Overview

overview

10

Static

static

3

ad8ea84a63...97.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 13:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ad8ea84a63a991448454305271e4f8c45cc9966d3f943b4bcc04389fdb43a897.exe

  • Size

    658KB

  • MD5

    77a50efa74789f8f58b49df3bc73e9a8

  • SHA1

    24f72b5c7602d9515494a70b97d58764d0694587

  • SHA256

    ad8ea84a63a991448454305271e4f8c45cc9966d3f943b4bcc04389fdb43a897

  • SHA512

    4dca0953a483fe47a064d4db4f1f5535ef90bb3bb5bc47e747b17c55c9d1435f9155eb5b0dfe6e94641effb5e0fc8b79d32efdcb502770c4832d8dafc46ce1f0

  • SSDEEP

    12288:+Mrjy90kL3tRaKKYbBRuAAkHRm559ohUme5UOEEfjpM0xERPgDlnomthXH/tJ:By1dRmwB44HRm5SPfOvjiPElnDHJ

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad8ea84a63a991448454305271e4f8c45cc9966d3f943b4bcc04389fdb43a897.exe
    "C:\Users\Admin\AppData\Local\Temp\ad8ea84a63a991448454305271e4f8c45cc9966d3f943b4bcc04389fdb43a897.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4640
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un609582.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un609582.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:64
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1997.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1997.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3932
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 1084
          4⤵
          • Program crash
          PID:4988
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7015.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7015.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2844
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3932 -ip 3932
    1⤵
      PID:2928

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un609582.exe
      Filesize

      516KB

      MD5

      426a3f0dd5122b23c5858119205cf7d0

      SHA1

      e0626ad2b1a6409ffbfe6576d9d79e578ca6128b

      SHA256

      4d5d16a4a40511084473b6763484b89f87b84101a7562bd76938b6514a4e007e

      SHA512

      d2964d3b46f992a0a77bd25184bfcce76000016e7319f61e58f1f40aac58796b69ef1e7730099a5bb220270497742acf6b723f16b372333bef7cac8c70e4723d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1997.exe
      Filesize

      236KB

      MD5

      2c46b23f6e60d09ad65379c8da54fa7c

      SHA1

      8e4e7f8cd4126467044fd50f1b740a1130504072

      SHA256

      ee837636a8be63f6ee234ba429bc220467fcfc33cc5a8b09cdc99782ba0e115c

      SHA512

      4e8f1ab884a83111139a4f442b48d5dbaa4527d98a74cad2371049aae1b75f89d49dd6d4181dcf201cc7646098f0abc411b07ce52f8330702b53178807512739

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7015.exe
      Filesize

      294KB

      MD5

      ab63df80897e1655e7a8dc33c0daefe3

      SHA1

      be11009952c9734503d47bcff6f4e3815792ceaa

      SHA256

      5e2b8a884e6bfbb189647e94812e81cb1bc2f68c011a71ce4b5594d019fadb78

      SHA512

      5acfbeae205710e67355395e63f27f2a46178143060acd8dc20638491162648599f66d445ce70d65cba74ea2b9de57a3778eec0b126267d14e143f3258d3fd35

      Download Submit

    • memory/2844-74-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-82-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-970-0x0000000005790000-0x000000000589A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2844-969-0x00000000050F0000-0x0000000005708000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2844-63-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-64-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-66-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-68-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-70-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-72-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-972-0x00000000058F0000-0x000000000592C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2844-973-0x0000000005A40000-0x0000000005A8C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2844-80-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-971-0x00000000058D0000-0x00000000058E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2844-84-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-86-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-88-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-90-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-92-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-94-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-96-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-76-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-78-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-62-0x0000000004AD0000-0x0000000004B14000-memory.dmp

      Filesize

      272KB

      Download

    • memory/2844-61-0x00000000025D0000-0x0000000002616000-memory.dmp

      Filesize

      280KB

      Download

    • memory/3932-42-0x0000000002560000-0x0000000002572000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3932-56-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3932-55-0x0000000000400000-0x00000000004AA000-memory.dmp

      Filesize

      680KB

      Download

    • memory/3932-52-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3932-51-0x0000000000610000-0x000000000063D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/3932-50-0x0000000000650000-0x0000000000750000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3932-22-0x0000000002560000-0x0000000002572000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3932-23-0x0000000002560000-0x0000000002572000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3932-49-0x0000000002560000-0x0000000002572000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3932-27-0x0000000002560000-0x0000000002572000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3932-29-0x0000000002560000-0x0000000002572000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3932-31-0x0000000002560000-0x0000000002572000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3932-33-0x0000000002560000-0x0000000002572000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3932-35-0x0000000002560000-0x0000000002572000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3932-37-0x0000000002560000-0x0000000002572000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3932-39-0x0000000002560000-0x0000000002572000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3932-44-0x0000000002560000-0x0000000002572000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3932-45-0x0000000002560000-0x0000000002572000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3932-47-0x0000000002560000-0x0000000002572000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3932-25-0x0000000002560000-0x0000000002572000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3932-21-0x0000000002560000-0x0000000002578000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3932-20-0x0000000004CE0000-0x0000000005284000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3932-19-0x0000000002280000-0x000000000229A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3932-18-0x0000000000400000-0x00000000004AA000-memory.dmp

      Filesize

      680KB

      Download

    • memory/3932-16-0x0000000000610000-0x000000000063D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/3932-17-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3932-15-0x0000000000650000-0x0000000000750000-memory.dmp

      Filesize

      1024KB

      Download