Overview

overview

10

Static

static

3

d47c8f91ec...13.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-03-2024 00:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d47c8f91ec2375996ef9a6247f30a70118425ea23afb06d9e87597292eb15f13.exe

  • Size

    693KB

  • MD5

    b9a1ee247b89fbbfe76c215073d96b4f

  • SHA1

    6117cb9a38775531f8a83d42c2c1328e8c1a6183

  • SHA256

    d47c8f91ec2375996ef9a6247f30a70118425ea23afb06d9e87597292eb15f13

  • SHA512

    bdee37b241dc4f0a496e483982d54810a60479c6ae39a67d5194de558b05f3f9ab611eff3a73d78bdfb89ef7569449b3845549feea89c291a6540656dcec3aae

  • SSDEEP

    12288:uMrHy90KdEfVhXaxZILGYumxTDBhCDpCGhHEdamOAY+x8KVe:5yPCVuxmxT73GhH0ue6

Score
10/10
healerredlineruzhpedropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

ruzhpe

C2

pepunn.com:4162

Attributes
  • auth_value

    f735ced96ae8d01d0bd1d514240e54e0

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 17 IoCs
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d47c8f91ec2375996ef9a6247f30a70118425ea23afb06d9e87597292eb15f13.exe
    "C:\Users\Admin\AppData\Local\Temp\d47c8f91ec2375996ef9a6247f30a70118425ea23afb06d9e87597292eb15f13.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:752
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycHp18qg86.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycHp18qg86.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3080
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urYK42Nf25.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urYK42Nf25.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3996
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 1092
          4⤵
          • Program crash
          PID:2132
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrUu38Th36.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrUu38Th36.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3944
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3996 -ip 3996
    1⤵
      PID:8

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycHp18qg86.exe
      Filesize

      548KB

      MD5

      a9ef8c3cc4d835a5b00f1ef67e432133

      SHA1

      41745259116a9fb2fc5e5b189bc43b2903f28c68

      SHA256

      9bd1bb7e0d6eb69b7eded8959cfdfb95b8391e9df02520a46c4a01f78e58dfb4

      SHA512

      a37902a1a4c35a3f5d250a66f6ece00ca83980bde41356c5a947ab4f3004e2d71182cfd1aacc067d8038e5ce5be4ed0252d18a860047dd61ff066cd5728f4015

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urYK42Nf25.exe
      Filesize

      352KB

      MD5

      6345b3da7da3d9a3012ba87a252a29f6

      SHA1

      a36f23e5d0802652705df132bce0a8589ff5e7bf

      SHA256

      caf994d14f8b0767df1e38508af9bb7816673aa0b6fc7fbf591a135e3173b7df

      SHA512

      3d82f717809ab81fa0fdb60d262af1547d12a69331b755d02ec94a250f4e25c5aa1adc910381e91bf4d9b32aa8f281f1252e5912068d0378461890a5893fae82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrUu38Th36.exe
      Filesize

      410KB

      MD5

      cc1e39c942634bbd04ef3eb880af3cb4

      SHA1

      390ee64e70074c204d8c7fc736e69b91940375bc

      SHA256

      98f330627fe244da794aa21cd74d45861fab6d06f9fedc1bcc02eaf434adacec

      SHA512

      f66cac5ccd3318e7c9baca955b64b22f9cb96693557dcf13a7e334878a0e3c2bc18f1757432b78b6c06c28c91881fb2436fc0641f6eb75a57167a4254cb470d2

      Download Submit

    • memory/3944-104-0x00000000077B0000-0x00000000077EE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3944-96-0x00000000077B0000-0x00000000077EE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3944-991-0x0000000004A50000-0x0000000004A60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3944-989-0x0000000004A50000-0x0000000004A60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3944-988-0x0000000073AD0000-0x0000000074280000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3944-987-0x0000000004A50000-0x0000000004A60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3944-986-0x0000000004A50000-0x0000000004A60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3944-985-0x0000000002DD0000-0x0000000002ED0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3944-982-0x00000000082A0000-0x00000000082EC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3944-981-0x0000000008150000-0x000000000818C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3944-979-0x0000000008130000-0x0000000008142000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3944-980-0x0000000004A50000-0x0000000004A60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3944-978-0x0000000007FF0000-0x00000000080FA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3944-66-0x00000000077B0000-0x00000000077F4000-memory.dmp

      Filesize

      272KB

      Download

    • memory/3944-977-0x0000000007950000-0x0000000007F68000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3944-88-0x00000000077B0000-0x00000000077EE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3944-90-0x00000000077B0000-0x00000000077EE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3944-92-0x00000000077B0000-0x00000000077EE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3944-94-0x00000000077B0000-0x00000000077EE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3944-72-0x00000000077B0000-0x00000000077EE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3944-98-0x00000000077B0000-0x00000000077EE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3944-102-0x00000000077B0000-0x00000000077EE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3944-100-0x00000000077B0000-0x00000000077EE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3944-86-0x00000000077B0000-0x00000000077EE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3944-67-0x00000000077B0000-0x00000000077EE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3944-84-0x00000000077B0000-0x00000000077EE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3944-82-0x00000000077B0000-0x00000000077EE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3944-74-0x0000000004A50000-0x0000000004A60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3944-80-0x00000000077B0000-0x00000000077EE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3944-79-0x0000000073AD0000-0x0000000074280000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3944-63-0x0000000002DD0000-0x0000000002ED0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3944-64-0x0000000004A10000-0x0000000004A56000-memory.dmp

      Filesize

      280KB

      Download

    • memory/3944-77-0x00000000077B0000-0x00000000077EE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3944-65-0x0000000002CB0000-0x0000000002CFB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3944-76-0x0000000004A50000-0x0000000004A60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3944-68-0x00000000077B0000-0x00000000077EE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3944-70-0x00000000077B0000-0x00000000077EE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3944-73-0x0000000000400000-0x0000000002BD4000-memory.dmp

      Filesize

      39.8MB

      Download

    • memory/3996-40-0x0000000007160000-0x0000000007172000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3996-53-0x0000000000400000-0x0000000002BC5000-memory.dmp

      Filesize

      39.8MB

      Download

    • memory/3996-30-0x0000000007160000-0x0000000007172000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3996-16-0x0000000002BD0000-0x0000000002BFD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/3996-58-0x0000000073AD0000-0x0000000074280000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3996-57-0x0000000002BD0000-0x0000000002BFD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/3996-56-0x0000000000400000-0x0000000002BC5000-memory.dmp

      Filesize

      39.8MB

      Download

    • memory/3996-55-0x0000000002E30000-0x0000000002F30000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3996-52-0x0000000007160000-0x0000000007172000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3996-50-0x0000000007160000-0x0000000007172000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3996-15-0x0000000002E30000-0x0000000002F30000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3996-46-0x0000000007160000-0x0000000007172000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3996-48-0x0000000007160000-0x0000000007172000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3996-44-0x0000000007160000-0x0000000007172000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3996-42-0x0000000007160000-0x0000000007172000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3996-17-0x0000000000400000-0x0000000002BC5000-memory.dmp

      Filesize

      39.8MB

      Download

    • memory/3996-38-0x0000000007160000-0x0000000007172000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3996-36-0x0000000007160000-0x0000000007172000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3996-34-0x0000000007160000-0x0000000007172000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3996-32-0x0000000007160000-0x0000000007172000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3996-28-0x0000000007160000-0x0000000007172000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3996-26-0x0000000007160000-0x0000000007172000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3996-25-0x0000000007160000-0x0000000007172000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3996-24-0x0000000007160000-0x0000000007178000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3996-23-0x00000000072D0000-0x0000000007874000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3996-21-0x00000000072C0000-0x00000000072D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3996-22-0x00000000072C0000-0x00000000072D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3996-20-0x0000000073AD0000-0x0000000074280000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3996-19-0x0000000004C80000-0x0000000004C9A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3996-18-0x00000000072C0000-0x00000000072D0000-memory.dmp

      Filesize

      64KB

      Download