Overview

overview

10

Static

static

3

1b1f4e058b...0d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/11/2024, 23:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1b1f4e058b54db42aa44752c6d35162ffeed28d6395852cea5d818286d042e0d.exe

  • Size

    623KB

  • MD5

    50b4038bcff315ead7110357af847bed

  • SHA1

    39718716cb11fe705b508d00f919f1b844da1624

  • SHA256

    1b1f4e058b54db42aa44752c6d35162ffeed28d6395852cea5d818286d042e0d

  • SHA512

    de08badf708d77958e5fa9dc128273fa77f6bf3e610dcf9f1f5ce0092ed5d471f57f397a94acabd47c3c816e094a8dd945c9f06b858e9645ee678a32896cd4b1

  • SSDEEP

    12288:7y90k06ckSdJL3Pg8jLYJGH+K/H2BrfzWM22/isUhS2K3e1z:7yztWJLcJxK/W9fzL2VG0z

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b1f4e058b54db42aa44752c6d35162ffeed28d6395852cea5d818286d042e0d.exe
    "C:\Users\Admin\AppData\Local\Temp\1b1f4e058b54db42aa44752c6d35162ffeed28d6395852cea5d818286d042e0d.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3492
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihM3885.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihM3885.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3312
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it004455.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it004455.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1820
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr141949.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr141949.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1952

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihM3885.exe
    Filesize

    468KB

    MD5

    febb9517fde48c0cfc6e7a2e3fe70c8b

    SHA1

    f92e9278773f24d14b69a934ba24343dd8e3868e

    SHA256

    895aeca2af4eaabcb2672f47969c12bf235719a11eb58a9c91e5de05025b6f11

    SHA512

    0e58959df1497fc12dfca3ce847c1d738a8c52f960b9e63bfd1eaa690e7dc89dcdd545f91a1b784b4e6a90e4b67270a81e60546c05b429629da9f10414ed9576

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it004455.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr141949.exe
    Filesize

    488KB

    MD5

    bdef158ffecf80d323d199d9666038c5

    SHA1

    ed182852979da0278bd63248c7d1f3644d130376

    SHA256

    c948771fe4d5d9b190933c14b9909b7d31d436104050540620ec5b564fc0c079

    SHA512

    bdac033e7ef7768da59a3fbec15a4f1f47ffedc739328588721aa568f5d5f6e3c689cbc634b540554c17272b916908e351e0010a87cedd68c4050d45304a1edd

    Download Submit

  • memory/1820-14-0x00007FFCC5973000-0x00007FFCC5975000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1820-15-0x0000000000120000-0x000000000012A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1820-16-0x00007FFCC5973000-0x00007FFCC5975000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1952-60-0x0000000002990000-0x00000000029C5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1952-48-0x0000000002990000-0x00000000029C5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1952-24-0x0000000002990000-0x00000000029CA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/1952-78-0x0000000002990000-0x00000000029C5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1952-52-0x0000000002990000-0x00000000029C5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1952-86-0x0000000002990000-0x00000000029C5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1952-82-0x0000000002990000-0x00000000029C5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1952-80-0x0000000002990000-0x00000000029C5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1952-76-0x0000000002990000-0x00000000029C5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1952-74-0x0000000002990000-0x00000000029C5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1952-72-0x0000000002990000-0x00000000029C5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1952-70-0x0000000002990000-0x00000000029C5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1952-68-0x0000000002990000-0x00000000029C5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1952-66-0x0000000002990000-0x00000000029C5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1952-64-0x0000000002990000-0x00000000029C5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1952-62-0x0000000002990000-0x00000000029C5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1952-22-0x00000000025D0000-0x000000000260C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1952-58-0x0000000002990000-0x00000000029C5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1952-56-0x0000000002990000-0x00000000029C5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1952-54-0x0000000002990000-0x00000000029C5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1952-50-0x0000000002990000-0x00000000029C5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1952-23-0x0000000004FD0000-0x0000000005574000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1952-44-0x0000000002990000-0x00000000029C5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1952-42-0x0000000002990000-0x00000000029C5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1952-40-0x0000000002990000-0x00000000029C5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1952-88-0x0000000002990000-0x00000000029C5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1952-84-0x0000000002990000-0x00000000029C5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1952-46-0x0000000002990000-0x00000000029C5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1952-38-0x0000000002990000-0x00000000029C5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1952-36-0x0000000002990000-0x00000000029C5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1952-34-0x0000000002990000-0x00000000029C5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1952-32-0x0000000002990000-0x00000000029C5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1952-30-0x0000000002990000-0x00000000029C5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1952-28-0x0000000002990000-0x00000000029C5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1952-26-0x0000000002990000-0x00000000029C5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1952-25-0x0000000002990000-0x00000000029C5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1952-817-0x0000000007900000-0x0000000007F18000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1952-818-0x0000000007F90000-0x0000000007FA2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1952-819-0x0000000007FB0000-0x00000000080BA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1952-820-0x00000000080D0000-0x000000000810C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1952-821-0x00000000028E0000-0x000000000292C000-memory.dmp

    Filesize

    304KB

    Download