Overview

overview

10

Static

static

3

c31aee2854...b0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/11/2024, 21:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c31aee2854129ab49066eb567b13f68f3088d9e930c81285ca490a2905c66ab0.exe

  • Size

    479KB

  • MD5

    b3f890cfef98402584a109c25e6feb2c

  • SHA1

    89ffbf3403612b542fc3eab9daea6dc46e442d80

  • SHA256

    c31aee2854129ab49066eb567b13f68f3088d9e930c81285ca490a2905c66ab0

  • SHA512

    8c40d7702ca3f69e80a52813cd65c9ca09986299cf256e1cdee332f8f5f7eede7c5088ff002b8107cd39661419349414a36feff73026b87a2696529cfebeb29b

  • SSDEEP

    12288:lMrCy90X4OATRVrU5c1u31tT0/zYbGtID+QCx+HbC:bySmoXnTNz+n+Hm

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c31aee2854129ab49066eb567b13f68f3088d9e930c81285ca490a2905c66ab0.exe
    "C:\Users\Admin\AppData\Local\Temp\c31aee2854129ab49066eb567b13f68f3088d9e930c81285ca490a2905c66ab0.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4587637.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4587637.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:808
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9044539.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9044539.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1068
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4419345.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4419345.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3968

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4587637.exe
    Filesize

    307KB

    MD5

    80c0a4af7c05f2567b6810c65c0d70dd

    SHA1

    65e8da25e0ea2f7031ac58ae00f518ec4157806c

    SHA256

    ccbead29a1e461d4984227024948529d26f7b1571138d40d2eda39d48b14f631

    SHA512

    fc5b47fdc35a5c9d2fdf59d6bd7b8a6d2c828afdc60b438b262685375ede760a07756a0e6b01c0a9cf8597bfdcf7bca5105b4c3b993df0ba03fef09077310f63

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9044539.exe
    Filesize

    175KB

    MD5

    232eade416b4996f22dfae09204bbf17

    SHA1

    4a9ea2daff6ac758b788028602dc9e91b61bcc42

    SHA256

    f9f6bace38b0664d809fc6e04bcb7d6771d8cb6a0a687d2778fb7e79579227cb

    SHA512

    ce578d1a99af608d01a6fc4886a2fe50bbedc922ef72f191f358e81d4d310849aeefcadb5f86d501624644e2bc28bf2281894fe5db4b4703eca5f0c260adce32

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4419345.exe
    Filesize

    136KB

    MD5

    19cadb7418df673617ea4db6774ce644

    SHA1

    dc453470fe7ea5b0f0f634e544df1114bd067714

    SHA256

    5d9db38d284fde4f32c7b4ce42faa068f6f09b9d6ebbbe7f3e3db4374a4bb18b

    SHA512

    b054fbb69d0aefb3d8a7a6368efb284a6f7a1c8f930cf8782e4282f6b2a71c5f45de62f7d1894b913bec95d374e63c02b99992f9a8e65d9b92e3d996322d3b01

    Download Submit

  • memory/1068-35-0x0000000002410000-0x0000000002422000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1068-29-0x0000000002410000-0x0000000002422000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1068-17-0x0000000004970000-0x0000000004F14000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1068-19-0x0000000002410000-0x0000000002428000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1068-18-0x0000000074930000-0x00000000750E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1068-27-0x0000000002410000-0x0000000002422000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1068-47-0x0000000002410000-0x0000000002422000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1068-48-0x0000000074930000-0x00000000750E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1068-45-0x0000000002410000-0x0000000002422000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1068-43-0x0000000002410000-0x0000000002422000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1068-41-0x0000000002410000-0x0000000002422000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1068-39-0x0000000002410000-0x0000000002422000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1068-37-0x0000000002410000-0x0000000002422000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1068-15-0x00000000022B0000-0x00000000022CA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1068-16-0x0000000074930000-0x00000000750E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1068-33-0x0000000002410000-0x0000000002422000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1068-21-0x0000000002410000-0x0000000002422000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1068-23-0x0000000002410000-0x0000000002422000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1068-31-0x0000000002410000-0x0000000002422000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1068-20-0x0000000002410000-0x0000000002422000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1068-25-0x0000000002410000-0x0000000002422000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1068-49-0x000000007493E000-0x000000007493F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1068-50-0x0000000074930000-0x00000000750E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1068-52-0x0000000074930000-0x00000000750E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1068-14-0x000000007493E000-0x000000007493F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3968-56-0x0000000000050000-0x0000000000078000-memory.dmp

    Filesize

    160KB

    Download

  • memory/3968-57-0x0000000007310000-0x0000000007928000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3968-58-0x0000000006DB0000-0x0000000006DC2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3968-59-0x0000000006EE0000-0x0000000006FEA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3968-60-0x0000000006E40000-0x0000000006E7C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3968-61-0x0000000004300000-0x000000000434C000-memory.dmp

    Filesize

    304KB

    Download