Overview

overview

10

Static

static

3

45459a7248...e8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 02:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    45459a7248cbe4e2a37efcd23aa999a2f00f7f0cf1b1fd74abe8bcc5b5a506e8.exe

  • Size

    556KB

  • MD5

    0f3096caf53b613cb3f01969d7971950

  • SHA1

    8b5131616d804df38c6f6b4e54fd349dea250f7b

  • SHA256

    45459a7248cbe4e2a37efcd23aa999a2f00f7f0cf1b1fd74abe8bcc5b5a506e8

  • SHA512

    929bc392e16d2718d199d19d2563da6e0b4d9381863f584850506556d3a6c241d24b0041db31e6325fac39cd373a27a6b7ea65de2d018133edd5f5973c989486

  • SSDEEP

    12288:gMrHy90wLa7DOwwV92goOkfkh+22HzKoXYpd+dLTfn:3yrYOB2gZMpTm+dLjn

Score
10/10
healerredlineruzhpediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

ruzhpe

C2

pepunn.com:4162

Attributes
  • auth_value

    f735ced96ae8d01d0bd1d514240e54e0

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\45459a7248cbe4e2a37efcd23aa999a2f00f7f0cf1b1fd74abe8bcc5b5a506e8.exe
    "C:\Users\Admin\AppData\Local\Temp\45459a7248cbe4e2a37efcd23aa999a2f00f7f0cf1b1fd74abe8bcc5b5a506e8.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkiM7112JX.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkiM7112JX.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2168
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw23Cf16hS19.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw23Cf16hS19.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3036
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkhV87KF46Fh.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkhV87KF46Fh.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3456

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkiM7112JX.exe
    Filesize

    412KB

    MD5

    bc8586bd68600c7286580005812ad5f9

    SHA1

    447328903feea36658a70808d90a7e872df7a1a2

    SHA256

    90344b50ed05e264454f46e7a79c42cd8bd811ec6473aeea1e53ee5b4b56f6cf

    SHA512

    bd6ee80536225f3c69c46e7c9ed2a39d328cb2b48926c60dd860757262eec19c0eda8661d54ad987e60d3ed6e041a4a356e82be0ff24dddd2f8d9c3322aaa9ac

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw23Cf16hS19.exe
    Filesize

    18KB

    MD5

    bb1ef70a873c9cf93a5f8f6c34d34929

    SHA1

    e3c86407578fa12092a389c833d3ef16213b8ab8

    SHA256

    499c2c561bb9de577191ea7e8bef8cf0db4b8b00c8121fabf7f85e980fc97ce7

    SHA512

    5ba610a1dbd91750d093cc3035a56251cd644731805a4e93c6186d83b66629ea1d449026a214fddc560a57bc0fc0067c96bfc696d431e3e60a4d457ac3c43375

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkhV87KF46Fh.exe
    Filesize

    410KB

    MD5

    97581d18424b6968bffda63f4e27c2b0

    SHA1

    501bc8daae8308a502ceae32244e79e55d2282c3

    SHA256

    99908812a3e7d39049e6a424c5eaed09d067384e8997d55ea8804be915a6df30

    SHA512

    bb82a81e022d658c76192e97266feec3731260ac514f7f0c12ee96a9a81c8947c7ac756969b3671c1eef648a69f3bb39ec0fb3fb4cd4d0de272d3f2aeec2b1ba

    Download Submit

  • memory/3036-14-0x00007FFE592B3000-0x00007FFE592B5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3036-15-0x00000000006F0000-0x00000000006FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3036-16-0x00007FFE592B3000-0x00007FFE592B5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3456-61-0x0000000007300000-0x000000000733E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3456-48-0x0000000007300000-0x000000000733E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3456-24-0x0000000007300000-0x0000000007344000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3456-40-0x0000000007300000-0x000000000733E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3456-42-0x0000000007300000-0x000000000733E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3456-88-0x0000000007300000-0x000000000733E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3456-86-0x0000000007300000-0x000000000733E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3456-84-0x0000000007300000-0x000000000733E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3456-80-0x0000000007300000-0x000000000733E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3456-78-0x0000000007300000-0x000000000733E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3456-76-0x0000000007300000-0x000000000733E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3456-72-0x0000000007300000-0x000000000733E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3456-70-0x0000000007300000-0x000000000733E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3456-68-0x0000000007300000-0x000000000733E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3456-64-0x0000000007300000-0x000000000733E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3456-62-0x0000000007300000-0x000000000733E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3456-22-0x0000000004D80000-0x0000000004DC6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3456-56-0x0000000007300000-0x000000000733E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3456-54-0x0000000007300000-0x000000000733E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3456-52-0x0000000007300000-0x000000000733E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3456-50-0x0000000007300000-0x000000000733E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3456-23-0x0000000007450000-0x00000000079F4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3456-46-0x0000000007300000-0x000000000733E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3456-44-0x0000000007300000-0x000000000733E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3456-38-0x0000000007300000-0x000000000733E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3456-36-0x0000000007300000-0x000000000733E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3456-34-0x0000000007300000-0x000000000733E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3456-32-0x0000000007300000-0x000000000733E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3456-30-0x0000000007300000-0x000000000733E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3456-82-0x0000000007300000-0x000000000733E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3456-74-0x0000000007300000-0x000000000733E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3456-66-0x0000000007300000-0x000000000733E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3456-58-0x0000000007300000-0x000000000733E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3456-28-0x0000000007300000-0x000000000733E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3456-26-0x0000000007300000-0x000000000733E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3456-25-0x0000000007300000-0x000000000733E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3456-931-0x0000000007A00000-0x0000000008018000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3456-932-0x0000000008020000-0x000000000812A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3456-933-0x0000000008130000-0x0000000008142000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3456-934-0x0000000008190000-0x00000000081CC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3456-935-0x00000000082D0000-0x000000000831C000-memory.dmp

    Filesize

    304KB

    Download