Overview

overview

10

Static

static

3

0d3b033a15...bb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-02-2025 06:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0d3b033a15d9a368347b297bc6a862068e9470e3a8c197f872bd72a0a96e7fbb.exe

  • Size

    1.1MB

  • MD5

    b404e91eff7eb9b216a03494053a0bfa

  • SHA1

    480ba1339cfcfbad098a6525497aa074bc3f2e76

  • SHA256

    0d3b033a15d9a368347b297bc6a862068e9470e3a8c197f872bd72a0a96e7fbb

  • SHA512

    ae964566cae2ab402e5f167a6481947225a05c33ed670dd87dbf89fe4f6862d28c66b687192a84b7033b8736655b42e915d87f167bed6521d9c71a1a34b5c776

  • SSDEEP

    24576:qy3aRODreGFblv3HrWCKfrmFDDcVqrYlqe0rxz3lY6tfQn:xcOneGdx8fypc4Wq5d3lztC

Score
10/10
healerredlineronamdefense_evasiondiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

ronam

C2

193.233.20.17:4139

Attributes
  • auth_value

    125421d19d14dd7fd211bc7f6d4aea6c

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    defense_evasiontrojan
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
    defense_evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Downloads MZ/PE file 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    defense_evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0d3b033a15d9a368347b297bc6a862068e9470e3a8c197f872bd72a0a96e7fbb.exe
    "C:\Users\Admin\AppData\Local\Temp\0d3b033a15d9a368347b297bc6a862068e9470e3a8c197f872bd72a0a96e7fbb.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1280
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nov07Vr.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nov07Vr.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4668
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nDc03cb.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nDc03cb.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:352
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nlP46nz.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nlP46nz.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1124
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aIb63VR.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aIb63VR.exe
            5⤵
            • Modifies Windows Defender DisableAntiSpyware settings
            • Modifies Windows Defender Real-time Protection settings
            • Modifies Windows Defender TamperProtection settings
            • Modifies Windows Defender notification settings
            • Executes dropped EXE
            • Windows security modification
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:876
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 1092
              6⤵
              • Program crash
              PID:1412
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bBh41Wa.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bBh41Wa.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:4952
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 876 -ip 876
    1⤵
      PID:1632
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NTlBRUNDOTctRjVDMS00NEUyLTlENjUtNjgxQzIxODU0QjYzfSIgdXNlcmlkPSJ7RTM0NUI1NDYtRkZDQi00MkM1LTk3N0ItOEI0MzM3MjFEQkI2fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QkIzOEEzNjAtQ0MzNi00QkVELUI3OUEtOTYxMDI1RkQ0MTE0fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI4IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5ODUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODQ0NDQzNjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTg0Njg4Mzc4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
      1⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      PID:6064

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nov07Vr.exe
      Filesize

      901KB

      MD5

      1fba0378b2f741a2fd9fd2bc867d7cc0

      SHA1

      510d7dacba53a102eb01706260867d9b9758ea9c

      SHA256

      e18be245f9491903cb80eac51ba0a0d81b30372245b4431947357c5a6786f266

      SHA512

      7018940d0669be21d0fee29822b37ad8f2dabf518c7f8554b389a7c3b8258ef3bf7747be22f8e268ab6e5ad12fae1ca2136938f2c08e71d446f095d70a14b7bd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nDc03cb.exe
      Filesize

      677KB

      MD5

      39d2e1172f8205f73241e7b417d0a451

      SHA1

      07348bf7a96650fa475d8c2116232806600c3660

      SHA256

      9a2587d4729a1b902b33c8ccac0f61362a8961f50d424b337ad96baa5fabecb8

      SHA512

      271604a3d753224db75a1ecf8281d711a6a629ca3957fd0f309242f7518cfcb882347b9e63bb797b05eac064e896df13afe491b96e07df6fc9153a7beef28116

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nlP46nz.exe
      Filesize

      532KB

      MD5

      a6fe63ab29ebab9e900e175f77481302

      SHA1

      ed6f5d86d5f4bcb5e756aba73cb41c8dd962cf2d

      SHA256

      e4fc063ddfbdbbb9546d4b02daf6eda96bb6ab6464ef815b0b2db7b2d7fe6b74

      SHA512

      ecbddc0048d77bea3898c45f0e2e6ed88483b51eedd2d7b955458f7a169e2f120157ac06ddf872011eac46360b4c66d09fe0899f2298dd21414b1bfe93dfa51b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aIb63VR.exe
      Filesize

      238KB

      MD5

      86d81e0d721ab4bf640cafdc2336bb2a

      SHA1

      51506af09040cc778064217c858538c94aec20e2

      SHA256

      34f018991916548011d27d3665625775fba6740157b4546d9ef867b566035dc4

      SHA512

      4637ae5f5ce2073ddda7231cc0ed4d802b550280fc60aed6e7401dc12973cbf9aeec93ef1afc234b826557293f35d7b7da470797cda2eccc31b9fa075117db4e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bBh41Wa.exe
      Filesize

      295KB

      MD5

      0c1547605d82f907188fbcc47f6d12ab

      SHA1

      1a1f1041be168dac7caadfc52e95ba998264cffc

      SHA256

      54bb6fe69892b3621e9f576880e0a202834a621c408f9da69c04c169039dfb9e

      SHA512

      e62e52a2afa4a4cc4fb99b6c52b34d669c80ffa781a902866b593741b3fcb182a58d25748464e3ca192e64af31c333b17e9c430af3d1a8e946513957d8555849

      Download Submit

    • memory/876-62-0x0000000000400000-0x000000000056C000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/876-59-0x00000000026E0000-0x00000000026F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/876-57-0x00000000026E0000-0x00000000026F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/876-60-0x0000000000400000-0x000000000056C000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/876-55-0x00000000026E0000-0x00000000026F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/876-53-0x00000000026E0000-0x00000000026F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/876-51-0x00000000026E0000-0x00000000026F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/876-49-0x00000000026E0000-0x00000000026F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/876-47-0x00000000026E0000-0x00000000026F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/876-43-0x00000000026E0000-0x00000000026F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/876-41-0x00000000026E0000-0x00000000026F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/876-39-0x00000000026E0000-0x00000000026F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/876-38-0x00000000026E0000-0x00000000026F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/876-35-0x00000000026E0000-0x00000000026F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/876-34-0x00000000026E0000-0x00000000026F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/876-32-0x00000000026E0000-0x00000000026F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/876-45-0x00000000026E0000-0x00000000026F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/876-31-0x00000000026E0000-0x00000000026F8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/876-30-0x0000000004D30000-0x00000000052D4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/876-29-0x0000000002390000-0x00000000023AA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4952-978-0x00000000059A0000-0x00000000059DC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4952-96-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4952-67-0x0000000004AC0000-0x0000000004B06000-memory.dmp

      Filesize

      280KB

      Download

    • memory/4952-80-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4952-78-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4952-76-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4952-74-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4952-98-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4952-72-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4952-70-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4952-69-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4952-102-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4952-100-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4952-68-0x0000000004B40000-0x0000000004B84000-memory.dmp

      Filesize

      272KB

      Download

    • memory/4952-94-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4952-92-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4952-90-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4952-88-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4952-86-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4952-84-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4952-975-0x00000000051A0000-0x00000000057B8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4952-976-0x0000000005840000-0x000000000594A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4952-977-0x0000000005980000-0x0000000005992000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4952-82-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4952-979-0x0000000005AF0000-0x0000000005B3C000-memory.dmp

      Filesize

      304KB

      Download