Overview

overview

10

Static

static

3

657bd8865d...b6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2024 13:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    657bd8865db52c1fc6209c1bdc61986f24081aee6d30d3d36396603ab856afb6.exe

  • Size

    563KB

  • MD5

    baf21529603c01e900cee5ae3dd3ebc4

  • SHA1

    6bd2f89ea18585d5a8d394b741a68bd9a69e659f

  • SHA256

    657bd8865db52c1fc6209c1bdc61986f24081aee6d30d3d36396603ab856afb6

  • SHA512

    c0515e4841df7b2b2068b84de4c49dacd8dd7d2ca4ed9ef2fc2cb37ecd4a12c2430f7e5c0873e295dd47888f90984b4423b4efdd3a25f0419e44210a5600b0bf

  • SSDEEP

    12288:ay90LvvRgYszTkvmI6X4I2ajLyuDMSzbZIBDFl97mGCHP:ay2gc64I2a3yw8RXiGCHP

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\657bd8865db52c1fc6209c1bdc61986f24081aee6d30d3d36396603ab856afb6.exe
    "C:\Users\Admin\AppData\Local\Temp\657bd8865db52c1fc6209c1bdc61986f24081aee6d30d3d36396603ab856afb6.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAL3178.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAL3178.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:980
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it804167.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it804167.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4244
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp758612.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp758612.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2156

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAL3178.exe
    Filesize

    409KB

    MD5

    f491b393a818d6e4fcfbbfea8aee7852

    SHA1

    e7108ced21d94d62cd021a67c31d03f20420627f

    SHA256

    5fbef46b723e7929b0b82ff0c6c8210d28b448d879a8cc3a532185a2e3099c05

    SHA512

    decad7825221fd230b40b143a71829f85e5f2939189413acc5fcce89aee187c16537b547a53281fa6218b084285f67d03d9a680da39f7316bc0bc9f0254c51d7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it804167.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp758612.exe
    Filesize

    359KB

    MD5

    7bf6f99e928e162f824d7742b653fba6

    SHA1

    9e6e2bb729741bd7dded3d0eb41091a8d0be9a28

    SHA256

    bd500b6d2ce9d1478b9dea63c4dfe4dc2da7b0785ff2054387d9dc527afa67e4

    SHA512

    44f577f981c45573d435b3c5565a43d525d00e14777c6257ce70239c08b67ead2acc6bde6b8bfb6fdbb17c0bd88f7f25928ebd610813c71df084499ec44f0e51

    Download Submit

  • memory/2156-64-0x0000000004C50000-0x0000000004C85000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2156-22-0x00000000048E0000-0x000000000491C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2156-821-0x0000000004B60000-0x0000000004BAC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2156-58-0x0000000004C50000-0x0000000004C85000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2156-23-0x00000000073E0000-0x0000000007984000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2156-24-0x0000000004C50000-0x0000000004C8A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2156-28-0x0000000004C50000-0x0000000004C85000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2156-42-0x0000000004C50000-0x0000000004C85000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2156-88-0x0000000004C50000-0x0000000004C85000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2156-86-0x0000000004C50000-0x0000000004C85000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2156-62-0x0000000004C50000-0x0000000004C85000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2156-82-0x0000000004C50000-0x0000000004C85000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2156-57-0x0000000004C50000-0x0000000004C85000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2156-79-0x0000000004C50000-0x0000000004C85000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2156-76-0x0000000004C50000-0x0000000004C85000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2156-74-0x0000000004C50000-0x0000000004C85000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2156-70-0x0000000004C50000-0x0000000004C85000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2156-68-0x0000000004C50000-0x0000000004C85000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2156-66-0x0000000004C50000-0x0000000004C85000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2156-820-0x000000000A4D0000-0x000000000A50C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2156-85-0x0000000004C50000-0x0000000004C85000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2156-819-0x000000000A370000-0x000000000A47A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2156-80-0x0000000004C50000-0x0000000004C85000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2156-54-0x0000000004C50000-0x0000000004C85000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2156-52-0x0000000004C50000-0x0000000004C85000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2156-50-0x0000000004C50000-0x0000000004C85000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2156-48-0x0000000004C50000-0x0000000004C85000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2156-46-0x0000000004C50000-0x0000000004C85000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2156-44-0x0000000004C50000-0x0000000004C85000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2156-40-0x0000000004C50000-0x0000000004C85000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2156-38-0x0000000004C50000-0x0000000004C85000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2156-36-0x0000000004C50000-0x0000000004C85000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2156-34-0x0000000004C50000-0x0000000004C85000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2156-32-0x0000000004C50000-0x0000000004C85000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2156-30-0x0000000004C50000-0x0000000004C85000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2156-72-0x0000000004C50000-0x0000000004C85000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2156-60-0x0000000004C50000-0x0000000004C85000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2156-26-0x0000000004C50000-0x0000000004C85000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2156-25-0x0000000004C50000-0x0000000004C85000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2156-817-0x0000000009D10000-0x000000000A328000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2156-818-0x000000000A350000-0x000000000A362000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4244-15-0x0000000000FC0000-0x0000000000FCA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4244-14-0x00007FFA2EB13000-0x00007FFA2EB15000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4244-17-0x00007FFA2EB13000-0x00007FFA2EB15000-memory.dmp

    Filesize

    8KB

    Download