Overview

overview

10

Static

static

3

8a752dc43e...47.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/11/2024, 14:12

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    8a752dc43e43a06fe6b70d54d6efc676e2341624a3fea10d59496b2512e69c47.exe

  • Size

    1.5MB

  • MD5

    e6aa2a4dd80bacd7245122be9f1716c2

  • SHA1

    36c2b0852c84afbd6d1ac250b9b565151e9f6e7a

  • SHA256

    8a752dc43e43a06fe6b70d54d6efc676e2341624a3fea10d59496b2512e69c47

  • SHA512

    812cf73888be745a7cd7f5a3013a374c56d06171d7db68ba819e12bf447a8ee495c02fb23984fb6c0beb327a0cf02542f11ea99a5a6fabf7b551b1428f61a309

  • SSDEEP

    49152:j7dfVh6DCrTAQUfre00BrJHGut/rhU8Q:3RV8WrLKre0gH/jhU8

Score
10/10
healerredlinemazdadiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

mazda

C2

217.196.96.56:4138

Attributes
  • auth_value

    3d2870537d84a4c6d7aeecd002871c51

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a752dc43e43a06fe6b70d54d6efc676e2341624a3fea10d59496b2512e69c47.exe
    "C:\Users\Admin\AppData\Local\Temp\8a752dc43e43a06fe6b70d54d6efc676e2341624a3fea10d59496b2512e69c47.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3412
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5946676.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5946676.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3240
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9215542.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9215542.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1980
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3185907.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3185907.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4668
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5349501.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5349501.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4424
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8276274.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8276274.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4476
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1080
                7⤵
                • Program crash
                PID:4268
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1741150.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1741150.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:516
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4476 -ip 4476
    1⤵
      PID:2428

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5946676.exe
            Filesize

            1.4MB

            MD5

            34675e0740d16ae60b2bd1541cd8b6e6

            SHA1

            8db2b10c23066a89cdfab9bc8cba5e6c04a054c9

            SHA256

            57fc3a6b71a3cf2291950429b2aadfae1c2b6e826784a7562653e5f59f8440ec

            SHA512

            bda63ed7070a887c6587ba6124073ed50eb42772a7f1910ee9519f68c55da5a224d5f554001fee37f917e5f8835a4d0588c292a445bc3644d9b6b348704e3cd3

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9215542.exe
            Filesize

            915KB

            MD5

            1c754bd5d2a2762d74a1b6f3d5497626

            SHA1

            69a8e327e3d357ae53383446a8178a32d76c60ac

            SHA256

            c6b7533038f63cdf4beac40648a6396ae1f6fbe3511235030e1e0d523ea7cf2f

            SHA512

            c2264dc01bee62dcd1555852aa32981132bf12918f40116965d78dd856daf0d1743b64e98faaf609d9c246c6f4260594d6e593d57b53d5ed72ef4587d2a8b98b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3185907.exe
            Filesize

            711KB

            MD5

            cf82b4929d8037aa89b1056fd3f1fe91

            SHA1

            1d78b88813d833b5778c9c73a346e8f9614ad497

            SHA256

            4c31f1f6911ae1cf932478d9ecc3783603a0a9e475de2be48cab91ee58038529

            SHA512

            dbd246dfe6d59a8bc652ca7560189e10508ee0f172b4279fb9612fc07a1943101ba44165207bf38791c95b532f258c701097098146d3d5bd6fa484121a48ccbb

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5349501.exe
            Filesize

            416KB

            MD5

            0c55fce769ed9cab0197ccb1e60042f3

            SHA1

            764be7c1b94909f1ae95dfe9549ed918b84fc26c

            SHA256

            575901438f8b32c4dba176c8d1d2978a74515cca09d1421d37d5b30f71b94545

            SHA512

            3831fd6c10b81afdc58ac3bac3b635235c6916d6da3453a6aabf616609b00978133b9e2232ee04bce2b98f1696772d43c364c5ce1df76c8c910021f763a4d977

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8276274.exe
            Filesize

            360KB

            MD5

            04072c1b1231c5dea0be45ce2a3485cb

            SHA1

            cb1d22c148ab8ea15fdafa9cc073b0da5feb7202

            SHA256

            3990e5e2ba5e62328ea57f13fb5067f330d20b5e331af2c6b0140118241f1a0e

            SHA512

            af8104f8260b71d7ef15e6972b8ca6f7e35ac7174614b47496aac55f708c768b01d3e7992061b3069760147cc3d8418f8ebec47749aab8a662f90507184c3f22

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1741150.exe
            Filesize

            168KB

            MD5

            7b6b1bd82e0be5cf8add126ac9f7e0d1

            SHA1

            2f0716bfe728ee8ea0355c4dcbb26b623353b4a5

            SHA256

            64760db4612df11a5874498b75b475e9de796928abf6a03c5300ec1085bdccb7

            SHA512

            7d8e9e2c861eb2e69d3939886d33059ae3215ad63c25e1ffdc102468e705db5a852159ccc579aa6c188c8cdaa1816e46acd74d2e253f034773870e132e83fb0d

            Download Submit

          • memory/516-78-0x0000000004D70000-0x0000000004DAC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/516-76-0x0000000004DE0000-0x0000000004EEA000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/516-77-0x0000000004D10000-0x0000000004D22000-memory.dmp

            Filesize

            72KB

            Download

          • memory/516-75-0x0000000005290000-0x00000000058A8000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/516-74-0x0000000000A90000-0x0000000000A96000-memory.dmp

            Filesize

            24KB

            Download

          • memory/516-73-0x0000000000250000-0x0000000000280000-memory.dmp

            Filesize

            192KB

            Download

          • memory/516-79-0x0000000004EF0000-0x0000000004F3C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/4476-52-0x0000000002530000-0x0000000002542000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4476-40-0x0000000002530000-0x0000000002542000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4476-54-0x0000000002530000-0x0000000002542000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4476-58-0x0000000002530000-0x0000000002542000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4476-50-0x0000000002530000-0x0000000002542000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4476-48-0x0000000002530000-0x0000000002542000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4476-46-0x0000000002530000-0x0000000002542000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4476-44-0x0000000002530000-0x0000000002542000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4476-39-0x0000000002530000-0x0000000002542000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4476-56-0x0000000002530000-0x0000000002542000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4476-67-0x0000000000400000-0x00000000006F4000-memory.dmp

            Filesize

            3.0MB

            Download

          • memory/4476-69-0x0000000000400000-0x00000000006F4000-memory.dmp

            Filesize

            3.0MB

            Download

          • memory/4476-60-0x0000000002530000-0x0000000002542000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4476-62-0x0000000002530000-0x0000000002542000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4476-65-0x0000000002530000-0x0000000002542000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4476-66-0x0000000002530000-0x0000000002542000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4476-42-0x0000000002530000-0x0000000002542000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4476-38-0x0000000002530000-0x0000000002548000-memory.dmp

            Filesize

            96KB

            Download

          • memory/4476-37-0x0000000004DD0000-0x0000000005374000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/4476-36-0x0000000002500000-0x000000000251A000-memory.dmp

            Filesize

            104KB

            Download