Overview

overview

10

Static

static

3

747ce822c7...17.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2024 14:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    747ce822c71b5b4e2cb112ee2c9a40d6542511193e89552d34632ca97a4cf817.exe

  • Size

    1.0MB

  • MD5

    09933ae4d3b29451129578a2b89e1beb

  • SHA1

    101369508cd616c17915e222fd28135c5c66d480

  • SHA256

    747ce822c71b5b4e2cb112ee2c9a40d6542511193e89552d34632ca97a4cf817

  • SHA512

    6645bca8e84934be5de509e2751a796f1cb56f0eabd2098e8405256d8537bebca54e3590076a7437aeecb3303345ffcb5b6e158fce5fdcfe9649b136cd5c32a8

  • SSDEEP

    24576:cy57eiqTH3h7iQt89fsuj8Jy1zBaZKkjibW1UZGM/84RCG:L571qH8DVN88gIbWSZGyTR

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\747ce822c71b5b4e2cb112ee2c9a40d6542511193e89552d34632ca97a4cf817.exe
    "C:\Users\Admin\AppData\Local\Temp\747ce822c71b5b4e2cb112ee2c9a40d6542511193e89552d34632ca97a4cf817.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4568
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un384239.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un384239.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4948
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un239635.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un239635.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1568
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr348866.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr348866.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1508
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1064
            5⤵
            • Program crash
            PID:4240
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu264046.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu264046.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4656
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1508 -ip 1508
    1⤵
      PID:1924

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un384239.exe
      Filesize

      749KB

      MD5

      65619a9a7dcd479f40600e4c1c6f9213

      SHA1

      c9530c9119f9369f22eb345b882f07c1064709da

      SHA256

      0f29bd73fab487eef7bfb07f8e324ed160974f2df24a2252b7c8a1096db4df1c

      SHA512

      1319f7347cb6f9adbda3ce3510f7d9215b3b5e6fbd984824dbf720a33f3fe761048aa33ffc3585f54a4cd90a15969c360f26816ef025c76f7af30d9a07e5d2bc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un239635.exe
      Filesize

      595KB

      MD5

      6f7a21f4fa2b2b452620073629094880

      SHA1

      8f31783e8aa989533a438c51a59795584aacb05b

      SHA256

      c363006d65d0290288131e8bd12bdd9e7ce2b25a9d6596ac342fc37da44a6599

      SHA512

      39596b32d31aa620fada12a1dc081105cb4e809030554b7f51c4e78bce8d9d12c2cefef718d0d8632a2623cd1c0820f16b9314ffcad5085318b12f64ee3b9845

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr348866.exe
      Filesize

      389KB

      MD5

      4c10c67fb991dc35c529a43bf541cbcd

      SHA1

      5abc241f4135d341577ec31b5841f004baec9991

      SHA256

      5caa01f3199473691a34d3d737e01013849b6c19673538ddedb95e6ab9bf6a50

      SHA512

      f97ad12f9ef9114715ae2721690ae9decf3a8526f91b67a8fa0e0c1a2b224b2f384eb9694e3652949be563b863ca6c55a7805f986bfc08b17a6f15e53fa5f2fe

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu264046.exe
      Filesize

      472KB

      MD5

      dbca3f92e1e449f376c9c4204c748518

      SHA1

      809fab2b27a687a1de19de1a4a7d7693c9e96e35

      SHA256

      136be7920ff23ddbd7d4e6444d0f7839bd64bc20879171fedc8022e0fa9f93d6

      SHA512

      fa6e51310d83952cf0ba53509e1808d5022270ccb5ce1e78d3b0be29693820395f33d3843701e284fdb287370e77e5ee22ee6901f79ba3a01df3ed7e016d8d39

      Download Submit

    • memory/1508-54-0x0000000000400000-0x0000000000806000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1508-24-0x0000000004FF0000-0x0000000005594000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1508-25-0x0000000002880000-0x0000000002898000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1508-31-0x0000000002880000-0x0000000002892000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1508-53-0x0000000002880000-0x0000000002892000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1508-51-0x0000000002880000-0x0000000002892000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1508-49-0x0000000002880000-0x0000000002892000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1508-47-0x0000000002880000-0x0000000002892000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1508-45-0x0000000002880000-0x0000000002892000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1508-43-0x0000000002880000-0x0000000002892000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1508-42-0x0000000002880000-0x0000000002892000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1508-39-0x0000000002880000-0x0000000002892000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1508-37-0x0000000002880000-0x0000000002892000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1508-35-0x0000000002880000-0x0000000002892000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1508-33-0x0000000002880000-0x0000000002892000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1508-29-0x0000000002880000-0x0000000002892000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1508-27-0x0000000002880000-0x0000000002892000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1508-26-0x0000000002880000-0x0000000002892000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1508-55-0x0000000000B10000-0x0000000000C10000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1508-23-0x0000000002770000-0x000000000278A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1508-22-0x0000000000B10000-0x0000000000C10000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1508-57-0x0000000000400000-0x0000000000806000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4656-77-0x0000000002A00000-0x0000000002A35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4656-83-0x0000000002A00000-0x0000000002A35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4656-75-0x0000000002A00000-0x0000000002A35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4656-65-0x0000000002A00000-0x0000000002A35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4656-64-0x0000000002A00000-0x0000000002A35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4656-67-0x0000000002A00000-0x0000000002A35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4656-97-0x0000000002A00000-0x0000000002A35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4656-95-0x0000000002A00000-0x0000000002A35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4656-93-0x0000000002A00000-0x0000000002A35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4656-91-0x0000000002A00000-0x0000000002A35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4656-89-0x0000000002A00000-0x0000000002A35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4656-87-0x0000000002A00000-0x0000000002A35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4656-85-0x0000000002A00000-0x0000000002A35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4656-859-0x0000000005060000-0x000000000509C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4656-81-0x0000000002A00000-0x0000000002A35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4656-79-0x0000000002A00000-0x0000000002A35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4656-73-0x0000000002A00000-0x0000000002A35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4656-71-0x0000000002A00000-0x0000000002A35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4656-69-0x0000000002A00000-0x0000000002A35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4656-63-0x0000000002A00000-0x0000000002A3A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/4656-856-0x0000000007A10000-0x0000000008028000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4656-857-0x0000000005030000-0x0000000005042000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4656-858-0x0000000008030000-0x000000000813A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4656-62-0x00000000025C0000-0x00000000025FC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4656-860-0x0000000008150000-0x000000000819C000-memory.dmp

      Filesize

      304KB

      Download