download