Overview

overview

10

Static

static

3

a7b9f60211...e9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/11/2024, 14:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a7b9f60211e48c673b47526cf92ce663923511d04efda37c6d3052ba5c0bc5e9.exe

  • Size

    560KB

  • MD5

    e936c07a5ddfbed093371e98bcc2a855

  • SHA1

    06a417a58e3936e27b691fffa6b5aa269812a0a7

  • SHA256

    a7b9f60211e48c673b47526cf92ce663923511d04efda37c6d3052ba5c0bc5e9

  • SHA512

    d099d737d8559c69c901572dcc4728118263e4fd830b423477a9307001223e70a51861b5f2fd7fcab48d56aba4de222ef0eba63fcf937dac6e0c105908fb3e8e

  • SSDEEP

    12288:Ay90njhBuM2vPssnk1TSO6k3d3z09SR9Dqdrlr:AyiX2vP3ET1N3z0GlmBr

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a7b9f60211e48c673b47526cf92ce663923511d04efda37c6d3052ba5c0bc5e9.exe
    "C:\Users\Admin\AppData\Local\Temp\a7b9f60211e48c673b47526cf92ce663923511d04efda37c6d3052ba5c0bc5e9.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqV4923.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqV4923.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3616
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it530249.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it530249.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:464
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp377781.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp377781.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2652

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqV4923.exe
    Filesize

    406KB

    MD5

    27049e625b29b3c31467195111fb6f05

    SHA1

    973a8586dbb99486ee97759e8f1baf796783a72a

    SHA256

    0ea7963242dde06fe4cf8427e87bb8104524ae4e2b812ae60360f5b1726b5059

    SHA512

    c1fe9ba8aa8ff38fecff5b0a75e2c8bbfab6645a7900ea08409b0e8906c889eb0feab1f2558787e21bdb49f27324efbcfed48a8be230c4134e7fc219e4bfe462

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it530249.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp377781.exe
    Filesize

    352KB

    MD5

    2ca52d1551cded87b89c3d2ed41f673a

    SHA1

    4ab7d7ec76d759071748cda861a4fff4af092b5f

    SHA256

    e4f0d923580a3ef6091432ff07740b0510ba8a797dfc3efdeb92339c5f82f42c

    SHA512

    44331acba443f56e95256dc1239d1d650a0b22cbe8953f6a1e84209861d3e0c7d894c2cb03f6e03fe51dab8d6659a347c100cb5cb80a6dfafb8658bca398982c

    Download Submit

  • memory/464-14-0x00007FFD0AA63000-0x00007FFD0AA65000-memory.dmp

    Filesize

    8KB

    Download

  • memory/464-15-0x00000000003F0000-0x00000000003FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/464-16-0x00007FFD0AA63000-0x00007FFD0AA65000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2652-76-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2652-66-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2652-24-0x00000000071A0000-0x00000000071DA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2652-26-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2652-46-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2652-82-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2652-88-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2652-86-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2652-84-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2652-80-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2652-78-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2652-820-0x000000000A490000-0x000000000A4CC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2652-819-0x000000000A370000-0x000000000A47A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2652-821-0x0000000006CB0000-0x0000000006CFC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2652-818-0x000000000A350000-0x000000000A362000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2652-817-0x0000000009D00000-0x000000000A318000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2652-22-0x0000000004AF0000-0x0000000004B2C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2652-74-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2652-72-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2652-70-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2652-68-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2652-23-0x00000000072D0000-0x0000000007874000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2652-64-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2652-62-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2652-60-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2652-58-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2652-56-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2652-54-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2652-52-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2652-50-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2652-48-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2652-44-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2652-42-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2652-40-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2652-38-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2652-36-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2652-34-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2652-32-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2652-30-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2652-28-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2652-25-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download