Overview

overview

10

Static

static

3

a41b73125a...d5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/11/2024, 23:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a41b73125af3e316b1b17ca9c983855e0c7a3e476fc4e4bf968a66766c421fd5.exe

  • Size

    651KB

  • MD5

    3a75b7a66af3740841285801bb74d5e0

  • SHA1

    30f77ab2dae158835e305ecf6ec1c6dddc72e3a6

  • SHA256

    a41b73125af3e316b1b17ca9c983855e0c7a3e476fc4e4bf968a66766c421fd5

  • SHA512

    4261d14bf28bf0db5712eec5fc0f284fff029d88a5623b8551ca438d0dece98f7b67d52324ae55ea6a536b5fca29884229382c46f0ec9d52fac20c0b4e7fd52e

  • SSDEEP

    12288:iy90THvAKQAXFP0z7+jPmGTnKNDNsqLvzLOkDrohS4:iyWLQAVP86jPYNhL3xr4

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 21 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a41b73125af3e316b1b17ca9c983855e0c7a3e476fc4e4bf968a66766c421fd5.exe
    "C:\Users\Admin\AppData\Local\Temp\a41b73125af3e316b1b17ca9c983855e0c7a3e476fc4e4bf968a66766c421fd5.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st463240.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st463240.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4496
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\36428114.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\36428114.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3596
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp063782.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp063782.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3660

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st463240.exe
    Filesize

    497KB

    MD5

    4374af2b537386531f5bba398310a919

    SHA1

    0cd4261223a16783b64b9e6f455727aec0bc9186

    SHA256

    d1c4024220fc06430dc6daead6f936222957b61cb49c47663ac0d311d3b737a6

    SHA512

    e6741289ea5bd08c395707fafb9723fbbbdd836fef1102ef55db87cd1e2de022283adbe6f715b3ff09bb48175295101c4f3eda38155662b7f6aa04b905eba9df

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\36428114.exe
    Filesize

    175KB

    MD5

    a165b5f6b0a4bdf808b71de57bf9347d

    SHA1

    39a7b301e819e386c162a47e046fa384bb5ab437

    SHA256

    68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a

    SHA512

    3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp063782.exe
    Filesize

    341KB

    MD5

    e0a1723a90963f46c437345c198aa509

    SHA1

    a717e506ddcc5d079647ac38341ce6d397a9593c

    SHA256

    3ec30610e0c9c560ea5d7c3ffb8b34bd56b9cd1c70a742c0096f92a16ac97d86

    SHA512

    27c6fa10c0333a94f22c213a15d09b1443368705716b7de7a4157d4c44a4eda33cdca7be5102a57cc8b30bc94cc244e7d0eb37c1323cf69adcd13fd1331a7bab

    Download Submit

  • memory/3596-51-0x00000000740D0000-0x0000000074880000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3596-16-0x00000000740D0000-0x0000000074880000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3596-17-0x0000000004B50000-0x00000000050F4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3596-18-0x0000000002540000-0x0000000002558000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3596-30-0x0000000002540000-0x0000000002553000-memory.dmp

    Filesize

    76KB

    Download

  • memory/3596-46-0x0000000002540000-0x0000000002553000-memory.dmp

    Filesize

    76KB

    Download

  • memory/3596-44-0x0000000002540000-0x0000000002553000-memory.dmp

    Filesize

    76KB

    Download

  • memory/3596-42-0x0000000002540000-0x0000000002553000-memory.dmp

    Filesize

    76KB

    Download

  • memory/3596-40-0x0000000002540000-0x0000000002553000-memory.dmp

    Filesize

    76KB

    Download

  • memory/3596-38-0x0000000002540000-0x0000000002553000-memory.dmp

    Filesize

    76KB

    Download

  • memory/3596-36-0x0000000002540000-0x0000000002553000-memory.dmp

    Filesize

    76KB

    Download

  • memory/3596-34-0x0000000002540000-0x0000000002553000-memory.dmp

    Filesize

    76KB

    Download

  • memory/3596-32-0x0000000002540000-0x0000000002553000-memory.dmp

    Filesize

    76KB

    Download

  • memory/3596-24-0x0000000002540000-0x0000000002553000-memory.dmp

    Filesize

    76KB

    Download

  • memory/3596-22-0x0000000002540000-0x0000000002553000-memory.dmp

    Filesize

    76KB

    Download

  • memory/3596-20-0x0000000002540000-0x0000000002553000-memory.dmp

    Filesize

    76KB

    Download

  • memory/3596-19-0x0000000002540000-0x0000000002553000-memory.dmp

    Filesize

    76KB

    Download

  • memory/3596-28-0x0000000002540000-0x0000000002553000-memory.dmp

    Filesize

    76KB

    Download

  • memory/3596-26-0x0000000002540000-0x0000000002553000-memory.dmp

    Filesize

    76KB

    Download

  • memory/3596-47-0x00000000740D0000-0x0000000074880000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3596-48-0x00000000740DE000-0x00000000740DF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3596-49-0x00000000740D0000-0x0000000074880000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3596-15-0x00000000021A0000-0x00000000021BA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3596-14-0x00000000740DE000-0x00000000740DF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3660-61-0x0000000002700000-0x0000000002735000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3660-56-0x00000000022A0000-0x00000000022DC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3660-63-0x0000000002700000-0x0000000002735000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3660-91-0x0000000002700000-0x0000000002735000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3660-89-0x0000000002700000-0x0000000002735000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3660-87-0x0000000002700000-0x0000000002735000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3660-83-0x0000000002700000-0x0000000002735000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3660-81-0x0000000002700000-0x0000000002735000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3660-79-0x0000000002700000-0x0000000002735000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3660-77-0x0000000002700000-0x0000000002735000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3660-73-0x0000000002700000-0x0000000002735000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3660-71-0x0000000002700000-0x0000000002735000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3660-69-0x0000000002700000-0x0000000002735000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3660-67-0x0000000002700000-0x0000000002735000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3660-65-0x0000000002700000-0x0000000002735000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3660-93-0x0000000002700000-0x0000000002735000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3660-85-0x0000000002700000-0x0000000002735000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3660-75-0x0000000002700000-0x0000000002735000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3660-57-0x0000000002700000-0x000000000273A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3660-59-0x0000000002700000-0x0000000002735000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3660-58-0x0000000002700000-0x0000000002735000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3660-850-0x0000000007570000-0x0000000007B88000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3660-851-0x0000000007BF0000-0x0000000007C02000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3660-852-0x0000000007C10000-0x0000000007D1A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3660-853-0x0000000007D30000-0x0000000007D6C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3660-854-0x0000000007DB0000-0x0000000007DFC000-memory.dmp

    Filesize

    304KB

    Download