Overview

overview

10

Static

static

3

256c15a088...c4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/11/2024, 23:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    256c15a088c7ce4f51ee7227efd60d78d411afb518d97ced9b21ee71bdb8c7c4.exe

  • Size

    696KB

  • MD5

    76c8b5ff24f8c9477f8696118c0a8a25

  • SHA1

    56f850594592f6ecf9dd93f344c3ff5be91193d2

  • SHA256

    256c15a088c7ce4f51ee7227efd60d78d411afb518d97ced9b21ee71bdb8c7c4

  • SHA512

    24418547efa642ffe03b192521da7e653d0a9e439c72bd887e2258349183946ffd32d1efaa5197d3bb995e32c67777ee3620a93720cec0f1f120522c23226f38

  • SSDEEP

    12288:9Mrhy90HHpLMNb0Bh40JH8CXIaDzHLkUc4O4twMCzYpVvA9ZYIHr4AtSC:YyUKNb8hdcqIOjhBwMNS9SI3d

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\256c15a088c7ce4f51ee7227efd60d78d411afb518d97ced9b21ee71bdb8c7c4.exe
    "C:\Users\Admin\AppData\Local\Temp\256c15a088c7ce4f51ee7227efd60d78d411afb518d97ced9b21ee71bdb8c7c4.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4600
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un401122.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un401122.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2376
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4081.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4081.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2372
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 1064
          4⤵
          • Program crash
          PID:4824
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8858.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8858.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:804
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2372 -ip 2372
    1⤵
      PID:2336

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un401122.exe
      Filesize

      554KB

      MD5

      830ab1b8a9222683fa4971102fed8cf5

      SHA1

      912f7f9ac7a4e0cc6b3eb54def29a3fd2892c1ac

      SHA256

      44a90b0b467485ab7f5668f3af12ed0f9c338ce13b460bbcefb9487f5206e14f

      SHA512

      88d01d9f2cefb3b01f3a7266dc13c36ddcdbb8e658160e4cd94f4dec8ea557d3cbd78945272825328bf730e97005648bbe4ec3419e28c820cfaf52b5758ce7ab

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4081.exe
      Filesize

      347KB

      MD5

      86ed77437089e9d7e4cef084bf095f8f

      SHA1

      06b5b118578049e24a4707f4c81a2c09a49d5f90

      SHA256

      bfc94a49633621bbd5d4e5a379b9def929a1cc9f79283d8fd72d0445313d193b

      SHA512

      2da8d9959b17da34ae026878efac0d7944ad212c9b39be95d9323db7e6bd090a63c676e5b6696c23206e585fe9958c6812512da53d8f421bfad4b9e81aa5b613

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8858.exe
      Filesize

      405KB

      MD5

      474136e2c4af38d9629e0a1c90df51dc

      SHA1

      32b744cc7f882ce7a7afe22da80018f4f0f69f36

      SHA256

      4e9aca9b59bf24d6106ebfff8ec3f27f7f4a7d75384cb8da0553723930fae25d

      SHA512

      2efaa27aed9ab381623423783f9909840117df738e98010223f1fc8ebdf79ce4b3b9064df3454ff9ec008c451c85808435fc3d16fc319505a427903943a2fc8d

      Download Submit

    • memory/804-75-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/804-79-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/804-969-0x0000000007E80000-0x0000000007F8A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/804-968-0x0000000007860000-0x0000000007E78000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/804-63-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/804-65-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/804-67-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/804-69-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/804-71-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/804-73-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/804-971-0x0000000007FD0000-0x000000000800C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/804-972-0x0000000008120000-0x000000000816C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/804-77-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/804-970-0x0000000007FB0000-0x0000000007FC2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/804-81-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/804-83-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/804-87-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/804-89-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/804-91-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/804-93-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/804-95-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/804-62-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/804-85-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/804-61-0x00000000071D0000-0x0000000007214000-memory.dmp

      Filesize

      272KB

      Download

    • memory/804-60-0x0000000004CA0000-0x0000000004CE6000-memory.dmp

      Filesize

      280KB

      Download

    • memory/2372-41-0x00000000047C0000-0x00000000047D2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2372-54-0x0000000000400000-0x0000000002B84000-memory.dmp

      Filesize

      39.5MB

      Download

    • memory/2372-55-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2372-51-0x0000000000400000-0x0000000002B84000-memory.dmp

      Filesize

      39.5MB

      Download

    • memory/2372-52-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2372-50-0x0000000002E70000-0x0000000002F70000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2372-49-0x0000000002C60000-0x0000000002C8D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2372-21-0x00000000047C0000-0x00000000047D2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2372-22-0x00000000047C0000-0x00000000047D2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2372-24-0x00000000047C0000-0x00000000047D2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2372-28-0x00000000047C0000-0x00000000047D2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2372-30-0x00000000047C0000-0x00000000047D2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2372-32-0x00000000047C0000-0x00000000047D2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2372-34-0x00000000047C0000-0x00000000047D2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2372-36-0x00000000047C0000-0x00000000047D2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2372-38-0x00000000047C0000-0x00000000047D2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2372-42-0x00000000047C0000-0x00000000047D2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2372-45-0x00000000047C0000-0x00000000047D2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2372-46-0x00000000047C0000-0x00000000047D2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2372-48-0x00000000047C0000-0x00000000047D2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2372-26-0x00000000047C0000-0x00000000047D2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2372-20-0x00000000047C0000-0x00000000047D8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2372-19-0x0000000007530000-0x0000000007AD4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2372-18-0x0000000004760000-0x000000000477A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2372-16-0x0000000002C60000-0x0000000002C8D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2372-17-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2372-15-0x0000000002E70000-0x0000000002F70000-memory.dmp

      Filesize

      1024KB

      Download