Analysis

  • max time kernel
    138s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-11-2024 01:44

General

  • Target

    25c6aca107ceb747763bb331b297a15750ecbc4bad01daa788e43c6af6ece9e1.exe

  • Size

    376KB

  • MD5

    f4632d0554b52c10926b0a47e6677fc2

  • SHA1

    24492a0bc5def56cb7ea620e6db4941eef32e3ed

  • SHA256

    25c6aca107ceb747763bb331b297a15750ecbc4bad01daa788e43c6af6ece9e1

  • SHA512

    765b9353d5119f4fcb06e3d02e62bcb9ebb1d7d6e09b0f6ca9a226c01ccd3629f830a9f6e1475ff987fad36e4213b14f5c8ce524ffd750c1a8e23715989da08c

  • SSDEEP

    6144:KSy+bnr+Gp0yN90QESAdtTgtiG6opOIOKfv04EcXM0Php+FE8yfQhqWAqWacIGK0:iMr+y908ArUtr7OKUmzhp+YYhqWARacL

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

  • Healer family
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\25c6aca107ceb747763bb331b297a15750ecbc4bad01daa788e43c6af6ece9e1.exe
    "C:\Users\Admin\AppData\Local\Temp\25c6aca107ceb747763bb331b297a15750ecbc4bad01daa788e43c6af6ece9e1.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4472
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2632558.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2632558.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2584
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8141651.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8141651.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4380
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1522924.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1522924.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4480
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:2468

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2632558.exe

    Filesize

    204KB

    MD5

    09b443cfc7943915e739ec0e7224b9dc

    SHA1

    afaeb63b9f1685d1df9332a09dfa591399e7ac63

    SHA256

    baa51ce5aa70db9da87c3665e2b0774d7e7179c66fb0335d0ba1289231e3bff5

    SHA512

    7886db84506ea521395dd0829a611e3a19a9c11b88c73bd567b18dfc7ee527a13b4be815085cd5b09b062d88327bf3a1e98afad8c6f9f65e91739d87e0c7f984

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8141651.exe

    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1522924.exe

    Filesize

    136KB

    MD5

    30d0ee0947be55272def37f502e40d83

    SHA1

    67dec087565870ddbba362f33bc909491d56f0d7

    SHA256

    876c00366d8cdda682030628307cbcbd8a90ffc831cb0176173207b36bf28514

    SHA512

    0b98ba7648398642441894a970d889d0d4769317531473def2decb847bdb9472b0b3671f96126ad7ad023d4a434cbcef8da7c8663df718dcf6ee3557874ad284

  • memory/4380-15-0x00000000007F0000-0x00000000007FA000-memory.dmp

    Filesize

    40KB

  • memory/4380-14-0x00007FF91E223000-0x00007FF91E225000-memory.dmp

    Filesize

    8KB

  • memory/4380-16-0x00007FF91E223000-0x00007FF91E225000-memory.dmp

    Filesize

    8KB

  • memory/4480-21-0x0000000000F30000-0x0000000000F58000-memory.dmp

    Filesize

    160KB

  • memory/4480-22-0x0000000008220000-0x0000000008838000-memory.dmp

    Filesize

    6.1MB

  • memory/4480-23-0x0000000007C90000-0x0000000007CA2000-memory.dmp

    Filesize

    72KB

  • memory/4480-24-0x0000000007DC0000-0x0000000007ECA000-memory.dmp

    Filesize

    1.0MB

  • memory/4480-25-0x0000000007CF0000-0x0000000007D2C000-memory.dmp

    Filesize

    240KB

  • memory/4480-26-0x0000000005270000-0x00000000052BC000-memory.dmp

    Filesize

    304KB