Overview

overview

10

Static

static

3

a164baa4ed...7c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/11/2024, 22:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a164baa4ed040fd897cfa3258dccfb6a350d95f07760eb1237e9a75bfd7d227c.exe

  • Size

    691KB

  • MD5

    fe3cbc00a4587c42e9758269bf0e0422

  • SHA1

    7640d8435158e3ec99266163d79fe9729d6eb2da

  • SHA256

    a164baa4ed040fd897cfa3258dccfb6a350d95f07760eb1237e9a75bfd7d227c

  • SHA512

    716cb4a970eb7e31d458ef5e8688abc00ff6b370e114b1d0a53596c3aab03b758c2235fd64b8d092d9a0cab4e1769f825d3afc4d45d7dce21136786d4c41ef9d

  • SSDEEP

    12288:Cy90eOIOMliXYuGOG4izdMkfRkZd2XGtniNnmA1AQa12HF7RD8:CydMMlG3G4KdMGRbNLe14Rg

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a164baa4ed040fd897cfa3258dccfb6a350d95f07760eb1237e9a75bfd7d227c.exe
    "C:\Users\Admin\AppData\Local\Temp\a164baa4ed040fd897cfa3258dccfb6a350d95f07760eb1237e9a75bfd7d227c.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1160
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un333610.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un333610.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1144
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\26101701.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\26101701.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:468
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 1080
          4⤵
          • Program crash
          PID:392
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk011981.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk011981.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4980
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 468 -ip 468
    1⤵
      PID:792

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un333610.exe
      Filesize

      536KB

      MD5

      a927debbdc95b18219c0a8f8e01e89b9

      SHA1

      2a64a8e797a64d36091fc0585d279e761df0247a

      SHA256

      e4370a1d76867b702a961cd55dd95abc65de6863344aecba854f3478663d277c

      SHA512

      2c5207d59b6d4f8b43c3d64f0a8b9c97b2e2255e131c59515257fd420432b7c8a43849229460b06ba2f512357d6fcec1db046e313423c87f6d34110145cd43e4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\26101701.exe
      Filesize

      258KB

      MD5

      64ae2b6f52c2e5bab74634af65db9aad

      SHA1

      22e1bf8b4db3402c7cac6dc37e6e0566ef2b15b2

      SHA256

      5c25f3cee73b931a60427e4339beab39faa98b4329376aa89273dceb19c7b013

      SHA512

      b95a6b6416cb90cfaa6e6b885a487be05fe6e786f84ebf1c44f771b25b0e9996e38578508090e3da23c16e185fffc9da8f2fe8f3ab3642b67c9a1c9976519912

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk011981.exe
      Filesize

      341KB

      MD5

      216b10720dc41c8ef13818fea515509c

      SHA1

      77c8abae205e319bf7cb227669f674a20d7e3595

      SHA256

      6a0a8f7c45a7dc237acfad1535074627a2f7323db65297c190a210a7b70178a3

      SHA512

      4d03d89b0880c09bd2ef295c4f3786d0a69c15d5772807b4ea01144aadb47ed9a8902170e394c7fad6eff1698a5a5ac64bf0feb05121db9cd25acc48a1b2a13e

      Download Submit

    • memory/468-15-0x0000000000650000-0x0000000000750000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/468-16-0x00000000005D0000-0x00000000005FD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/468-17-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/468-18-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/468-19-0x0000000002260000-0x000000000227A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/468-20-0x0000000004CD0000-0x0000000005274000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/468-21-0x0000000002600000-0x0000000002618000-memory.dmp

      Filesize

      96KB

      Download

    • memory/468-23-0x0000000002600000-0x0000000002613000-memory.dmp

      Filesize

      76KB

      Download

    • memory/468-49-0x0000000002600000-0x0000000002613000-memory.dmp

      Filesize

      76KB

      Download

    • memory/468-47-0x0000000002600000-0x0000000002613000-memory.dmp

      Filesize

      76KB

      Download

    • memory/468-45-0x0000000002600000-0x0000000002613000-memory.dmp

      Filesize

      76KB

      Download

    • memory/468-43-0x0000000002600000-0x0000000002613000-memory.dmp

      Filesize

      76KB

      Download

    • memory/468-41-0x0000000002600000-0x0000000002613000-memory.dmp

      Filesize

      76KB

      Download

    • memory/468-39-0x0000000002600000-0x0000000002613000-memory.dmp

      Filesize

      76KB

      Download

    • memory/468-37-0x0000000002600000-0x0000000002613000-memory.dmp

      Filesize

      76KB

      Download

    • memory/468-36-0x0000000002600000-0x0000000002613000-memory.dmp

      Filesize

      76KB

      Download

    • memory/468-33-0x0000000002600000-0x0000000002613000-memory.dmp

      Filesize

      76KB

      Download

    • memory/468-31-0x0000000002600000-0x0000000002613000-memory.dmp

      Filesize

      76KB

      Download

    • memory/468-29-0x0000000002600000-0x0000000002613000-memory.dmp

      Filesize

      76KB

      Download

    • memory/468-27-0x0000000002600000-0x0000000002613000-memory.dmp

      Filesize

      76KB

      Download

    • memory/468-25-0x0000000002600000-0x0000000002613000-memory.dmp

      Filesize

      76KB

      Download

    • memory/468-22-0x0000000002600000-0x0000000002613000-memory.dmp

      Filesize

      76KB

      Download

    • memory/468-50-0x0000000000650000-0x0000000000750000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/468-51-0x00000000005D0000-0x00000000005FD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/468-52-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/468-55-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/468-56-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4980-61-0x00000000049F0000-0x0000000004A2C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4980-62-0x0000000004A70000-0x0000000004AAA000-memory.dmp

      Filesize

      232KB

      Download

    • memory/4980-88-0x0000000004A70000-0x0000000004AA5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4980-86-0x0000000004A70000-0x0000000004AA5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4980-96-0x0000000004A70000-0x0000000004AA5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4980-94-0x0000000004A70000-0x0000000004AA5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4980-92-0x0000000004A70000-0x0000000004AA5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4980-90-0x0000000004A70000-0x0000000004AA5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4980-84-0x0000000004A70000-0x0000000004AA5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4980-82-0x0000000004A70000-0x0000000004AA5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4980-81-0x0000000004A70000-0x0000000004AA5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4980-78-0x0000000004A70000-0x0000000004AA5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4980-76-0x0000000004A70000-0x0000000004AA5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4980-74-0x0000000004A70000-0x0000000004AA5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4980-72-0x0000000004A70000-0x0000000004AA5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4980-70-0x0000000004A70000-0x0000000004AA5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4980-68-0x0000000004A70000-0x0000000004AA5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4980-66-0x0000000004A70000-0x0000000004AA5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4980-64-0x0000000004A70000-0x0000000004AA5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4980-63-0x0000000004A70000-0x0000000004AA5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4980-855-0x0000000007550000-0x0000000007B68000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4980-856-0x0000000007BF0000-0x0000000007C02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4980-857-0x0000000007C10000-0x0000000007D1A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4980-858-0x0000000007D30000-0x0000000007D6C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4980-859-0x0000000002390000-0x00000000023DC000-memory.dmp

      Filesize

      304KB

      Download