Overview

overview

10

Static

static

3

d5fc66404d...90.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/11/2024, 22:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d5fc66404d5a010d47b2d59ca29014d7fcbc92c0c5b3d2f68d7f94b7b91ccf90.exe

  • Size

    696KB

  • MD5

    d62de16d2f4fa3a8e9930da9ef0bf025

  • SHA1

    69f8afe82e08a4fe9fb54fca4707293629a875b6

  • SHA256

    d5fc66404d5a010d47b2d59ca29014d7fcbc92c0c5b3d2f68d7f94b7b91ccf90

  • SHA512

    5cb4eaa413c7b7e01129f786dd7e41b4735d65c673f5c7768869328c56ce5786c684ba3c954e5403d43830cf8f33a2556f0a4ff4fee6380dc17b7c405ca64e23

  • SSDEEP

    12288:Uy90mqH/u1c5v4mmG3LmXPq0CvAjmBjdFRYU48dHV1Zd6760uaOyyxJYiJ3+x:UyXqH/6cxkG3aXPqiijaUXLM760Pyxub

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d5fc66404d5a010d47b2d59ca29014d7fcbc92c0c5b3d2f68d7f94b7b91ccf90.exe
    "C:\Users\Admin\AppData\Local\Temp\d5fc66404d5a010d47b2d59ca29014d7fcbc92c0c5b3d2f68d7f94b7b91ccf90.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4432
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un652850.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un652850.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4208
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04753060.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04753060.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2720
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 1084
          4⤵
          • Program crash
          PID:3836
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk083375.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk083375.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2120
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2720 -ip 2720
    1⤵
      PID:3732

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un652850.exe
      Filesize

      543KB

      MD5

      1852a138133837efab6d0fbffc7b3d57

      SHA1

      a83b9eb0ea88310e081fc15758b1853eda765efd

      SHA256

      00ec5e038b09b8a9b9f9473eb01c905fac4040b05c0fa2088ff554b47abdc8df

      SHA512

      90fea202fe5a19e4b5032b383ba0adc3d00b7fa0e233c121cfe4d14226fef4c0ffb979a9d8d22b8042b3a1069d0c76847463a645e3189551816445b22bd3daaa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04753060.exe
      Filesize

      263KB

      MD5

      0b26ecec37f9b8137528342a18380ace

      SHA1

      bf7b26e55c23153e84bbfe64cbe52534400d7b99

      SHA256

      f081931ffe7d921a4c575dc86826b0dde3deba6a79a2ea17f446a1c4b5090d9d

      SHA512

      fb4ee9f145d54055103198f3cda84965aa7fbcc38b5f08aa027bfc794bc21de945be852d239ce251f9bc72520d8e3712860ee505c9784c9a85fafbdba2f74e2c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk083375.exe
      Filesize

      328KB

      MD5

      6ddc47760f1889b08c630f4d091d38f1

      SHA1

      f17c7e3ba402dac39f68052f9f19b951dc0ac1f0

      SHA256

      4670b324e40b23f3987e69bfa1764ec3ddfb39e91cd55e371ec040baa69a29d4

      SHA512

      774fc57157a025afdb1e06dd3f3eb45699be592d09ad21e392f8d3d2cfe5d27175cde1b3cec748a1dd19325e9fb0811fb9189eef82a9feb93ce93615fca0ac5e

      Download Submit

    • memory/2120-73-0x0000000004B80000-0x0000000004BB5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2120-79-0x0000000004B80000-0x0000000004BB5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2120-855-0x000000000A330000-0x000000000A342000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2120-854-0x0000000009C70000-0x000000000A288000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2120-62-0x0000000004B80000-0x0000000004BB5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2120-63-0x0000000004B80000-0x0000000004BB5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2120-65-0x0000000004B80000-0x0000000004BB5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2120-67-0x0000000004B80000-0x0000000004BB5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2120-87-0x0000000004B80000-0x0000000004BB5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2120-69-0x0000000004B80000-0x0000000004BB5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2120-857-0x000000000A470000-0x000000000A4AC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2120-858-0x0000000004C20000-0x0000000004C6C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2120-77-0x0000000004B80000-0x0000000004BB5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2120-856-0x000000000A350000-0x000000000A45A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2120-81-0x0000000004B80000-0x0000000004BB5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2120-83-0x0000000004B80000-0x0000000004BB5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2120-85-0x0000000004B80000-0x0000000004BB5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2120-89-0x0000000004B80000-0x0000000004BB5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2120-91-0x0000000004B80000-0x0000000004BB5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2120-93-0x0000000004B80000-0x0000000004BB5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2120-95-0x0000000004B80000-0x0000000004BB5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2120-75-0x0000000004B80000-0x0000000004BB5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2120-71-0x0000000004B80000-0x0000000004BB5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2120-61-0x0000000004B80000-0x0000000004BBA000-memory.dmp

      Filesize

      232KB

      Download

    • memory/2120-60-0x00000000049C0000-0x00000000049FC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2720-38-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2720-54-0x0000000000400000-0x0000000002B99000-memory.dmp

      Filesize

      39.6MB

      Download

    • memory/2720-55-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2720-51-0x0000000000400000-0x0000000002B99000-memory.dmp

      Filesize

      39.6MB

      Download

    • memory/2720-52-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2720-50-0x0000000002D00000-0x0000000002D2D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2720-49-0x0000000002D80000-0x0000000002E80000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2720-22-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2720-24-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2720-21-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2720-26-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2720-28-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2720-30-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2720-32-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2720-34-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2720-36-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2720-40-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2720-42-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2720-46-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2720-48-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2720-44-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2720-20-0x0000000004BD0000-0x0000000004BE8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2720-19-0x0000000007320000-0x00000000078C4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2720-18-0x0000000004A10000-0x0000000004A2A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2720-17-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2720-16-0x0000000002D00000-0x0000000002D2D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2720-15-0x0000000002D80000-0x0000000002E80000-memory.dmp

      Filesize

      1024KB

      Download