Overview

overview

10

Static

static

3

b846c352bf...4e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/11/2024, 21:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b846c352bfa28cc9ed2a43e9c414329618c35a7a37a1d83886eba0b72cb6544e.exe

  • Size

    566KB

  • MD5

    3dd8a7ba2e673eb3688b0df931c8df73

  • SHA1

    05c40227606da454d0866a54059d0e25832d719f

  • SHA256

    b846c352bfa28cc9ed2a43e9c414329618c35a7a37a1d83886eba0b72cb6544e

  • SHA512

    155142a8d24d2b432f5e228648aa84fde503699550e046a7c66844c825f6403fbdc3447891926b4209d4925b1c6fb595f7c84af5bdd75d9e0cde09feec14fc99

  • SSDEEP

    12288:Dy90DndBEKygGp11xTDYJjJyd+PqDF9mi6ZlxywiYtLDMKS8z5vt4c:Dyo/GR1kns0q59mimlwu/r9t4c

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b846c352bfa28cc9ed2a43e9c414329618c35a7a37a1d83886eba0b72cb6544e.exe
    "C:\Users\Admin\AppData\Local\Temp\b846c352bfa28cc9ed2a43e9c414329618c35a7a37a1d83886eba0b72cb6544e.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zicN6368.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zicN6368.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3160
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it960235.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it960235.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1600
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp289650.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp289650.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2696

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zicN6368.exe
    Filesize

    412KB

    MD5

    ae351e5ed25a6ef9adf8894d11c9588e

    SHA1

    b40369115827dbd532b34e33155363f5d43f7942

    SHA256

    bbeb19b2ad769f787eb05f72f474d2e6c689befedd20398d5ed6293129131829

    SHA512

    640fbbfc4827c66c962a5847f0cc389911c3014e7bda4959261b94154aea766144c63f5089a595aa1a7649feb42368fc4007fb18ca28130311ea647214abdd09

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it960235.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp289650.exe
    Filesize

    368KB

    MD5

    87af506940105e8a9c1b9194644fee16

    SHA1

    c9ce71bad9b4362629c661619adb549de060c0b6

    SHA256

    d1c7b58da9def485e2ca734cd3930c0b763840cfee77bdff596730cbf92599ec

    SHA512

    bacae8ba1d3a33c804714b01b5d990921813fbc9da644c3837e3fd156d23226b42299ef625a199c1c93fc48936e65645b828a4518760c3deff24d4d913fca421

    Download Submit

  • memory/1600-14-0x00007FFA46CF3000-0x00007FFA46CF5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1600-15-0x0000000000DF0000-0x0000000000DFA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1600-16-0x00007FFA46CF3000-0x00007FFA46CF5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2696-64-0x0000000007760000-0x0000000007795000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2696-52-0x0000000007760000-0x0000000007795000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2696-24-0x0000000007760000-0x000000000779A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2696-32-0x0000000007760000-0x0000000007795000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2696-38-0x0000000007760000-0x0000000007795000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2696-36-0x0000000007760000-0x0000000007795000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2696-34-0x0000000007760000-0x0000000007795000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2696-88-0x0000000007760000-0x0000000007795000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2696-86-0x0000000007760000-0x0000000007795000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2696-84-0x0000000007760000-0x0000000007795000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2696-82-0x0000000007760000-0x0000000007795000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2696-78-0x0000000007760000-0x0000000007795000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2696-76-0x0000000007760000-0x0000000007795000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2696-72-0x0000000007760000-0x0000000007795000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2696-68-0x0000000007760000-0x0000000007795000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2696-66-0x0000000007760000-0x0000000007795000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2696-22-0x0000000007110000-0x000000000714C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2696-62-0x0000000007760000-0x0000000007795000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2696-60-0x0000000007760000-0x0000000007795000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2696-58-0x0000000007760000-0x0000000007795000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2696-54-0x0000000007760000-0x0000000007795000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2696-23-0x0000000007150000-0x00000000076F4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2696-51-0x0000000007760000-0x0000000007795000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2696-46-0x0000000007760000-0x0000000007795000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2696-44-0x0000000007760000-0x0000000007795000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2696-42-0x0000000007760000-0x0000000007795000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2696-40-0x0000000007760000-0x0000000007795000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2696-80-0x0000000007760000-0x0000000007795000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2696-74-0x0000000007760000-0x0000000007795000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2696-70-0x0000000007760000-0x0000000007795000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2696-56-0x0000000007760000-0x0000000007795000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2696-48-0x0000000007760000-0x0000000007795000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2696-30-0x0000000007760000-0x0000000007795000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2696-28-0x0000000007760000-0x0000000007795000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2696-26-0x0000000007760000-0x0000000007795000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2696-25-0x0000000007760000-0x0000000007795000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2696-817-0x0000000009C90000-0x000000000A2A8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2696-818-0x000000000A350000-0x000000000A362000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2696-819-0x000000000A370000-0x000000000A47A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2696-820-0x000000000A490000-0x000000000A4CC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2696-821-0x0000000006C20000-0x0000000006C6C000-memory.dmp

    Filesize

    304KB

    Download