Overview

overview

10

Static

static

3

ce5786bac6...c0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 16:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ce5786bac68207f603e950c81187003a0a5f31fcaff9c854bf90e949e2f5ecc0.exe

  • Size

    537KB

  • MD5

    421d5bbdbba98d6746ef056f45dbeef0

  • SHA1

    f3b5d681d1c3ce8de6df1a684c559532e08184a3

  • SHA256

    ce5786bac68207f603e950c81187003a0a5f31fcaff9c854bf90e949e2f5ecc0

  • SHA512

    d67c75cf186389951f347788704cfa70baa67d6cc26b9a87e43a970101d887aeba534c16f5bc2e2f6432bb1a598162c9bdcb624642c02e6417b9a0b0b0dc42bc

  • SSDEEP

    12288:IMruy90SkALP0Wvl5Ds2n6qT7zmUKEHEwLOzJfiPpqYS:2yJkALrDs2nPzmykw2iQf

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ce5786bac68207f603e950c81187003a0a5f31fcaff9c854bf90e949e2f5ecc0.exe
    "C:\Users\Admin\AppData\Local\Temp\ce5786bac68207f603e950c81187003a0a5f31fcaff9c854bf90e949e2f5ecc0.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4772
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilI1578.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilI1578.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3616
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr319118.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr319118.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4576
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku521352.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku521352.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4304

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilI1578.exe
    Filesize

    395KB

    MD5

    7bc10b95b14d5647c0e6776948852185

    SHA1

    305807e76ee6deb036fdcfdcf6ff5faf374f7100

    SHA256

    801ee5f2dcc3e87c4cc0ebf62d671cd89edf24595ea0232a37c9980bdee37427

    SHA512

    efbc20f941b8e9a78aa023a9f3dee582e8c2152366f27fd78e246c6071218d47066596dacf777ac4f4503717f32fc3c3ca35f83b58feac3cb470993448551689

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr319118.exe
    Filesize

    14KB

    MD5

    990d34105e99f4ef37d9c9128c0736a3

    SHA1

    69824786e70f737ffb6d5c965081f9b8126d82db

    SHA256

    fd4a1afa0d9fb42afbc6caed0965c11a67fac8199998c4e0f132ad5a10805b31

    SHA512

    777222da0f9e0bc5d91575cf92c4defd7129b99a1d9d1a7fd2aea0e63a0a84e55ba7634355f466f4d78c32265870dec46c59d66536033ade618bae78ecea8736

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku521352.exe
    Filesize

    352KB

    MD5

    68bac3f15b92314e8f0916acf51f8830

    SHA1

    bb6cbbb927f29d105a3014159e7c8b986738dd4f

    SHA256

    c8c4cb6443b89e96123d42adff685b6eae52c4352e4f4c6742249720043f9f05

    SHA512

    4bdd99d3fba0d559ca4cdecda453080246d5eba0963ce632f84ad0db4ba2c4ed55af51718b9997afab6ccf8b9d3b7d184673e9292a31a69e0a5be3b302aa644b

    Download Submit

  • memory/4304-66-0x0000000004E00000-0x0000000004E3F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4304-22-0x0000000002820000-0x0000000002866000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4304-935-0x0000000005D90000-0x0000000005DDC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4304-62-0x0000000004E00000-0x0000000004E3F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4304-23-0x0000000004E80000-0x0000000005424000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4304-24-0x0000000004E00000-0x0000000004E44000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4304-50-0x0000000004E00000-0x0000000004E3F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4304-48-0x0000000004E00000-0x0000000004E3F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4304-46-0x0000000004E00000-0x0000000004E3F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4304-88-0x0000000004E00000-0x0000000004E3F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4304-64-0x0000000004E00000-0x0000000004E3F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4304-82-0x0000000004E00000-0x0000000004E3F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4304-60-0x0000000004E00000-0x0000000004E3F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4304-78-0x0000000004E00000-0x0000000004E3F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4304-76-0x0000000004E00000-0x0000000004E3F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4304-75-0x0000000004E00000-0x0000000004E3F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4304-72-0x0000000004E00000-0x0000000004E3F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4304-70-0x0000000004E00000-0x0000000004E3F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4304-68-0x0000000004E00000-0x0000000004E3F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4304-934-0x0000000005D40000-0x0000000005D7C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4304-86-0x0000000004E00000-0x0000000004E3F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4304-933-0x0000000005C20000-0x0000000005C32000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4304-80-0x0000000004E00000-0x0000000004E3F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4304-58-0x0000000004E00000-0x0000000004E3F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4304-56-0x0000000004E00000-0x0000000004E3F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4304-54-0x0000000004E00000-0x0000000004E3F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4304-52-0x0000000004E00000-0x0000000004E3F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4304-44-0x0000000004E00000-0x0000000004E3F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4304-42-0x0000000004E00000-0x0000000004E3F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4304-40-0x0000000004E00000-0x0000000004E3F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4304-38-0x0000000004E00000-0x0000000004E3F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4304-36-0x0000000004E00000-0x0000000004E3F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4304-34-0x0000000004E00000-0x0000000004E3F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4304-32-0x0000000004E00000-0x0000000004E3F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4304-30-0x0000000004E00000-0x0000000004E3F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4304-28-0x0000000004E00000-0x0000000004E3F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4304-84-0x0000000004E00000-0x0000000004E3F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4304-26-0x0000000004E00000-0x0000000004E3F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4304-25-0x0000000004E00000-0x0000000004E3F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4304-931-0x0000000005440000-0x0000000005A58000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4304-932-0x0000000005AE0000-0x0000000005BEA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4576-16-0x00007FF93FEF3000-0x00007FF93FEF5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4576-14-0x00007FF93FEF3000-0x00007FF93FEF5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4576-15-0x0000000000CB0000-0x0000000000CBA000-memory.dmp

    Filesize

    40KB

    Download