Overview

overview

10

Static

static

3

5e2e7772e0...3f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/11/2024, 21:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5e2e7772e09b99431a0d7eb7bd29cf5a8ef3a2adaa5c516369b8138d8bf5633f.exe

  • Size

    480KB

  • MD5

    546b06204fe2d4787f6dd9d09e821d86

  • SHA1

    fc26c671dad2d0dd1a905cef62b12debbfacc3e3

  • SHA256

    5e2e7772e09b99431a0d7eb7bd29cf5a8ef3a2adaa5c516369b8138d8bf5633f

  • SHA512

    6c2807c9df5868a0dc7b0ddc3488efb10de4728e7d85ed893e8c453a1355df8e6b7c74d492e49d47b2f8ef353c9a9337af377a587e4c7f8141c3d21719bcc009

  • SSDEEP

    12288:+MrBy90cw5m7cGx0YvHJN+vyUXW3v8SfzM:Py8mzx0mHJ4vxXOv8b

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e2e7772e09b99431a0d7eb7bd29cf5a8ef3a2adaa5c516369b8138d8bf5633f.exe
    "C:\Users\Admin\AppData\Local\Temp\5e2e7772e09b99431a0d7eb7bd29cf5a8ef3a2adaa5c516369b8138d8bf5633f.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1224
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5269729.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5269729.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4376
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4282236.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4282236.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1648
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6605030.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6605030.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3564

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5269729.exe
    Filesize

    308KB

    MD5

    ad416a7ee946e5d6b478b63578ce0a58

    SHA1

    f38c433caf76a4b75c7c3241bb8a9c72dcd263c9

    SHA256

    22c21df84a279f21ddbfd50db215b4274e79f15807f1cfc162abc9b5d8bad362

    SHA512

    52e97125cdc1e0afbd0d558ee4ebf20ad4df416229850c22ad12014ef72a70bac2cedbd277c8bbdeffa931105996d248967078bfdf173c121b23ac9481ca5c42

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4282236.exe
    Filesize

    175KB

    MD5

    27b270e8a632719384a0c25ef020f158

    SHA1

    b6b4269086e84e557e8a233936ce19a8a8dab8b5

    SHA256

    1b2b9b6631b1c56ef9f42379db15a90a8ed2d7923039921a493e598464ae4e6d

    SHA512

    050b5beed1a8085938b17f3e134dec787ded53e8c332408b5b3dbf5571764bc34c4ab725d9d09eed5dca9bed973d196444eb849c7af54bf220cfdc6847443124

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6605030.exe
    Filesize

    136KB

    MD5

    e3a506453dabc9dc71d94562fe5b8c71

    SHA1

    dba8e3994051476d70010b113c042e31c849c196

    SHA256

    aa5dec3954d44a5d913399d4cfb8c1f9a9a06c484e3c6b33e3c08f94d1ac2e51

    SHA512

    6b2b9e84e891d5a2e91b5c4711755a14365fd9b2710102089152d7d81231f1e51e216869c9aeda747238fca027143948ff78275d006df4b58eac5b425b5a81dd

    Download Submit

  • memory/1648-33-0x0000000002510000-0x0000000002522000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1648-21-0x0000000002510000-0x0000000002522000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1648-17-0x0000000004AF0000-0x0000000005094000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1648-18-0x0000000002510000-0x0000000002528000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1648-19-0x0000000073D50000-0x0000000074500000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1648-39-0x0000000002510000-0x0000000002522000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1648-47-0x0000000002510000-0x0000000002522000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1648-48-0x0000000073D50000-0x0000000074500000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1648-45-0x0000000002510000-0x0000000002522000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1648-43-0x0000000002510000-0x0000000002522000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1648-41-0x0000000002510000-0x0000000002522000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1648-37-0x0000000002510000-0x0000000002522000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1648-35-0x0000000002510000-0x0000000002522000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1648-15-0x0000000000920000-0x000000000093A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1648-16-0x0000000073D50000-0x0000000074500000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1648-31-0x0000000002510000-0x0000000002522000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1648-29-0x0000000002510000-0x0000000002522000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1648-20-0x0000000002510000-0x0000000002522000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1648-27-0x0000000002510000-0x0000000002522000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1648-25-0x0000000002510000-0x0000000002522000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1648-23-0x0000000002510000-0x0000000002522000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1648-49-0x0000000073D5E000-0x0000000073D5F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1648-50-0x0000000073D50000-0x0000000074500000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1648-52-0x0000000073D50000-0x0000000074500000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1648-14-0x0000000073D5E000-0x0000000073D5F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3564-56-0x0000000000180000-0x00000000001A8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/3564-57-0x00000000074A0000-0x0000000007AB8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3564-58-0x0000000006EE0000-0x0000000006EF2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3564-59-0x0000000007010000-0x000000000711A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3564-60-0x0000000006F40000-0x0000000006F7C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3564-61-0x00000000043F0000-0x000000000443C000-memory.dmp

    Filesize

    304KB

    Download