Overview

overview

10

Static

static

3

879cddefdd...b3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2024 13:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    879cddefdd04de096aa19c799ce82144db7b792c97e1a2ab81bfc0d8823681b3.exe

  • Size

    747KB

  • MD5

    c74892d6263d802b9f25628c1713f130

  • SHA1

    c2b590f8afd24d8c42edd2097a31c87116e60b98

  • SHA256

    879cddefdd04de096aa19c799ce82144db7b792c97e1a2ab81bfc0d8823681b3

  • SHA512

    e497b66d3145d1c08f89ec6574d92a70a30c5f6301170c1552f705cffc553ce872b551a4b41ee71477cff467327c773293e3de7b08d0fa7f8828d47153d214d1

  • SSDEEP

    12288:PAy90f8WPqKYg1wjdv2sk/wrFK/xPMjhEX0uyORi+W8aDs7w1vAf8C:PAym807lsk/mFKJPMY/YQ7wvVC

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\879cddefdd04de096aa19c799ce82144db7b792c97e1a2ab81bfc0d8823681b3.exe
    "C:\Users\Admin\AppData\Local\Temp\879cddefdd04de096aa19c799ce82144db7b792c97e1a2ab81bfc0d8823681b3.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4944
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un650004.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un650004.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3700
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\72728759.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\72728759.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:264
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 264 -s 1080
          4⤵
          • Program crash
          PID:3908
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk160346.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk160346.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4724
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 264 -ip 264
    1⤵
      PID:2228
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start wuauserv
      1⤵
      • Launches sc.exe
      PID:2560

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un650004.exe
      Filesize

      593KB

      MD5

      16aa4f3f4dd4452961fa0223dd8966fb

      SHA1

      30e2d5ed93d236ee99ff0b2184aea0f2e462d661

      SHA256

      0a4ca9978067414dc571d462f2334bd32424bb77d6d9ad78009252ab093563cd

      SHA512

      833ac705f63bf61ccf2438865fd2324f01fdc02c4cc41f8ab13499acf1161c463e0248bd997c50c84fb88677d9ca5487210e17bdb150d222919cfbde121f6952

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\72728759.exe
      Filesize

      378KB

      MD5

      2246d54fd68cf066c24def35fb1585f5

      SHA1

      9985c38feb7f6144d5f14ebc5b95d042b02b8334

      SHA256

      569c3dd371fba6913115d16d4a4bac11d14fac77aeff0ed8b68358e8f1d39e20

      SHA512

      f6e50213efa21ef5cf0b4bb29a75f10b99433e5f9977cf73085e6712cf4fe3dabf1777b8cd6b8d23436a21f44d07d102567d5fd42a9ade84152e4df17d2725e4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk160346.exe
      Filesize

      460KB

      MD5

      a496b1da59034e7566abc8874ce6ea0a

      SHA1

      0554a2d930afbd971c4a1c5f27974331fc74d633

      SHA256

      e136647aad15d5ff4cebae4f4534709f7986ef6be32078ef3a603c2d7d0ffd93

      SHA512

      b50b51d4b68f6e4a150012b323b37a7047e3b72df05ee6870a236c15d6fa2bf29496e1d7c78b20ac1de7c9de6d9a82ec149b8b4567818f9c0d5ca7a9d14293c9

      Download Submit

    • memory/264-15-0x0000000000A50000-0x0000000000B50000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/264-17-0x0000000000400000-0x0000000000804000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/264-16-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/264-18-0x0000000000400000-0x0000000000804000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/264-19-0x00000000025A0000-0x00000000025BA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/264-20-0x0000000005050000-0x00000000055F4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/264-21-0x00000000027B0000-0x00000000027C8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/264-49-0x00000000027B0000-0x00000000027C2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/264-47-0x00000000027B0000-0x00000000027C2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/264-45-0x00000000027B0000-0x00000000027C2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/264-43-0x00000000027B0000-0x00000000027C2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/264-41-0x00000000027B0000-0x00000000027C2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/264-39-0x00000000027B0000-0x00000000027C2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/264-37-0x00000000027B0000-0x00000000027C2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/264-33-0x00000000027B0000-0x00000000027C2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/264-31-0x00000000027B0000-0x00000000027C2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/264-29-0x00000000027B0000-0x00000000027C2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/264-27-0x00000000027B0000-0x00000000027C2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/264-25-0x00000000027B0000-0x00000000027C2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/264-23-0x00000000027B0000-0x00000000027C2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/264-22-0x00000000027B0000-0x00000000027C2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/264-35-0x00000000027B0000-0x00000000027C2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/264-50-0x0000000000A50000-0x0000000000B50000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/264-51-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/264-54-0x0000000000400000-0x0000000000804000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/264-55-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4724-60-0x0000000004D70000-0x0000000004DAC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4724-61-0x00000000053E0000-0x000000000541A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/4724-77-0x00000000053E0000-0x0000000005415000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4724-67-0x00000000053E0000-0x0000000005415000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4724-65-0x00000000053E0000-0x0000000005415000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4724-63-0x00000000053E0000-0x0000000005415000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4724-62-0x00000000053E0000-0x0000000005415000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4724-89-0x00000000053E0000-0x0000000005415000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4724-95-0x00000000053E0000-0x0000000005415000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4724-93-0x00000000053E0000-0x0000000005415000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4724-91-0x00000000053E0000-0x0000000005415000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4724-87-0x00000000053E0000-0x0000000005415000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4724-85-0x00000000053E0000-0x0000000005415000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4724-83-0x00000000053E0000-0x0000000005415000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4724-81-0x00000000053E0000-0x0000000005415000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4724-79-0x00000000053E0000-0x0000000005415000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4724-75-0x00000000053E0000-0x0000000005415000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4724-73-0x00000000053E0000-0x0000000005415000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4724-71-0x00000000053E0000-0x0000000005415000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4724-69-0x00000000053E0000-0x0000000005415000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4724-854-0x00000000078E0000-0x0000000007EF8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4724-855-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4724-856-0x0000000007FC0000-0x00000000080CA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4724-857-0x00000000080E0000-0x000000000811C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4724-858-0x0000000004770000-0x00000000047BC000-memory.dmp

      Filesize

      304KB

      Download