Overview

overview

10

Static

static

3

062bf5eda9...2b.exe

windows10-2004-x64

10

16b83c8926...86.exe

windows10-2004-x64

10

1d059ca891...d4.exe

windows10-2004-x64

10

51d640efcf...44.exe

windows10-2004-x64

10

68c37c8307...6a.exe

windows10-2004-x64

10

764d92d88b...5f.exe

windows10-2004-x64

10

853890cb43...68.exe

windows10-2004-x64

10

94cb7f4064...ae.exe

windows10-2004-x64

10

b37eb33077...f6.exe

windows10-2004-x64

10

b813f799e9...17.exe

windows10-2004-x64

10

c1a9af1ad6...d5.exe

windows10-2004-x64

10

cc6d978c1f...21.exe

windows10-2004-x64

10

cfdc6cd562...d3.exe

windows10-2004-x64

10

e81854abc9...1a.exe

windows10-2004-x64

10

eaef827c83...65.exe

windows7-x64

3

eaef827c83...65.exe

windows10-2004-x64

10

ed835b70d5...6c.exe

windows10-2004-x64

10

f48c36cb91...ef.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-05-2024 08:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    94cb7f4064a3c804b1fa19c3f5dc17ae361ced8153e20bd02842c65e16d1e3ae.exe

  • Size

    307KB

  • MD5

    24113d3ed2dc8ba8789b2874addb0750

  • SHA1

    2901dff1dd1b5b619d48c8d04d22c185922e651b

  • SHA256

    94cb7f4064a3c804b1fa19c3f5dc17ae361ced8153e20bd02842c65e16d1e3ae

  • SHA512

    409754870b1cf18269d84a798f69e11cb54540d12217fc0674524ef0e3d42ce38d199d45b7e1b7cb96a70fff87704561b6208bb58bc2628881b9a3d7422aecc7

  • SSDEEP

    6144:Kxy+bnr++p0yN90QEA5F5OYc1u31g4TBylzQbR/JOF:HMriy90mxc1u31TTEtQb1JOF

Score
10/10
healerredlinedropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\94cb7f4064a3c804b1fa19c3f5dc17ae361ced8153e20bd02842c65e16d1e3ae.exe
    "C:\Users\Admin\AppData\Local\Temp\94cb7f4064a3c804b1fa19c3f5dc17ae361ced8153e20bd02842c65e16d1e3ae.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4488
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k8916177.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k8916177.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3036
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l7529087.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l7529087.exe
      2⤵
      • Executes dropped EXE
      PID:3964
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:3268

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k8916177.exe
    Filesize

    175KB

    MD5

    a488df49a762065f75f41ee76c2215b4

    SHA1

    6ffd0bf006ca60251cf8b298891d317693885fe9

    SHA256

    cf8fd74e3f74fb3dafb881e7070287a7ad77296cbaab59a0b8968de37365c0d3

    SHA512

    5480aa133771076a21c984512f42a9020b012f7735960b05de7908f7bc13a8944bfcdaa4a28415ac6395e4f86e96c29251dbae9284917ce7e23eb623a79477f3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l7529087.exe
    Filesize

    136KB

    MD5

    ea7424a74eacf1d89358ccbde8484098

    SHA1

    d66cac767a565053916ba6604ca5272d2d0e17aa

    SHA256

    ed28be548a5ca5d75c2bf5ec47ba896d4f4e6916abee3cf04dca41d9fd87249a

    SHA512

    c50b3c66646a429830eb4c90fff4bacf764c9cc4ced25f1b854b3d77a1a27e9aebc6d1c28330062e4bc2adc0a603bc75a5fe4be6d7a64449a7664f8d2ffb70fc

    Download Submit

  • memory/3036-17-0x0000000002540000-0x0000000002552000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3036-10-0x00000000049C0000-0x0000000004F64000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3036-15-0x0000000002540000-0x0000000002552000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3036-9-0x00000000740D0000-0x0000000074880000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3036-13-0x0000000002540000-0x0000000002552000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3036-39-0x0000000002540000-0x0000000002552000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3036-40-0x00000000740D0000-0x0000000074880000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3036-38-0x0000000002540000-0x0000000002552000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3036-33-0x0000000002540000-0x0000000002552000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3036-31-0x0000000002540000-0x0000000002552000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3036-29-0x0000000002540000-0x0000000002552000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3036-24-0x0000000002540000-0x0000000002552000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3036-21-0x0000000002540000-0x0000000002552000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3036-19-0x0000000002540000-0x0000000002552000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3036-8-0x0000000002340000-0x000000000235A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3036-11-0x0000000002540000-0x0000000002558000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3036-35-0x0000000002540000-0x0000000002552000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3036-27-0x0000000002540000-0x0000000002552000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3036-25-0x0000000002540000-0x0000000002552000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3036-12-0x0000000002540000-0x0000000002552000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3036-42-0x00000000740D0000-0x0000000074880000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3036-7-0x00000000740DE000-0x00000000740DF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3964-47-0x00000000005A0000-0x00000000005C8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/3964-46-0x0000000074080000-0x000000007412B000-memory.dmp

    Filesize

    684KB

    Download

  • memory/3964-49-0x00000000072C0000-0x00000000072D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3964-50-0x0000000007430000-0x000000000753A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3964-48-0x00000000078C0000-0x0000000007ED8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3964-52-0x0000000007360000-0x000000000739C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3964-51-0x0000000074080000-0x000000007412B000-memory.dmp

    Filesize

    684KB

    Download

  • memory/3964-53-0x00000000073A0000-0x00000000073EC000-memory.dmp

    Filesize

    304KB

    Download