Overview

overview

10

Static

static

3

062bf5eda9...2b.exe

windows10-2004-x64

10

16b83c8926...86.exe

windows10-2004-x64

10

1d059ca891...d4.exe

windows10-2004-x64

10

51d640efcf...44.exe

windows10-2004-x64

10

68c37c8307...6a.exe

windows10-2004-x64

10

764d92d88b...5f.exe

windows10-2004-x64

10

853890cb43...68.exe

windows10-2004-x64

10

94cb7f4064...ae.exe

windows10-2004-x64

10

b37eb33077...f6.exe

windows10-2004-x64

10

b813f799e9...17.exe

windows10-2004-x64

10

c1a9af1ad6...d5.exe

windows10-2004-x64

10

cc6d978c1f...21.exe

windows10-2004-x64

10

cfdc6cd562...d3.exe

windows10-2004-x64

10

e81854abc9...1a.exe

windows10-2004-x64

10

eaef827c83...65.exe

windows7-x64

3

eaef827c83...65.exe

windows10-2004-x64

10

ed835b70d5...6c.exe

windows10-2004-x64

10

f48c36cb91...ef.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-05-2024 08:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    94cb7f4064a3c804b1fa19c3f5dc17ae361ced8153e20bd02842c65e16d1e3ae.exe

  • Size

    307KB

  • MD5

    24113d3ed2dc8ba8789b2874addb0750

  • SHA1

    2901dff1dd1b5b619d48c8d04d22c185922e651b

  • SHA256

    94cb7f4064a3c804b1fa19c3f5dc17ae361ced8153e20bd02842c65e16d1e3ae

  • SHA512

    409754870b1cf18269d84a798f69e11cb54540d12217fc0674524ef0e3d42ce38d199d45b7e1b7cb96a70fff87704561b6208bb58bc2628881b9a3d7422aecc7

  • SSDEEP

    6144:Kxy+bnr++p0yN90QEA5F5OYc1u31g4TBylzQbR/JOF:HMriy90mxc1u31TTEtQb1JOF

Score
10/10
healerredlinedropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\94cb7f4064a3c804b1fa19c3f5dc17ae361ced8153e20bd02842c65e16d1e3ae.exe
    "C:\Users\Admin\AppData\Local\Temp\94cb7f4064a3c804b1fa19c3f5dc17ae361ced8153e20bd02842c65e16d1e3ae.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1476
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k8916177.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k8916177.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4028
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l7529087.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l7529087.exe
      2⤵
      • Executes dropped EXE
      PID:4488

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k8916177.exe
    Filesize

    175KB

    MD5

    a488df49a762065f75f41ee76c2215b4

    SHA1

    6ffd0bf006ca60251cf8b298891d317693885fe9

    SHA256

    cf8fd74e3f74fb3dafb881e7070287a7ad77296cbaab59a0b8968de37365c0d3

    SHA512

    5480aa133771076a21c984512f42a9020b012f7735960b05de7908f7bc13a8944bfcdaa4a28415ac6395e4f86e96c29251dbae9284917ce7e23eb623a79477f3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l7529087.exe
    Filesize

    136KB

    MD5

    ea7424a74eacf1d89358ccbde8484098

    SHA1

    d66cac767a565053916ba6604ca5272d2d0e17aa

    SHA256

    ed28be548a5ca5d75c2bf5ec47ba896d4f4e6916abee3cf04dca41d9fd87249a

    SHA512

    c50b3c66646a429830eb4c90fff4bacf764c9cc4ced25f1b854b3d77a1a27e9aebc6d1c28330062e4bc2adc0a603bc75a5fe4be6d7a64449a7664f8d2ffb70fc

    Download Submit

  • memory/4028-40-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4028-7-0x00000000749CE000-0x00000000749CF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4028-16-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4028-11-0x00000000023F0000-0x0000000002408000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4028-12-0x00000000749C0000-0x0000000075170000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4028-34-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4028-8-0x0000000002270000-0x000000000228A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4028-38-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4028-36-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4028-32-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4028-24-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4028-22-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4028-20-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4028-18-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4028-10-0x0000000004A20000-0x0000000004FC4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4028-14-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4028-9-0x00000000749C0000-0x0000000075170000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4028-30-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4028-28-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4028-26-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4028-41-0x00000000749C0000-0x0000000075170000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4028-43-0x00000000749C0000-0x0000000075170000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4028-13-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4488-47-0x00000000000D0000-0x00000000000F8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/4488-48-0x0000000074970000-0x0000000074A1B000-memory.dmp

    Filesize

    684KB

    Download

  • memory/4488-49-0x0000000007560000-0x0000000007B78000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4488-50-0x0000000006F70000-0x0000000006F82000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4488-51-0x00000000070A0000-0x00000000071AA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4488-52-0x0000000074970000-0x0000000074A1B000-memory.dmp

    Filesize

    684KB

    Download

  • memory/4488-53-0x0000000007000000-0x000000000703C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4488-54-0x00000000024B0000-0x00000000024FC000-memory.dmp

    Filesize

    304KB

    Download