Overview

overview

10

Static

static

3

60789b8e53...b9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/11/2024, 22:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    60789b8e53b339aa0c38a30d9d01f09a22e55f0a6b0381a8810683ef2cca36b9.exe

  • Size

    1.5MB

  • MD5

    8bd3e45e5d756925df1cff21f98b458f

  • SHA1

    7c01d8e7c80c88db90fa7064dd84aa2d9ce969a7

  • SHA256

    60789b8e53b339aa0c38a30d9d01f09a22e55f0a6b0381a8810683ef2cca36b9

  • SHA512

    e4083fc6884b56befb90096f41bbaa04b8b308db82ecc84261b0ef4433f84b9cd80a54904c53fb589361b248908c3db68cf6afe73405ee6e70434a7f087f7040

  • SSDEEP

    49152:85vxHijNe9nIa0oQSgOQWDKskO+Dyomf9BQHiAEcbr:WvxCjEIa0QQmO7wBaHEcb

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\60789b8e53b339aa0c38a30d9d01f09a22e55f0a6b0381a8810683ef2cca36b9.exe
    "C:\Users\Admin\AppData\Local\Temp\60789b8e53b339aa0c38a30d9d01f09a22e55f0a6b0381a8810683ef2cca36b9.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4432
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4563278.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4563278.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3596
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4150712.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4150712.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3700
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4457369.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4457369.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:960
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7614674.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7614674.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:5076
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2667425.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2667425.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:5040
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 1028
                7⤵
                • Program crash
                PID:2716
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6861109.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6861109.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2836
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5040 -ip 5040
    1⤵
      PID:4984

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4563278.exe
      Filesize

      1.4MB

      MD5

      6616f4aa58af65f4da7d2efedf0df329

      SHA1

      e43cd2f0c45cd85268bcf693aa3dc5d5c1b356ee

      SHA256

      95e8471394951496914a70ad9da076ccda558e521711b08cece73e93646f4a1f

      SHA512

      25f073e7f226697f4c8fc6834118c1010c72a731b3adfac24d0572c28b1bada7ff234979b00ce728843604ba1d208b6f96b795416ae2c1fc3824fd171d4124d7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4150712.exe
      Filesize

      914KB

      MD5

      ff122de8d16d4647b348c83d18b3fc3f

      SHA1

      fadeb739f2a11803ccfea745721ebb586f684d6a

      SHA256

      432b5f32c78d7291f68b260b5ac735d27ac13b809126932365d37b4709dfde30

      SHA512

      4e23f84b53f69e76c1de729727333026a2fb02877f11d9632595df2c5a81e80cc037716db3b9b795f10389e2e179665525e7be3fc25525fce3a027e7feafd7f0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4457369.exe
      Filesize

      710KB

      MD5

      a4ac8c42788cadbcbdcd52850d7f3565

      SHA1

      d80be2dda0017abef73e28a99f47845802f50a40

      SHA256

      212f1db4d658ef121bd94ed0770d2b59eb6a5b1ad7b2fbc10d7324e450f18a0c

      SHA512

      76789cbd5c1e717d360f4f91f59bfaabcffc1c4a6b23ea67f1dc3504dfc97bb3b32d38a4f144198e2ec710e87ba58706d1f6aad1b1d9f431bf65f73496d63319

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7614674.exe
      Filesize

      418KB

      MD5

      d81cf273f4239f7653b6b6d7e6b8ca96

      SHA1

      fbcaec4b7b85627dc1b5ab3930346eea618b6989

      SHA256

      02a4616b31b4bf2bccafd1232a6a6ac59198d6c4f445a2e8655a044417d82111

      SHA512

      328aaf70655dc4194227447badee0f9ecc946046786293b6d8cd581c61b8ff1ffb237cd528b3923e084fad13036520b25f08786d40a2b70ae945913d5f48a1cb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2667425.exe
      Filesize

      361KB

      MD5

      9c27e3ff7d4ded70db2764c632ce3182

      SHA1

      730f15c692e13daea8273f7baf641ed41dc7baab

      SHA256

      03b68e43345cacc394eb8112707d7d34fd9fb235d4099d5c5b6903cc67122dc7

      SHA512

      4f7554c78b801b7e1d0dc9616e53c9040e1173d4dd8f745bc00c8c8f3b6153d9f51c2e41db9ea062d96817beeb76568182d00bfe61cf661d6fde9ba410d1ffea

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6861109.exe
      Filesize

      136KB

      MD5

      8da76b2435dac94e4bfd7bced4fe276e

      SHA1

      7787cfd666476ca3bddbe9c0c79b8a7fd04225b3

      SHA256

      0daab5c8b229a335a5379adffb2668a1687da0e1d0d37d84dc994d308ebfc7f9

      SHA512

      d95da55e11a5cb1a8107c6811f6612d953d2a668867266ee95f508561bb8f2888ddf0766361f33189caf603d585ea8aff380f5089a907eeea851ac87db39ef39

      Download Submit

    • memory/2836-78-0x00000000029B0000-0x00000000029FC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2836-77-0x00000000076D0000-0x000000000770C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2836-76-0x00000000077A0000-0x00000000078AA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2836-75-0x0000000007670000-0x0000000007682000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2836-74-0x0000000007C20000-0x0000000008238000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2836-73-0x0000000000910000-0x0000000000938000-memory.dmp

      Filesize

      160KB

      Download

    • memory/5040-56-0x0000000002950000-0x0000000002962000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5040-44-0x0000000002950000-0x0000000002962000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5040-54-0x0000000002950000-0x0000000002962000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5040-52-0x0000000002950000-0x0000000002962000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5040-50-0x0000000002950000-0x0000000002962000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5040-48-0x0000000002950000-0x0000000002962000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5040-42-0x0000000002950000-0x0000000002962000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5040-40-0x0000000002950000-0x0000000002962000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5040-46-0x0000000002950000-0x0000000002962000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5040-58-0x0000000002950000-0x0000000002962000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5040-39-0x0000000002950000-0x0000000002962000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5040-67-0x0000000000400000-0x00000000006F4000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/5040-60-0x0000000002950000-0x0000000002962000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5040-69-0x0000000000400000-0x00000000006F4000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/5040-62-0x0000000002950000-0x0000000002962000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5040-64-0x0000000002950000-0x0000000002962000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5040-66-0x0000000002950000-0x0000000002962000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5040-38-0x0000000002950000-0x0000000002968000-memory.dmp

      Filesize

      96KB

      Download

    • memory/5040-37-0x0000000004D50000-0x00000000052F4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/5040-36-0x00000000024A0000-0x00000000024BA000-memory.dmp

      Filesize

      104KB

      Download