Overview

overview

10

Static

static

3

ff480e7b7a...15.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-11-2024 16:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ff480e7b7a29e8722f19c552c052dec0cfc3e5461e97d717729da477554b7d15.exe

  • Size

    925KB

  • MD5

    b928b18dff599c5144770ea4fc35fb97

  • SHA1

    12d0a630a38280abaf191852c8d83970bc2357cb

  • SHA256

    ff480e7b7a29e8722f19c552c052dec0cfc3e5461e97d717729da477554b7d15

  • SHA512

    ffb9e8e9d001be4cb36573ef15e578db696f629fb58cf4096637d6995b2eff4b9f077a7c57bc9812ebd0063c57b2ff7c4695620f6d4161ad7999048fee0a267b

  • SSDEEP

    24576:fyKzGV+VnIGzoTKrpCcxPd+yrps8Ne4z:qKzpBIGzou1pxPde4

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ff480e7b7a29e8722f19c552c052dec0cfc3e5461e97d717729da477554b7d15.exe
    "C:\Users\Admin\AppData\Local\Temp\ff480e7b7a29e8722f19c552c052dec0cfc3e5461e97d717729da477554b7d15.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2612
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un665414.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un665414.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1944
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un723004.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un723004.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4556
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr633800.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr633800.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2084
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 1080
            5⤵
            • Program crash
            PID:3232
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu009756.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu009756.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1208
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2084 -ip 2084
    1⤵
      PID:2904

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un665414.exe
      Filesize

      661KB

      MD5

      47db0fdcce4e32e5281b484d43b80c4f

      SHA1

      1762352eb2c79276c701603c390858d9f7477218

      SHA256

      8e9601abf169325499432ecbae77690e5a31a7209ec76921284ea4fd7827329a

      SHA512

      df2f54e62dabcc90e77eb9d6c845ca008d6138e13b349a7154b54023318ad67a91c49f3cd3ca0d81b06bec740f0e3e1989ebc103db1b5c023326afe4e1ce42f3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un723004.exe
      Filesize

      518KB

      MD5

      c3fe6239e822fe5bb25ad82e1948a61b

      SHA1

      957f4c279dd4c66b8346cb44d08a7ce5ebe81a4f

      SHA256

      c7d601ce4299a275cd94c1bfee348e9c5216cb04c77a793aadaae4b3280b174a

      SHA512

      be61b87d5e59874fbf55c79fd084f3421992446fb01e7d92a4d362fd82c62cb4a32ea9f1772bb66fe35a6bd549b26fa49918aa4a75ab3790b114739c67a65137

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr633800.exe
      Filesize

      238KB

      MD5

      6a05adcc295bc1e3afb63b58aaf223b5

      SHA1

      934a99fd0d0a04154dc5c112ea7838780608ba83

      SHA256

      2ed1a88ba8a870eecb565be01a7a70e0fa0f40056d5dddff5191f20ab97444d3

      SHA512

      25e703491e2fe6ee9637cb1d600634c21910447eed1360564adc45c84cf84b574618393af9bef61827692f241111681cfa586f3c27ef6c6faf043bbe9d7aeb7d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu009756.exe
      Filesize

      297KB

      MD5

      37bbc1db41c46e795a491b4631bb4ad4

      SHA1

      ca5b7e71aed062e8d973fcfc2062f9f42d7414e7

      SHA256

      cda85bedff8208ad8e799a1deb9d194ba54812391d5feb8b2d7eaff745a771bb

      SHA512

      773ceb4a4dd8be41e5a123b0a241d4f2b49f5dde744f1256bbb2a518c3d426b423aaabd6d222fc8a4f98a572c6ce823d9c6f264b7a25cd7753d3db48642b84e0

      Download Submit

    • memory/1208-975-0x0000000005230000-0x0000000005848000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1208-82-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1208-976-0x00000000058D0000-0x00000000059DA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1208-978-0x0000000005A30000-0x0000000005A6C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1208-69-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1208-70-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1208-72-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1208-86-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1208-102-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1208-76-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1208-979-0x0000000005B80000-0x0000000005BCC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1208-78-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1208-80-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1208-977-0x0000000005A10000-0x0000000005A22000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1208-88-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1208-90-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1208-92-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1208-94-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1208-96-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1208-98-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1208-100-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1208-84-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1208-74-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1208-68-0x0000000004A90000-0x0000000004AD4000-memory.dmp

      Filesize

      272KB

      Download

    • memory/1208-67-0x00000000049E0000-0x0000000004A26000-memory.dmp

      Filesize

      280KB

      Download

    • memory/2084-49-0x0000000004A40000-0x0000000004A52000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2084-62-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2084-61-0x0000000000400000-0x00000000004AA000-memory.dmp

      Filesize

      680KB

      Download

    • memory/2084-59-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2084-58-0x0000000000400000-0x00000000004AA000-memory.dmp

      Filesize

      680KB

      Download

    • memory/2084-57-0x0000000000590000-0x00000000005BD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2084-56-0x0000000000600000-0x0000000000700000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2084-29-0x0000000004A40000-0x0000000004A52000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2084-44-0x0000000004A40000-0x0000000004A52000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2084-31-0x0000000004A40000-0x0000000004A52000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2084-33-0x0000000004A40000-0x0000000004A52000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2084-35-0x0000000004A40000-0x0000000004A52000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2084-37-0x0000000004A40000-0x0000000004A52000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2084-41-0x0000000004A40000-0x0000000004A52000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2084-45-0x0000000004A40000-0x0000000004A52000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2084-47-0x0000000004A40000-0x0000000004A52000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2084-51-0x0000000004A40000-0x0000000004A52000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2084-53-0x0000000004A40000-0x0000000004A52000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2084-55-0x0000000004A40000-0x0000000004A52000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2084-39-0x0000000004A40000-0x0000000004A52000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2084-28-0x0000000004A40000-0x0000000004A52000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2084-27-0x0000000004A40000-0x0000000004A58000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2084-26-0x0000000004A70000-0x0000000005014000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2084-25-0x00000000022B0000-0x00000000022CA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2084-24-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2084-23-0x0000000000590000-0x00000000005BD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2084-22-0x0000000000600000-0x0000000000700000-memory.dmp

      Filesize

      1024KB

      Download