Overview

overview

10

Static

static

3

0f6ce02639...df.exe

windows10-2004-x64

10

17dbf09aca...d0.exe

windows7-x64

3

17dbf09aca...d0.exe

windows10-2004-x64

10

1b624e343d...55.exe

windows10-2004-x64

10

2faa75c50b...6d.exe

windows7-x64

3

2faa75c50b...6d.exe

windows10-2004-x64

10

4be1f370e8...6b.exe

windows7-x64

3

4be1f370e8...6b.exe

windows10-2004-x64

10

576cad65a8...60.exe

windows10-2004-x64

10

6aa8d5d0d6...df.exe

windows10-2004-x64

10

6eeb3d69d9...69.exe

windows7-x64

3

6eeb3d69d9...69.exe

windows10-2004-x64

10

77b8709187...06.exe

windows7-x64

3

77b8709187...06.exe

windows10-2004-x64

10

7f4e227924...bb.exe

windows7-x64

3

7f4e227924...bb.exe

windows10-2004-x64

10

8a870280a0...35.exe

windows7-x64

3

8a870280a0...35.exe

windows10-2004-x64

10

8db6f54494...1f.exe

windows10-2004-x64

10

b21367ffaa...ef.exe

windows10-2004-x64

10

b62068be50...da.exe

windows10-2004-x64

10

be5114d10d...f3.exe

windows10-2004-x64

10

d191282ff4...7a.exe

windows10-2004-x64

10

de9167b772...91.exe

windows10-2004-x64

10

f6dc0b4c65...d6.exe

windows10-2004-x64

10

f85eca1ce9...65.exe

windows7-x64

3

f85eca1ce9...65.exe

windows10-2004-x64

10

f8dfa98c4e...be.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 14:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df.exe

  • Size

    308KB

  • MD5

    d5f61fc6a8c52e0a93619aa88abf0823

  • SHA1

    e8ab904b74f798424102a1739f810f09f1987d60

  • SHA256

    6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df

  • SHA512

    3b5a5f2a02c8788cb4e7245073766e30d3bbb4cb635ae648502d80ceed32a876b0103bc90ecc4fb1749f84d354cc3ba91034aad95f3fd1ea82fe12eca0b6b85f

  • SSDEEP

    6144:K0y+bnr+jp0yN90QE3lEY+zbPsn4Jkb2LPrKRc57uiL4P7:MMrby901b+zYebLPrKG5fL8

Score
10/10
healerredlinedropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df.exe
    "C:\Users\Admin\AppData\Local\Temp\6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1812
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k6912702.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k6912702.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4836
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l1624569.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l1624569.exe
      2⤵
      • Executes dropped EXE
      PID:4328

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k6912702.exe
    Filesize

    175KB

    MD5

    ddacfe0ab3780ff5989c3f2c32e681cd

    SHA1

    ffeeedaf65d9e6d3634d263d6a42a703777d567e

    SHA256

    3206d9f91f805541bfe3ef067f2b41572a9c7c558db98e8473bb5d7dde6bca05

    SHA512

    bfd8c9a4909bdeca40450a24570fe6031a7c23cc2586c913f944ba2242121b8aad3133fcdbaf55546a50302fbd0894229becc12f4d721848903a5f29aa88e13f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l1624569.exe
    Filesize

    136KB

    MD5

    100120265e59b27a64574c737cd3dd59

    SHA1

    6d525c91ab327ab0fa09dd23e50fb11198d0c8f0

    SHA256

    20e7be4a67709e8af75acd6d7f91f7818e1b85e7cc10690c9904f968f207c46b

    SHA512

    203545141f943c1e5d81b2c105a0db41a49eb9fec335e8bb7cfd63529cfc50a9ce8a7dc49b5059ad7dd7b135a6796dd5c7665b31c6a916a2ccdab31edf08bee4

    Download Submit

  • memory/4328-53-0x0000000007D10000-0x0000000007D5C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4328-52-0x0000000007C90000-0x0000000007CCC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4328-51-0x0000000007D60000-0x0000000007E6A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4328-50-0x0000000007C30000-0x0000000007C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4328-49-0x00000000081D0000-0x00000000087E8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4328-48-0x0000000074020000-0x00000000740CB000-memory.dmp

    Filesize

    684KB

    Download

  • memory/4328-47-0x0000000000ED0000-0x0000000000EF8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/4836-40-0x0000000005080000-0x0000000005092000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4836-13-0x0000000005080000-0x0000000005092000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4836-34-0x0000000005080000-0x0000000005092000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4836-32-0x0000000005080000-0x0000000005092000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4836-30-0x0000000005080000-0x0000000005092000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4836-28-0x0000000005080000-0x0000000005092000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4836-26-0x0000000005080000-0x0000000005092000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4836-24-0x0000000005080000-0x0000000005092000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4836-41-0x0000000074070000-0x0000000074820000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4836-22-0x0000000005080000-0x0000000005092000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4836-14-0x0000000005080000-0x0000000005092000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4836-36-0x0000000005080000-0x0000000005092000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4836-18-0x0000000005080000-0x0000000005092000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4836-16-0x0000000005080000-0x0000000005092000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4836-43-0x0000000074070000-0x0000000074820000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4836-38-0x0000000005080000-0x0000000005092000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4836-20-0x0000000005080000-0x0000000005092000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4836-12-0x0000000074070000-0x0000000074820000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4836-11-0x0000000005080000-0x0000000005098000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4836-10-0x0000000004A90000-0x0000000005034000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4836-9-0x0000000074070000-0x0000000074820000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4836-8-0x0000000004A10000-0x0000000004A2A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4836-7-0x000000007407E000-0x000000007407F000-memory.dmp

    Filesize

    4KB

    Download