Overview

overview

10

Static

static

3

314e454332...6a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 16:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    314e4543322f9878edccc8553aed6967370f2661a9f12cbf6e477bdefa8f1c6a.exe

  • Size

    665KB

  • MD5

    91b9f5e5152ceb011fb28b84aaa25d19

  • SHA1

    fb2e657ee29a0d1ac5f6452d8719929b9d5e3537

  • SHA256

    314e4543322f9878edccc8553aed6967370f2661a9f12cbf6e477bdefa8f1c6a

  • SHA512

    1689e34d5769ae4346db0e55c88622e35aa063a78b007a7733f29ae719dd0ba65f3a0d032348702d0a911e21e2fde0209d8f660f2d9f42990b5dca36abfc13b3

  • SSDEEP

    12288:DMroy90AtK3oMVLZizoMEhFb9kEw+eN2JGveq/WpJA4otRN2bwf24LHgJHYU1o7:/yPMY+izoPFmV2JGWq+pJAbfN2L4EpW

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\314e4543322f9878edccc8553aed6967370f2661a9f12cbf6e477bdefa8f1c6a.exe
    "C:\Users\Admin\AppData\Local\Temp\314e4543322f9878edccc8553aed6967370f2661a9f12cbf6e477bdefa8f1c6a.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4736
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un650089.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un650089.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3548
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2791.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2791.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2116
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 1080
          4⤵
          • Program crash
          PID:968
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1111.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1111.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4984
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2116 -ip 2116
    1⤵
      PID:1632

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un650089.exe
      Filesize

      523KB

      MD5

      b7429bb54bfcb0df6ad94fc732666c97

      SHA1

      b34b93294d44ad86cf06c7a931f007dd0a99e69c

      SHA256

      b3d6f2c56ec3d3fa92faab89732f53c4b39808926491b1655d56ce00ee3f6016

      SHA512

      2e38637d52bcdecd76effefb07d55d73ce4773bdec6e78c7471244e5242358591640f3b6578a849b539a4a55f9efae85382d83fa5d8427a5f85a62250158c9e2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2791.exe
      Filesize

      294KB

      MD5

      e0aaec6635bc9350fa1088aa082ccdd5

      SHA1

      2d08d8a8d81a616fa153cb3cbd5692ddface33ab

      SHA256

      aaf82a518f3426ce61b1cd693f03b4bdc805a4f13d46a5183dfbf089569a5afe

      SHA512

      1436add336c7ea386a4dbb70330305584957ece196ee4efac34584a667cd734968a523428cbca02a95a7002b2b070673ab63570cff72fdff30a8924d2574e177

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1111.exe
      Filesize

      353KB

      MD5

      564d3c77da4b953bea991d4b3cd75345

      SHA1

      e62304d136ebf13b469f6991535d593c1b0085bb

      SHA256

      4486d0cdd95a67ae4899776aed97cdaa0dbe654ac59350ac1df5f70bb1fe8627

      SHA512

      8f61d80203a66cdce63136699402ad1538295465611e07fbfb77bfb7b256230ce211d4a7c19204ab1c10c0ebf3d1ba1d55d6f921fb3234db30762a5c626cd78e

      Download Submit

    • memory/2116-15-0x00000000009B0000-0x0000000000AB0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2116-16-0x0000000002450000-0x000000000247D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2116-17-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2116-18-0x0000000000400000-0x00000000007FE000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2116-19-0x0000000002520000-0x000000000253A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2116-20-0x0000000004F40000-0x00000000054E4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2116-21-0x0000000004DC0000-0x0000000004DD8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2116-49-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2116-47-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2116-45-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2116-43-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2116-41-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2116-39-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2116-37-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2116-35-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2116-33-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2116-31-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2116-29-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2116-27-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2116-25-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2116-23-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2116-22-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2116-50-0x00000000009B0000-0x0000000000AB0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2116-51-0x0000000002450000-0x000000000247D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2116-52-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2116-56-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2116-55-0x0000000000400000-0x00000000007FE000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4984-61-0x0000000004D30000-0x0000000004D76000-memory.dmp

      Filesize

      280KB

      Download

    • memory/4984-62-0x00000000053D0000-0x0000000005414000-memory.dmp

      Filesize

      272KB

      Download

    • memory/4984-66-0x00000000053D0000-0x000000000540F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4984-76-0x00000000053D0000-0x000000000540F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4984-96-0x00000000053D0000-0x000000000540F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4984-94-0x00000000053D0000-0x000000000540F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4984-92-0x00000000053D0000-0x000000000540F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4984-90-0x00000000053D0000-0x000000000540F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4984-88-0x00000000053D0000-0x000000000540F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4984-86-0x00000000053D0000-0x000000000540F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4984-82-0x00000000053D0000-0x000000000540F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4984-80-0x00000000053D0000-0x000000000540F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4984-78-0x00000000053D0000-0x000000000540F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4984-74-0x00000000053D0000-0x000000000540F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4984-72-0x00000000053D0000-0x000000000540F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4984-70-0x00000000053D0000-0x000000000540F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4984-68-0x00000000053D0000-0x000000000540F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4984-84-0x00000000053D0000-0x000000000540F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4984-64-0x00000000053D0000-0x000000000540F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4984-63-0x00000000053D0000-0x000000000540F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4984-969-0x0000000005440000-0x0000000005A58000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4984-970-0x0000000005AE0000-0x0000000005BEA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4984-971-0x0000000005C20000-0x0000000005C32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4984-972-0x0000000005C40000-0x0000000005C7C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4984-973-0x0000000005D90000-0x0000000005DDC000-memory.dmp

      Filesize

      304KB

      Download