Overview

overview

10

Static

static

3

11495c1726...6a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2024 13:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    11495c17267fca2a1abe8222268f9a159eaf147cb233c438d1397b6ec26b1b6a.exe

  • Size

    611KB

  • MD5

    7d8437c30dbb86a08e82185927209ba4

  • SHA1

    8a43407539cec635918a8b97a2a926af61264142

  • SHA256

    11495c17267fca2a1abe8222268f9a159eaf147cb233c438d1397b6ec26b1b6a

  • SHA512

    80107e9879fe4fbc277ae70c7bd647eeeefa1ebaeea914f9703550e7a93e65a7c92b81f34f3bb36412d01e398a70c0088e4389be419a1531dd9ea02cc2e8f759

  • SSDEEP

    12288:Vy90B7JllguaZxDSgxx9veGtVXfdkUTxiv1mMW0I3X4u:VyUVjarn5nVX1kw3h4u

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\11495c17267fca2a1abe8222268f9a159eaf147cb233c438d1397b6ec26b1b6a.exe
    "C:\Users\Admin\AppData\Local\Temp\11495c17267fca2a1abe8222268f9a159eaf147cb233c438d1397b6ec26b1b6a.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2448
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st873977.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st873977.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2416
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53306906.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53306906.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3808
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp934841.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp934841.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:5036

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st873977.exe
    Filesize

    457KB

    MD5

    d1a8031b37b5dfd394c50c874e410ceb

    SHA1

    5bbbd5fe0011f5a2df13c638687ccf881d3a959a

    SHA256

    35188434453233cf8d1f52904a2a03ec9478bba18a04a0822e0f57a19c2de0ac

    SHA512

    373655dbbaee1d37c56874519c8398bda41c7ce53a487c5e4ef3efbb9d72267c083e55d724aad7087919f4125a8e36029853f136e8b7e2633c1cdb9720aefce8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53306906.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp934841.exe
    Filesize

    459KB

    MD5

    28f99b8a9138c1fe1f393e5ce1136419

    SHA1

    f64fa48f6fc5d9796016c38e3aede39073157bf6

    SHA256

    56cc49922caf6cdbbcde3a4a68274fb10e74d96d40acca059ef23f3ca81ed3b2

    SHA512

    0aeceef22789613828910ee20421255519c4b42295c82313a77d98812768a71c53e24b3da673e4e2f4a93842d0b2dd32b7e1d5ef7253b6d21edcdb31a7a52ef6

    Download Submit

  • memory/3808-14-0x00007FFFAD773000-0x00007FFFAD775000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3808-15-0x0000000000010000-0x000000000001A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3808-16-0x00007FFFAD773000-0x00007FFFAD775000-memory.dmp

    Filesize

    8KB

    Download

  • memory/5036-64-0x0000000005410000-0x0000000005445000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5036-52-0x0000000005410000-0x0000000005445000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5036-24-0x0000000005410000-0x000000000544A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/5036-28-0x0000000005410000-0x0000000005445000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5036-34-0x0000000005410000-0x0000000005445000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5036-88-0x0000000005410000-0x0000000005445000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5036-86-0x0000000005410000-0x0000000005445000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5036-84-0x0000000005410000-0x0000000005445000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5036-80-0x0000000005410000-0x0000000005445000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5036-78-0x0000000005410000-0x0000000005445000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5036-76-0x0000000005410000-0x0000000005445000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5036-74-0x0000000005410000-0x0000000005445000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5036-72-0x0000000005410000-0x0000000005445000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5036-70-0x0000000005410000-0x0000000005445000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5036-68-0x0000000005410000-0x0000000005445000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5036-66-0x0000000005410000-0x0000000005445000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5036-22-0x0000000004D80000-0x0000000004DBC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/5036-62-0x0000000005410000-0x0000000005445000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5036-58-0x0000000005410000-0x0000000005445000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5036-56-0x0000000005410000-0x0000000005445000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5036-54-0x0000000005410000-0x0000000005445000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5036-23-0x0000000004E20000-0x00000000053C4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5036-50-0x0000000005410000-0x0000000005445000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5036-48-0x0000000005410000-0x0000000005445000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5036-46-0x0000000005410000-0x0000000005445000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5036-44-0x0000000005410000-0x0000000005445000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5036-40-0x0000000005410000-0x0000000005445000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5036-38-0x0000000005410000-0x0000000005445000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5036-36-0x0000000005410000-0x0000000005445000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5036-32-0x0000000005410000-0x0000000005445000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5036-30-0x0000000005410000-0x0000000005445000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5036-82-0x0000000005410000-0x0000000005445000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5036-60-0x0000000005410000-0x0000000005445000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5036-42-0x0000000005410000-0x0000000005445000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5036-26-0x0000000005410000-0x0000000005445000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5036-25-0x0000000005410000-0x0000000005445000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5036-817-0x0000000007910000-0x0000000007F28000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/5036-818-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5036-819-0x0000000007FC0000-0x00000000080CA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/5036-820-0x00000000080E0000-0x000000000811C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/5036-821-0x0000000002750000-0x000000000279C000-memory.dmp

    Filesize

    304KB

    Download