Overview

overview

10

Static

static

3

e5980f9627...7b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/11/2024, 21:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e5980f9627c4722153d9b9332a4e59c61c7a3721ea635e375fa0f9374b87337b.exe

  • Size

    556KB

  • MD5

    d7c9fd0694d5819b0b582f073efede8b

  • SHA1

    7be630c65692f7a2a83ca293a7274293e6b7bf74

  • SHA256

    e5980f9627c4722153d9b9332a4e59c61c7a3721ea635e375fa0f9374b87337b

  • SHA512

    5a3b97c48521beaa274655019a6616331fb500098d0a04a1a0c7365bdc9c88bf2f82b1bdd0467ea140b271e53482720a1e0628d957e84f118a247b3f15776b5b

  • SSDEEP

    12288:rMr/y90kOUR48aeDTU3BzRFfwQgKdjoVFhq2q6R:My64vQB0YUdCg

Score
10/10
healerredlineruzhpediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

ruzhpe

C2

pepunn.com:4162

Attributes
  • auth_value

    f735ced96ae8d01d0bd1d514240e54e0

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e5980f9627c4722153d9b9332a4e59c61c7a3721ea635e375fa0f9374b87337b.exe
    "C:\Users\Admin\AppData\Local\Temp\e5980f9627c4722153d9b9332a4e59c61c7a3721ea635e375fa0f9374b87337b.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4332
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkxT1501yS.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkxT1501yS.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw53AL94pW98.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw53AL94pW98.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5036
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkHM12tg81Uj.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkHM12tg81Uj.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3392

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkxT1501yS.exe
    Filesize

    411KB

    MD5

    b9c8862da223c315f1456b55bc294d07

    SHA1

    273df9467248e7ebb04149fc621e0adeaa6f0db1

    SHA256

    6b9030d6877a10e5020bced33672f7070b820998817f4ff1a89e24f6ab118b1f

    SHA512

    cf4e3dbfa4442ce31f8b9420aeb1b8cbe5427c4ac4a4002ebb322e525dbd5dcc252010c33bb0aa96618166cc93ce1f663128528d6b1f7e64c7f5a3529e8dd7b8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw53AL94pW98.exe
    Filesize

    18KB

    MD5

    85b7aac0bd10332a201a79f9c720a343

    SHA1

    483d67a474975f097f6dca1a21bfdb5ed5d7fcd9

    SHA256

    ca15f35b1de5d2e5b613a06993bf040e259511f0ccf50aad7da1c82527395d8b

    SHA512

    ab65107a7f56659eb3c867dc43bb8e6adab193e78e5640065a66a66f011d740efbe33a73092001928319ce44929f1b9ec77f2276daca4e5bd304a18b8dd0455d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkHM12tg81Uj.exe
    Filesize

    410KB

    MD5

    97581d18424b6968bffda63f4e27c2b0

    SHA1

    501bc8daae8308a502ceae32244e79e55d2282c3

    SHA256

    99908812a3e7d39049e6a424c5eaed09d067384e8997d55ea8804be915a6df30

    SHA512

    bb82a81e022d658c76192e97266feec3731260ac514f7f0c12ee96a9a81c8947c7ac756969b3671c1eef648a69f3bb39ec0fb3fb4cd4d0de272d3f2aeec2b1ba

    Download Submit

  • memory/3392-64-0x00000000072F0000-0x000000000732E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3392-932-0x0000000007FF0000-0x00000000080FA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3392-26-0x00000000072F0000-0x000000000732E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3392-22-0x0000000007270000-0x00000000072B6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3392-23-0x00000000073F0000-0x0000000007994000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3392-24-0x00000000072F0000-0x0000000007334000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3392-25-0x00000000072F0000-0x000000000732E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3392-76-0x00000000072F0000-0x000000000732E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3392-88-0x00000000072F0000-0x000000000732E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3392-87-0x00000000072F0000-0x000000000732E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3392-84-0x00000000072F0000-0x000000000732E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3392-83-0x00000000072F0000-0x000000000732E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3392-80-0x00000000072F0000-0x000000000732E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3392-78-0x00000000072F0000-0x000000000732E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3392-74-0x00000000072F0000-0x000000000732E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3392-73-0x00000000072F0000-0x000000000732E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3392-70-0x00000000072F0000-0x000000000732E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3392-68-0x00000000072F0000-0x000000000732E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3392-67-0x00000000072F0000-0x000000000732E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3392-28-0x00000000072F0000-0x000000000732E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3392-56-0x00000000072F0000-0x000000000732E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3392-30-0x00000000072F0000-0x000000000732E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3392-60-0x00000000072F0000-0x000000000732E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3392-54-0x00000000072F0000-0x000000000732E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3392-52-0x00000000072F0000-0x000000000732E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3392-50-0x00000000072F0000-0x000000000732E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3392-48-0x00000000072F0000-0x000000000732E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3392-44-0x00000000072F0000-0x000000000732E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3392-43-0x00000000072F0000-0x000000000732E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3392-931-0x00000000079A0000-0x0000000007FB8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3392-933-0x0000000008130000-0x0000000008142000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3392-62-0x00000000072F0000-0x000000000732E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3392-934-0x0000000008150000-0x000000000818C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3392-40-0x00000000072F0000-0x000000000732E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3392-38-0x00000000072F0000-0x000000000732E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3392-58-0x00000000072F0000-0x000000000732E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3392-46-0x00000000072F0000-0x000000000732E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3392-36-0x00000000072F0000-0x000000000732E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3392-935-0x00000000082A0000-0x00000000082EC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3392-34-0x00000000072F0000-0x000000000732E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3392-32-0x00000000072F0000-0x000000000732E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5036-16-0x00007FFC27673000-0x00007FFC27675000-memory.dmp

    Filesize

    8KB

    Download

  • memory/5036-15-0x0000000000330000-0x000000000033A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5036-14-0x00007FFC27673000-0x00007FFC27675000-memory.dmp

    Filesize

    8KB

    Download