Overview

overview

10

Static

static

3

e32a929f31...5d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 02:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e32a929f314eafc503a5e9f03732b514ea9ac76e0841d1c403cef54c565fd75d.exe

  • Size

    662KB

  • MD5

    36d1a4ff3c56fc05a292ddbe6e3c7381

  • SHA1

    2a59cb69ebf1316a1c1a4e5b7609a8670cc9b5ac

  • SHA256

    e32a929f314eafc503a5e9f03732b514ea9ac76e0841d1c403cef54c565fd75d

  • SHA512

    d81e33325fd5a46b828668d65e1af1e57af422c5398b18863aed5ccd54a692dc86573fa0e2af990e926299b9b7a969088baefe49a2c47ec8424ea3a175267a59

  • SSDEEP

    12288:PMryy90yyQfEPgH6VqPpxVyr8YAQjwK6IPu33B8oVe2qtd8HDVHNJG:pyN3wGpxVyIY/jwKMqoVe2qtdo5HNw

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e32a929f314eafc503a5e9f03732b514ea9ac76e0841d1c403cef54c565fd75d.exe
    "C:\Users\Admin\AppData\Local\Temp\e32a929f314eafc503a5e9f03732b514ea9ac76e0841d1c403cef54c565fd75d.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un782490.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un782490.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3944
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8348.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8348.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5096
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4790.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4790.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2280
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:1672

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un782490.exe
    Filesize

    520KB

    MD5

    dddb7fbfe17131f4429ce3a3d91fe0ae

    SHA1

    484f878dd43a6ea83420d8e968ce5a29bb47f49a

    SHA256

    97c4959db795fb03375829e9033c654d682304191422eab3ae40daa22e5b4df5

    SHA512

    1ede20cce306568055287897299d484634c8d4b604161371bb5a5716ba679eb0d109f6ca97aeacbaf08f2a80fb3104a73958f488614585b23ade1bc6aaf11343

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8348.exe
    Filesize

    236KB

    MD5

    8bc6d8b0c7e75fc98f05f101755f96ef

    SHA1

    f47cbf03b55f989f17b582939491bcca898a03b9

    SHA256

    92e12e0d598fcea764891f0787294d68d6d5555e51f8110a534391f305dc89f9

    SHA512

    78a88b6a97210802d9aa3cf47ccf6b94bda23e5fb90dfe433f6ac7b8b524e46066fca90e7ba48de2d9cf6e463d2a84eac61277d1a8715c609901ce1f484ae760

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4790.exe
    Filesize

    295KB

    MD5

    e54b131def39b696478ddf287306e47a

    SHA1

    890d40dc214be25f965dabe0dbffac1b113a64ea

    SHA256

    ece34eaacaffa89ca67dff538ba6c33921277b1ea6cab96075fd2e7ade7a1203

    SHA512

    37d56e73cae2077664b808e224038d079fc56196fe19396116876472832b692871953acebd6e917db3b4605181bf38949a22e00eef912a48e4a0ad4b463527fe

    Download Submit

  • memory/2280-76-0x0000000002570000-0x00000000025AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2280-80-0x0000000002570000-0x00000000025AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2280-970-0x0000000005850000-0x000000000595A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2280-969-0x0000000005230000-0x0000000005848000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2280-63-0x0000000002570000-0x00000000025AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2280-64-0x0000000002570000-0x00000000025AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2280-66-0x0000000002570000-0x00000000025AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2280-90-0x0000000002570000-0x00000000025AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2280-71-0x0000000002570000-0x00000000025AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2280-72-0x0000000002570000-0x00000000025AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2280-972-0x0000000004C00000-0x0000000004C3C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2280-973-0x0000000005A60000-0x0000000005AAC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2280-78-0x0000000002570000-0x00000000025AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2280-971-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2280-83-0x0000000002570000-0x00000000025AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2280-84-0x0000000002570000-0x00000000025AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2280-86-0x0000000002570000-0x00000000025AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2280-88-0x0000000002570000-0x00000000025AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2280-92-0x0000000002570000-0x00000000025AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2280-94-0x0000000002570000-0x00000000025AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2280-96-0x0000000002570000-0x00000000025AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2280-74-0x0000000002570000-0x00000000025AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2280-68-0x0000000002570000-0x00000000025AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2280-62-0x0000000002570000-0x00000000025B4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2280-61-0x00000000024D0000-0x0000000002516000-memory.dmp

    Filesize

    280KB

    Download

  • memory/5096-43-0x0000000004A40000-0x0000000004A52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5096-55-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/5096-56-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/5096-52-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/5096-51-0x0000000000630000-0x000000000065D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/5096-50-0x0000000000660000-0x0000000000760000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/5096-22-0x0000000004A40000-0x0000000004A52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5096-23-0x0000000004A40000-0x0000000004A52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5096-25-0x0000000004A40000-0x0000000004A52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5096-27-0x0000000004A40000-0x0000000004A52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5096-30-0x0000000004A40000-0x0000000004A52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5096-31-0x0000000004A40000-0x0000000004A52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5096-35-0x0000000004A40000-0x0000000004A52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5096-37-0x0000000004A40000-0x0000000004A52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5096-39-0x0000000004A40000-0x0000000004A52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5096-41-0x0000000004A40000-0x0000000004A52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5096-45-0x0000000004A40000-0x0000000004A52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5096-47-0x0000000004A40000-0x0000000004A52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5096-49-0x0000000004A40000-0x0000000004A52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5096-33-0x0000000004A40000-0x0000000004A52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5096-21-0x0000000004A40000-0x0000000004A58000-memory.dmp

    Filesize

    96KB

    Download

  • memory/5096-20-0x0000000004AA0000-0x0000000005044000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5096-19-0x00000000049D0000-0x00000000049EA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/5096-18-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/5096-17-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/5096-16-0x0000000000630000-0x000000000065D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/5096-15-0x0000000000660000-0x0000000000760000-memory.dmp

    Filesize

    1024KB

    Download