Overview

overview

10

Static

static

3

0339905c8b...89.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2024 14:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0339905c8bf3f9bf516b34b943617b08385c97f299d72a39c1af7689f5077a89.exe

  • Size

    479KB

  • MD5

    aaa6707015e652156725a7089893ed5e

  • SHA1

    b1331420da7c5cba309d9aa5e9b104401556e075

  • SHA256

    0339905c8bf3f9bf516b34b943617b08385c97f299d72a39c1af7689f5077a89

  • SHA512

    4ca6db923632da286d8f58023a01f5edc184fefafe11fdb44059f3e04d11a8e9964a318301b623746d85ed8a4313d97aac6c1998769eb4f5de62947a9a3208ff

  • SSDEEP

    12288:JMrZy90JX2Lx15g2MqJQ5Qb64ShdFygvz4NTSDMp0mqp1:Mylr5g2FK+0hdkg0TSDMpSp1

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0339905c8bf3f9bf516b34b943617b08385c97f299d72a39c1af7689f5077a89.exe
    "C:\Users\Admin\AppData\Local\Temp\0339905c8bf3f9bf516b34b943617b08385c97f299d72a39c1af7689f5077a89.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4936
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2275570.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2275570.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2304
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5795935.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5795935.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3224
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7874828.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7874828.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:840

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2275570.exe
    Filesize

    307KB

    MD5

    10ad2fb448226789680845e8f8950e91

    SHA1

    fff24f74ec3fa537e4a042e89dd6d49e6e21c704

    SHA256

    41715fe7b51fa890f1f8dc7d0f5c6dec915528f40d53cee9077d4f2a4f9120fd

    SHA512

    9c8d093893d8376345baa5bb5b8320e8466bf45f219a537712d6787b470f1d88638b6326df26c09caec53f0fa8118e14c435861ef2cbf3c585e3063c2a6e75c2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5795935.exe
    Filesize

    175KB

    MD5

    c5a393d4ce32c576c89bdf41524f7888

    SHA1

    adffbae0ac1f18d2d83e5bae3f900ac537bb85a8

    SHA256

    b8e336e6cb7f279db22ad97bbe64efc8401e29667a3388bcd7083b37b461cf3c

    SHA512

    a3b3ca3f15b64cecf220df05a1f8408981cfaadaa8ff296995a10cf81437eac5077df2fb226c11f51831895e6da08a0639b8e326d5b4ff72377c00604d1ae5e3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7874828.exe
    Filesize

    137KB

    MD5

    aa58b7b3574c62db924a54991a5b776d

    SHA1

    0e18b2adc0eb9dd245689381e4c0aa1276d1d9a0

    SHA256

    8d8667c611c544271086cf06704e7daaace3f55c92af6400c720193c50624d2c

    SHA512

    89e09957c6ab03148f9bba35e754f57b9bec63e4f4387578ff4a1232c4b15cfa89485797a2a38e2f54810a2475c65731f4bd4882964dce5f77e4a31a20874730

    Download Submit

  • memory/840-60-0x0000000004ED0000-0x0000000004F1C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/840-59-0x00000000079F0000-0x0000000007A2C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/840-58-0x0000000007AC0000-0x0000000007BCA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/840-57-0x0000000007950000-0x0000000007962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/840-56-0x0000000007F40000-0x0000000008558000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/840-55-0x0000000000C30000-0x0000000000C58000-memory.dmp

    Filesize

    160KB

    Download

  • memory/3224-33-0x0000000004F50000-0x0000000004F62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3224-25-0x0000000004F50000-0x0000000004F62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3224-41-0x0000000004F50000-0x0000000004F62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3224-39-0x0000000004F50000-0x0000000004F62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3224-37-0x0000000004F50000-0x0000000004F62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3224-35-0x0000000004F50000-0x0000000004F62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3224-47-0x0000000004F50000-0x0000000004F62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3224-45-0x0000000004F50000-0x0000000004F62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3224-31-0x0000000004F50000-0x0000000004F62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3224-29-0x0000000004F50000-0x0000000004F62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3224-27-0x0000000004F50000-0x0000000004F62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3224-43-0x0000000004F50000-0x0000000004F62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3224-21-0x0000000004F50000-0x0000000004F62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3224-20-0x0000000004F50000-0x0000000004F62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3224-48-0x000000007442E000-0x000000007442F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3224-49-0x0000000074420000-0x0000000074BD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3224-51-0x0000000074420000-0x0000000074BD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3224-23-0x0000000004F50000-0x0000000004F62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3224-19-0x0000000004F50000-0x0000000004F68000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3224-18-0x00000000049A0000-0x0000000004F44000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3224-17-0x0000000074420000-0x0000000074BD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3224-16-0x0000000074420000-0x0000000074BD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3224-15-0x00000000023C0000-0x00000000023DA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3224-14-0x000000007442E000-0x000000007442F000-memory.dmp

    Filesize

    4KB

    Download