Overview

overview

10

Static

static

3

682ae24523...47.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2024 13:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    682ae2452318234094cb4dd5c87a17175c7ef483fb1d03930ce446b107c25347.exe

  • Size

    673KB

  • MD5

    e10a45f596ab6d698ef0143725dac5c4

  • SHA1

    137e0899348fd1faf97e058599a470b7e0189db2

  • SHA256

    682ae2452318234094cb4dd5c87a17175c7ef483fb1d03930ce446b107c25347

  • SHA512

    fdf85e09d891cb82c24872db9f759131933b086e69a93f5ef79dbe9501bce8a1e8bb85a1830cf933214933366b0e33b382a5c25e407a28983c4b0ed20d6ea229

  • SSDEEP

    12288:bMruy90399+sJBPc4QX6Rud6SRc0Ij4ObuWtQ3RHiEzpgJW:ByUL+sv0VEdSRYj42ueACEzpx

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\682ae2452318234094cb4dd5c87a17175c7ef483fb1d03930ce446b107c25347.exe
    "C:\Users\Admin\AppData\Local\Temp\682ae2452318234094cb4dd5c87a17175c7ef483fb1d03930ce446b107c25347.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4568
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un212092.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un212092.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2592
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3858.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3858.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2680
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 1056
          4⤵
          • Program crash
          PID:452
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8035.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8035.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4056
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2680 -ip 2680
    1⤵
      PID:3820

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un212092.exe
      Filesize

      531KB

      MD5

      460cf90e9b64feed2461e2ea1ef2dc0d

      SHA1

      91b130b5d10ad74aa9ed8b32328a22af2ebc7560

      SHA256

      bfbdc3782669674973b4e65eccb42a455c5585e7d556c56c1c82c7bca224cc5f

      SHA512

      bdc47580685204e23e345e441aff1abbe79c16bdd8dc91f680eedb2c63acb67a23baa8e1cce68d39a22e60747408039fb107458264d6b8af13e5e19b153dca80

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3858.exe
      Filesize

      260KB

      MD5

      6c0b0b0679a70200d1db2a81c85e9f6c

      SHA1

      ae2018c9814dba033ab9ace64200517e82225690

      SHA256

      615682df933660bc71964ffad062a4702ad9f733c58106d88638b94e721b06ef

      SHA512

      0f776169f0b6ad1a05ac77ba7679bc048ce363a11a8bf19b78560effcaa9035c3bd3456b2af6990e7764097b5143cfdf3b7fac8e62eceec649f778dc5d30ea17

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8035.exe
      Filesize

      319KB

      MD5

      bdad838a9b25089dcc89b1c63855ee12

      SHA1

      9db832bfbc3f975aec9b8b608f0d4f40e4b0f351

      SHA256

      f73e9d7962f55916d29c008f8736151d42f2db34d4e04a988b001d60ab3a6c73

      SHA512

      b10b41d216447a09ea172eb0d6093b274990859b2ab858e85081f1eae2f5450b822686e270b55f3943a3c069e0e42adfedaf596ac94214126d4a2269bcb61fd9

      Download Submit

    • memory/2680-16-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2680-15-0x0000000000740000-0x0000000000840000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2680-17-0x0000000000400000-0x00000000004B1000-memory.dmp

      Filesize

      708KB

      Download

    • memory/2680-18-0x0000000000400000-0x00000000004B1000-memory.dmp

      Filesize

      708KB

      Download

    • memory/2680-19-0x0000000002520000-0x000000000253A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2680-20-0x0000000004C20000-0x00000000051C4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2680-21-0x0000000002700000-0x0000000002718000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2680-25-0x0000000002700000-0x0000000002712000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2680-49-0x0000000002700000-0x0000000002712000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2680-47-0x0000000002700000-0x0000000002712000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2680-45-0x0000000002700000-0x0000000002712000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2680-43-0x0000000002700000-0x0000000002712000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2680-41-0x0000000002700000-0x0000000002712000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2680-39-0x0000000002700000-0x0000000002712000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2680-37-0x0000000002700000-0x0000000002712000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2680-35-0x0000000002700000-0x0000000002712000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2680-33-0x0000000002700000-0x0000000002712000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2680-31-0x0000000002700000-0x0000000002712000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2680-29-0x0000000002700000-0x0000000002712000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2680-27-0x0000000002700000-0x0000000002712000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2680-23-0x0000000002700000-0x0000000002712000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2680-22-0x0000000002700000-0x0000000002712000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2680-50-0x0000000000740000-0x0000000000840000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2680-51-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2680-54-0x0000000000400000-0x00000000004B1000-memory.dmp

      Filesize

      708KB

      Download

    • memory/2680-55-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4056-60-0x00000000025C0000-0x0000000002606000-memory.dmp

      Filesize

      280KB

      Download

    • memory/4056-61-0x0000000004A90000-0x0000000004AD4000-memory.dmp

      Filesize

      272KB

      Download

    • memory/4056-65-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4056-63-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4056-62-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4056-71-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4056-95-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4056-93-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4056-91-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4056-89-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4056-87-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4056-83-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4056-81-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4056-79-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4056-77-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4056-75-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4056-69-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4056-67-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4056-85-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4056-74-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4056-968-0x0000000005160000-0x0000000005778000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4056-969-0x0000000005790000-0x000000000589A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4056-970-0x00000000058D0000-0x00000000058E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4056-971-0x00000000058F0000-0x000000000592C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4056-972-0x0000000005A40000-0x0000000005A8C000-memory.dmp

      Filesize

      304KB

      Download