Overview

overview

10

Static

static

3

a5e7ac0e97...02.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-11-2024 11:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a5e7ac0e97f3c00dbdac84bff297997d4dc41c57710c1e932c7eebfee7fefd02.exe

  • Size

    537KB

  • MD5

    9db2701211a9182af85bb3008541c488

  • SHA1

    d2157c97b37f3d02f1356277c96fcac1fa76353b

  • SHA256

    a5e7ac0e97f3c00dbdac84bff297997d4dc41c57710c1e932c7eebfee7fefd02

  • SHA512

    eb5e9a2292a4db12aa8d284851d30bccc986b5084d894a2fa8a70062142d6f58cf2a8bf4217ba726057915c5f421306550f92e02fd8d489d206dd06475c1e53b

  • SSDEEP

    12288:XMrky90pHABwB9GHxsDkIE5dHiPrU92HPwPcIT67UAYV0:7yyoT3CPrDvwEOAUAK0

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a5e7ac0e97f3c00dbdac84bff297997d4dc41c57710c1e932c7eebfee7fefd02.exe
    "C:\Users\Admin\AppData\Local\Temp\a5e7ac0e97f3c00dbdac84bff297997d4dc41c57710c1e932c7eebfee7fefd02.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4580
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziup4268.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziup4268.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr440964.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr440964.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3296
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku671262.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku671262.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1240

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziup4268.exe
    Filesize

    395KB

    MD5

    c5718b5542027232ea39b2c9753d0652

    SHA1

    41b408a485bcf069dba085ab8cad7a1e6c38474f

    SHA256

    2d40ffd5e0aee8c1173beb3e8850b7722c53c0bc30e7d434db025a367de6bd37

    SHA512

    9fea1faa451adef2b87631fed08198ec69b40f8c60682bc7e10ae7fa5a2c68b7b6785a942e3e3270d180f01d7aa935d3b8c51979c5afcf633fd105eda0e9f93f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr440964.exe
    Filesize

    14KB

    MD5

    f67c67dac1e8437abc78b55343a593a6

    SHA1

    c06ad86b64abb3608bb3d65cf3b58b82dbe62b9f

    SHA256

    644f81148a25c02469849735d32f1a75dc72e6671e9c44ce028f953857949bef

    SHA512

    4a9ce1d78010e4941fee0810734a0131b81a2e6639baa447aa0a45849eef0e9025db99e6edfca09f6f6b753b650461af91593d7b9137da7c121fb780acdea970

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku671262.exe
    Filesize

    352KB

    MD5

    ece2dc448e0c8cfeda88b1d80d3bdc9a

    SHA1

    1e82af807152e69360fa2c60bf29063ba3c8453e

    SHA256

    6ebe0a62fe49423bfb208340d2a01faec8c47b6ed9759c3d349639f6650e6901

    SHA512

    ea4461e2349295f29c451f73e822c279c6b3702ca697029ae2fa135aab1fbc767f5f4a151c02d37b256725d1c393d2d8f5e829205093e6fa7c4abb2f3104a1a2

    Download Submit

  • memory/1240-64-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1240-22-0x00000000027F0000-0x0000000002836000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1240-935-0x0000000005DA0000-0x0000000005DEC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1240-60-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1240-23-0x0000000005090000-0x0000000005634000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1240-24-0x0000000002AC0000-0x0000000002B04000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1240-30-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1240-38-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1240-88-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1240-86-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1240-62-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1240-82-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1240-56-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1240-76-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1240-74-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1240-72-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1240-70-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1240-68-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1240-66-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1240-934-0x0000000005C60000-0x0000000005C9C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1240-84-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1240-933-0x0000000005040000-0x0000000005052000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1240-80-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1240-54-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1240-52-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1240-51-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1240-48-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1240-46-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1240-44-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1240-42-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1240-40-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1240-36-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1240-34-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1240-32-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1240-28-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1240-78-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1240-58-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1240-26-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1240-25-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1240-931-0x0000000005640000-0x0000000005C58000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1240-932-0x0000000004F00000-0x000000000500A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3296-16-0x00007FF9748C3000-0x00007FF9748C5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3296-14-0x00007FF9748C3000-0x00007FF9748C5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3296-15-0x0000000000F90000-0x0000000000F9A000-memory.dmp

    Filesize

    40KB

    Download