Overview

overview

10

Static

static

3

15fd0930fc...d2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 13:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    15fd0930fc18e4f1ab69807406d7ab94a7901ec3005919b75bb4ddd5402a61d2.exe

  • Size

    537KB

  • MD5

    e23f39c917bb69508d92f21bcf80fcb4

  • SHA1

    a82ea37b384f3d675553c075c7a476cd09140a95

  • SHA256

    15fd0930fc18e4f1ab69807406d7ab94a7901ec3005919b75bb4ddd5402a61d2

  • SHA512

    a1b697cb217675f6b7043378cb69896c356576aa8724720400830e1bbab759fd3dd647ef023acb2900a74e28ee3072059b4535ff4546460dce9f93b3b5c6d723

  • SSDEEP

    12288:MMriy90IcljtxunVwftjdpOAQLoVo+78JXtth5T8ppV:eyfnVwfZvOSVB78Dth54pb

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\15fd0930fc18e4f1ab69807406d7ab94a7901ec3005919b75bb4ddd5402a61d2.exe
    "C:\Users\Admin\AppData\Local\Temp\15fd0930fc18e4f1ab69807406d7ab94a7901ec3005919b75bb4ddd5402a61d2.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:916
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieJ3205.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieJ3205.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3412
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr107743.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr107743.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3932
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku829518.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku829518.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2856

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieJ3205.exe
    Filesize

    383KB

    MD5

    589358cab897538e1854c700329d1be0

    SHA1

    c6706bd335001f672862e7121776717958c630c0

    SHA256

    0337a6e21cd91504f65f5f001e2b72acf65ef96a5ea12ba388d3397d4803132f

    SHA512

    431e777b88a5680f3c1c2d8b0153efe6606e43f8f00c920528a801e10dd917ec82d322d99191ba4abc3799eb4a1251d53bed46bd50d524fbba2d5462880f5109

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr107743.exe
    Filesize

    13KB

    MD5

    0232e18e6e7e0b675dbb91f97bab40d6

    SHA1

    2e8495217099a238bb0b41e5f383a4228b901edd

    SHA256

    0fcaa1b957c4c1f12ed3b8120364047b56e9a52885f288dc26b2632e5662392e

    SHA512

    136aac330d2bdc1496a2e2e2842055e5193df85f6b8fd44e5fc2767b8bbfe18f0e85f845460d3af759c6826f1ccff95e8a575c504ab6dd5891e8ac29d2b5f5e0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku829518.exe
    Filesize

    311KB

    MD5

    9cee62c5febc9ef6c9b0d847c9f4a08e

    SHA1

    a7992c252551f41c0167cd3b4bee1ec527a9b083

    SHA256

    20b05c58bb129a8a809ac65f700beb3686ee7b5e7daece753a27172806e993d9

    SHA512

    c8aa122c63c8d2c20a6dd88224af7c21d139cddf2c9062fe40e735ea58bb6faf682fc84a116c129f6a06cf5f2089d24ca535b8374aca323612047fddae54cf48

    Download Submit

  • memory/2856-62-0x00000000026A0000-0x00000000026DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2856-22-0x00000000024F0000-0x0000000002536000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2856-935-0x0000000005A40000-0x0000000005A8C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2856-58-0x00000000026A0000-0x00000000026DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2856-23-0x0000000004D10000-0x00000000052B4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2856-24-0x00000000026A0000-0x00000000026E4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2856-46-0x00000000026A0000-0x00000000026DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2856-86-0x00000000026A0000-0x00000000026DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2856-84-0x00000000026A0000-0x00000000026DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2856-82-0x00000000026A0000-0x00000000026DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2856-60-0x00000000026A0000-0x00000000026DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2856-78-0x00000000026A0000-0x00000000026DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2856-56-0x00000000026A0000-0x00000000026DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2856-74-0x00000000026A0000-0x00000000026DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2856-72-0x00000000026A0000-0x00000000026DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2856-70-0x00000000026A0000-0x00000000026DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2856-68-0x00000000026A0000-0x00000000026DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2856-66-0x00000000026A0000-0x00000000026DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2856-64-0x00000000026A0000-0x00000000026DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2856-934-0x0000000005900000-0x000000000593C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2856-80-0x00000000026A0000-0x00000000026DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2856-933-0x00000000058E0000-0x00000000058F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2856-76-0x00000000026A0000-0x00000000026DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2856-55-0x00000000026A0000-0x00000000026DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2856-52-0x00000000026A0000-0x00000000026DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2856-50-0x00000000026A0000-0x00000000026DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2856-48-0x00000000026A0000-0x00000000026DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2856-44-0x00000000026A0000-0x00000000026DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2856-42-0x00000000026A0000-0x00000000026DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2856-40-0x00000000026A0000-0x00000000026DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2856-38-0x00000000026A0000-0x00000000026DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2856-36-0x00000000026A0000-0x00000000026DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2856-34-0x00000000026A0000-0x00000000026DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2856-32-0x00000000026A0000-0x00000000026DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2856-88-0x00000000026A0000-0x00000000026DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2856-30-0x00000000026A0000-0x00000000026DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2856-28-0x00000000026A0000-0x00000000026DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2856-26-0x00000000026A0000-0x00000000026DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2856-25-0x00000000026A0000-0x00000000026DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2856-931-0x00000000052C0000-0x00000000058D8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2856-932-0x0000000004BB0000-0x0000000004CBA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3932-16-0x00007FFF4AF73000-0x00007FFF4AF75000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3932-14-0x00007FFF4AF73000-0x00007FFF4AF75000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3932-15-0x0000000000100000-0x000000000010A000-memory.dmp

    Filesize

    40KB

    Download