Overview

overview

10

Static

static

3

bed14ee7d0...22.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/11/2024, 10:38

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    bed14ee7d04f53587860d7f6309f683d0f62fe9b3d5055c5d8af670f7f458822.exe

  • Size

    1.5MB

  • MD5

    e25393e886ded632f260449b651cca61

  • SHA1

    f4f50064aec9e58596956cd73a257b8035285208

  • SHA256

    bed14ee7d04f53587860d7f6309f683d0f62fe9b3d5055c5d8af670f7f458822

  • SHA512

    0890d014ec77a29f8f640f4e8cab41ad54618bd91570af1735aba2f074e495d03f0a7c3dd65604a06ee29bc80e8f45ac79d284da507d2812ea62b7c2dfc74221

  • SSDEEP

    24576:MyQbBSZV5KOjJECRQCMPzdeWfKe7wC8KuqsxAh/QRDbBIWBz/qMRrXXgfp:7uBmF2CKfGeElYsihIFbH7Uf

Score
10/10
healerredlinemazdadiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

mazda

C2

217.196.96.56:4138

Attributes
  • auth_value

    3d2870537d84a4c6d7aeecd002871c51

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bed14ee7d04f53587860d7f6309f683d0f62fe9b3d5055c5d8af670f7f458822.exe
    "C:\Users\Admin\AppData\Local\Temp\bed14ee7d04f53587860d7f6309f683d0f62fe9b3d5055c5d8af670f7f458822.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4820
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1633024.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1633024.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4468
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9578073.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9578073.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1360
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8008408.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8008408.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2804
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8100721.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8100721.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1996
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7853769.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7853769.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1552
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 1100
                7⤵
                • Program crash
                PID:3336
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3704795.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3704795.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:456
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1552 -ip 1552
    1⤵
      PID:2224

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1633024.exe
            Filesize

            1.4MB

            MD5

            5abc601d2ee725088a4ae3a1e995e98b

            SHA1

            b7272b7999f0ddc2bfd1829fee56daa52289afc2

            SHA256

            7fa64de79cfab8657c6164b3de67b9c2b7b7c89dfdff6d9348a7ebf559d2858b

            SHA512

            c58e192ef8bf19814eb728b9b5cfb0a2ccaba79af9982c586f0a1a31062effa5ece3b46502e98ca055426fb12595655f38b5212ff051262e8abdb99e9c3f0684

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9578073.exe
            Filesize

            911KB

            MD5

            3e3139f4da2a234d7120e8ef8ad0475d

            SHA1

            2861f6a75d62aece510d48254d8eafe30501d82f

            SHA256

            68bb74038b839727f4587e603dccf47cc46ed1f9dba5b0e770db622bca7510f3

            SHA512

            9578d7df621dde644ae13171935be9e3e6c84566473a9d2844afe566a5633a545ce3a3ec246038e1d155edf505f3adf3cdc1e027d8e7212fdffb843b440ccd7d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8008408.exe
            Filesize

            707KB

            MD5

            905137e1d7093cad82b75f7e4baac46c

            SHA1

            4d38c726d1febc316180a128d912f01558dca5d4

            SHA256

            6f1f14f989584bf5294aaa4baa3408de0af42e1addd98ef0f113ef0080576751

            SHA512

            3495995b7c01302d7d927351901014fc7f709b2cd0b8a52cdb0a83508294a769ac4750b75724229f51269f7a1890cb492052954b3c24bc65512335bbc8747852

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8100721.exe
            Filesize

            416KB

            MD5

            effb6ff5af3f90e73b5921ec2a6cf227

            SHA1

            5530ba2a15693515a94d2f01dcb50261ac6819fa

            SHA256

            1d0ab7d58041ed4b4da2595a56c2c2499e74976144a53e62abf1a13ab7805ff6

            SHA512

            620be5632ef4647a1fe7d8c089cb1851d5632584195b1fdfaac67661c2fc82510fff69f64efd182dfcd980feb1628fa14327d5af2593fc071744e513c29dd90f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7853769.exe
            Filesize

            360KB

            MD5

            592b18a167252f7b7178c4ca0fbb4671

            SHA1

            2d2b8146e5d48e96df623e5fa548b607cd21c3ef

            SHA256

            d548bdff6c18a3db50508d32e068fa080a83281580da224601ca817efe493bd6

            SHA512

            2afcd652f7666303ee4cf188f4d76975dec6b6d65cdd4c8507fc9582e0939a492d5f33babb677f949020b5c9986129666ee7d76fee9928ea74046a71e710cdae

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3704795.exe
            Filesize

            168KB

            MD5

            3034658bd18551ca968af89c0a3983d3

            SHA1

            ed9890bd1556ec3d6208ac9265a55c8cff42ef0a

            SHA256

            73ce7b7c975962568ffd62dc66787caabb28ce01621de3bf5fa938f237c66f19

            SHA512

            49d7a154a55f215f5b5706603205e7189d414c9f9c23b4966bab15b69dead2044a6e7a8740b845e1a19d47ae9baddfcc01abc6cc88034bc8d158a8f58b4be77f

            Download Submit

          • memory/456-78-0x000000000AD60000-0x000000000AD9C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/456-77-0x000000000AD00000-0x000000000AD12000-memory.dmp

            Filesize

            72KB

            Download

          • memory/456-76-0x000000000ADD0000-0x000000000AEDA000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/456-75-0x000000000B260000-0x000000000B878000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/456-74-0x0000000003110000-0x0000000003116000-memory.dmp

            Filesize

            24KB

            Download

          • memory/456-73-0x0000000000F60000-0x0000000000F90000-memory.dmp

            Filesize

            192KB

            Download

          • memory/456-79-0x0000000005150000-0x000000000519C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/1552-52-0x0000000004C90000-0x0000000004CA2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1552-40-0x0000000004C90000-0x0000000004CA2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1552-55-0x0000000004C90000-0x0000000004CA2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1552-58-0x0000000004C90000-0x0000000004CA2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1552-50-0x0000000004C90000-0x0000000004CA2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1552-48-0x0000000004C90000-0x0000000004CA2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1552-46-0x0000000004C90000-0x0000000004CA2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1552-44-0x0000000004C90000-0x0000000004CA2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1552-42-0x0000000004C90000-0x0000000004CA2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1552-56-0x0000000004C90000-0x0000000004CA2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1552-67-0x0000000000400000-0x00000000006F4000-memory.dmp

            Filesize

            3.0MB

            Download

          • memory/1552-69-0x0000000000400000-0x00000000006F4000-memory.dmp

            Filesize

            3.0MB

            Download

          • memory/1552-60-0x0000000004C90000-0x0000000004CA2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1552-62-0x0000000004C90000-0x0000000004CA2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1552-64-0x0000000004C90000-0x0000000004CA2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1552-66-0x0000000004C90000-0x0000000004CA2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1552-39-0x0000000004C90000-0x0000000004CA2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1552-38-0x0000000004C90000-0x0000000004CA8000-memory.dmp

            Filesize

            96KB

            Download

          • memory/1552-37-0x0000000004D10000-0x00000000052B4000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/1552-36-0x0000000002370000-0x000000000238A000-memory.dmp

            Filesize

            104KB

            Download