Overview

overview

10

Static

static

3

45ab7e88e4...8f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-11-2024 02:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    45ab7e88e4a85dc72106191a4706a5c164d078c0f7047faf14f42e93ef26e38f.exe

  • Size

    479KB

  • MD5

    47e959d62630b6ca063eb9b09d548278

  • SHA1

    efc1e73b2eac2919ed0f2b2bbd3279dae2d5db93

  • SHA256

    45ab7e88e4a85dc72106191a4706a5c164d078c0f7047faf14f42e93ef26e38f

  • SHA512

    969bb1ab650477feb85ab663db910f7d00717e5a7c045c84e6b56c7d41dd5ccd645a178c746b068971c62062b882b94730c8ee2b8cf5f2f7b5459a4c27564b8e

  • SSDEEP

    12288:4MrYy90A+aJgJJD5C4YwiBtIE+94NAMvN:wyhJgrVC4WKE+94NDvN

Score
10/10
healerredlinedumuddiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes
  • auth_value

    3e18d4b90418aa3e78d8822e87c62f5c

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\45ab7e88e4a85dc72106191a4706a5c164d078c0f7047faf14f42e93ef26e38f.exe
    "C:\Users\Admin\AppData\Local\Temp\45ab7e88e4a85dc72106191a4706a5c164d078c0f7047faf14f42e93ef26e38f.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:756
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2994458.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2994458.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2536
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8403840.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8403840.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4956
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0221131.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0221131.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1412

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2994458.exe
    Filesize

    307KB

    MD5

    1f08ee23c4cc58e52c0aef73936bde17

    SHA1

    03fa9e56bf9bef749c74bc409f29f8bd141a6bd8

    SHA256

    04af685cd5edeb5ba024b4e77aa95be52bd5935a1f87a1d4d501c6e3ba52254a

    SHA512

    af4afeb8d3dafce935a2a969a9ac7bda5ea617c6be5a5bcf494b2e676ea6833cb6c107907af4d76bdaece3c16971362f9aec7698e7db144cbddf48e05ae317c8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8403840.exe
    Filesize

    180KB

    MD5

    6a5ca788f75d12c583bbcb2f034eb880

    SHA1

    640984d426c7202feb0cf20070c87b2dc014be83

    SHA256

    0e1f7797b46c0c51c4bac3c8f94df1a8794834f040594d6f79f94f0061cf7670

    SHA512

    1e7c4f0f5f4559322779d1bf4ead16484c060c4d22a20204be478363afa1c79a28705ade5e124f5c66845a57a64afd803b0836180b0001744a7a837de7601f3b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0221131.exe
    Filesize

    168KB

    MD5

    833c767f93477b2d56c2b8947286e85c

    SHA1

    797eadac95f078123da3c220219619fbebeb704b

    SHA256

    184ef10a1588a308d0c01cbd2faee6e1b4478ad8d7ae0d25a4f3ad6b5aa54957

    SHA512

    e7b563353adeeff36f6cc68e5edb7fb49689394b21833f319ef43895d79d7a21da8f70d966474041ce210acd6b296024673983cb1a9b159a0262d230d69d4898

    Download Submit

  • memory/1412-62-0x0000000000710000-0x000000000075C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1412-61-0x0000000009F90000-0x0000000009FCC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1412-60-0x0000000009F30000-0x0000000009F42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1412-59-0x000000000A000000-0x000000000A10A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1412-58-0x000000000A4C0000-0x000000000AAD8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1412-57-0x0000000002350000-0x0000000002356000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1412-56-0x0000000000050000-0x0000000000080000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4956-32-0x0000000002550000-0x0000000002562000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4956-20-0x0000000002550000-0x0000000002562000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4956-38-0x0000000002550000-0x0000000002562000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4956-36-0x0000000002550000-0x0000000002562000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4956-34-0x0000000002550000-0x0000000002562000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4956-47-0x0000000073CF0000-0x00000000744A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4956-42-0x0000000002550000-0x0000000002562000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4956-30-0x0000000002550000-0x0000000002562000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4956-28-0x0000000002550000-0x0000000002562000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4956-26-0x0000000002550000-0x0000000002562000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4956-24-0x0000000002550000-0x0000000002562000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4956-22-0x0000000002550000-0x0000000002562000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4956-48-0x0000000073CF0000-0x00000000744A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4956-40-0x0000000002550000-0x0000000002562000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4956-49-0x0000000073CFE000-0x0000000073CFF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4956-50-0x0000000073CF0000-0x00000000744A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4956-52-0x0000000073CF0000-0x00000000744A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4956-19-0x0000000002550000-0x0000000002562000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4956-44-0x0000000002550000-0x0000000002562000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4956-46-0x0000000002550000-0x0000000002562000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4956-18-0x0000000002550000-0x0000000002568000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4956-17-0x0000000004AD0000-0x0000000005074000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4956-16-0x0000000073CF0000-0x00000000744A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4956-15-0x00000000024D0000-0x00000000024EA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4956-14-0x0000000073CFE000-0x0000000073CFF000-memory.dmp

    Filesize

    4KB

    Download