Overview

overview

10

Static

static

3

d7fc0af08c...44.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-05-2024 01:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d7fc0af08c7889254cdf65ba417997f9d7d84c8c0c78665c4165c55cc6865844.exe

  • Size

    479KB

  • MD5

    7bcf2e753722fce4e136cbbe1117f966

  • SHA1

    e9f85926c3888d93bf7bdcbe582fcfcea7ee17ca

  • SHA256

    d7fc0af08c7889254cdf65ba417997f9d7d84c8c0c78665c4165c55cc6865844

  • SHA512

    a5797cd51b94846ef22520662291a14667573cbe2fe57254ab4076ca82bd66678961e6a3a8505296ba9c79e4ce66d8e8493fe529b133047d9c0114824202eb62

  • SSDEEP

    6144:Kky+bnr+sp0yN90QECge4Xy+xkKUxnwqggIjf1kuJQ4QbCA2P32NKr686MocC3gZ:wMr0y90bzuLxnwuITTQbCNRp6dxg71

Score
10/10
healerredlinedropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 17 IoCs
  • Detects executables packed with ConfuserEx Mod 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d7fc0af08c7889254cdf65ba417997f9d7d84c8c0c78665c4165c55cc6865844.exe
    "C:\Users\Admin\AppData\Local\Temp\d7fc0af08c7889254cdf65ba417997f9d7d84c8c0c78665c4165c55cc6865844.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1976558.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1976558.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4092
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1735670.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1735670.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4440
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5217824.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5217824.exe
        3⤵
        • Executes dropped EXE
        PID:2440

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1976558.exe
    Filesize

    307KB

    MD5

    43b84af92c8494c5f900585fe2e09764

    SHA1

    2e5627c40ccc8de56e387ca7f44b2a6d178d5a51

    SHA256

    05a1128c35808cf04a3552b238bfc7e0cf1b531695cda5a05b2b26d965e906e2

    SHA512

    887345cd70236ef96bc6dbc648c5f345d1297a7bd37131defd32f00af7fa055785f392e138799527eb608f6016f14caf781bf953a6a6efbb42a2a20a6b4b9160

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1735670.exe
    Filesize

    175KB

    MD5

    e49886750e95b2674393077cf2ee9b0a

    SHA1

    dc81ee1850826dfedd36382d1b5a5bf913e1a986

    SHA256

    9ad5deeafca80f6bfacfb2290d072b3c8f00e819e295a42e0fb989b0b2edacac

    SHA512

    65c5099fb31e8ff4ffeac09440f2e434e3804e142d440e54ae0052a33e5a116b4fb56c40c4184c7206cf854b8345529bccf94333cf00b551371d55445bf1e2fb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5217824.exe
    Filesize

    136KB

    MD5

    710515fb2c667ad83d8b3547e921f712

    SHA1

    085d65dc42e2b7baa04caf2206f2e9ede48b2591

    SHA256

    05c7f7137651ae6586b92f59e3391c5775a3d28175ac83e89be55843d1c35a1e

    SHA512

    db8f4e21c85715274c9c61a22c638d39d25c098d4921a32c68d9a8cacacf600fcd217a552e12ee074d3ff5f177572c6b4ee10a3592075c0c44bfa58007c70566

    Download Submit

  • memory/2440-59-0x00000000075B0000-0x00000000075FC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2440-58-0x0000000007570000-0x00000000075AC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2440-57-0x0000000007640000-0x000000000774A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2440-56-0x00000000074D0000-0x00000000074E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2440-55-0x0000000007A70000-0x0000000008088000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2440-54-0x00000000007B0000-0x00000000007D8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/4440-22-0x0000000002420000-0x0000000002432000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4440-19-0x0000000002420000-0x0000000002432000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4440-38-0x0000000002420000-0x0000000002432000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4440-32-0x0000000002420000-0x0000000002432000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4440-30-0x0000000002420000-0x0000000002432000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4440-26-0x0000000002420000-0x0000000002432000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4440-24-0x0000000002420000-0x0000000002432000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4440-42-0x0000000002420000-0x0000000002432000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4440-20-0x0000000002420000-0x0000000002432000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4440-34-0x0000000002420000-0x0000000002432000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4440-28-0x0000000002420000-0x0000000002432000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4440-40-0x0000000002420000-0x0000000002432000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4440-47-0x0000000073D70000-0x0000000074520000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4440-46-0x0000000002420000-0x0000000002432000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4440-48-0x0000000073D70000-0x0000000074520000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4440-50-0x0000000073D70000-0x0000000074520000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4440-45-0x0000000002420000-0x0000000002432000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4440-36-0x0000000002420000-0x0000000002432000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4440-18-0x0000000002420000-0x0000000002438000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4440-16-0x0000000073D70000-0x0000000074520000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4440-17-0x0000000004BA0000-0x0000000005144000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4440-15-0x0000000002150000-0x000000000216A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4440-14-0x0000000073D7E000-0x0000000073D7F000-memory.dmp

    Filesize

    4KB

    Download