Overview

overview

10

Static

static

3

4bed836e4f...4f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-11-2024 15:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4bed836e4f5f59c86c158306b480272f52579e521ad189a60adfaf1d996cf34f.exe

  • Size

    1.5MB

  • MD5

    82c82b64cba63729b1fecf9eb2b695dd

  • SHA1

    667944ae5984746492aef7c53a3079c4f6f4c8ea

  • SHA256

    4bed836e4f5f59c86c158306b480272f52579e521ad189a60adfaf1d996cf34f

  • SHA512

    57de7a2d51b98f4265d8a2a3d0106158e46882b17ea0ba11238f72fe9eefae2de76ac06f4b2adeee7e8afeba4a133f894f7bc8182862bdd5933bff4c232c2341

  • SSDEEP

    24576:7y/cL5SW8Gq8S81eNVsd+q7FzTJFIXmM6TUDsS36ub2RERiqyqUb6icqBA7QpTGb:ugP8reyAQ56whquqRIP2RceAcA7

Score
10/10
healerredlinemazdadiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

mazda

C2

217.196.96.56:4138

Attributes
  • auth_value

    3d2870537d84a4c6d7aeecd002871c51

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4bed836e4f5f59c86c158306b480272f52579e521ad189a60adfaf1d996cf34f.exe
    "C:\Users\Admin\AppData\Local\Temp\4bed836e4f5f59c86c158306b480272f52579e521ad189a60adfaf1d996cf34f.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1344
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3351897.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3351897.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3656
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7157403.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7157403.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1264
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8252972.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8252972.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3100
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1375135.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1375135.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4200
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6807396.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6807396.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4204
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 1084
                7⤵
                • Program crash
                PID:2816
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5158784.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5158784.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:4900
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 4204 -ip 4204
    1⤵
      PID:2792

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3351897.exe
      Filesize

      1.3MB

      MD5

      93a7b7f7664c90515e1ecffcb1b4b959

      SHA1

      920a3bdd2a1899c4c18a23fd64915f0f07228f62

      SHA256

      cb06233599a414eefaef30f31e02bf348d45281dae1a7d05c4fb19884b0c7a81

      SHA512

      6fa2a431a3162f74ec3a46425d041ef322e4e6d33af75bbb13a43a6614dd2311bbcba7b9ab9c38e827b29585415b44e73ffc0835512086cb583e7911c75030c7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7157403.exe
      Filesize

      867KB

      MD5

      711b4831f91e45016059ca2d45be94cd

      SHA1

      49ba24945c438b821c3cd8a6fac64ebe849d4954

      SHA256

      7377cc2803c59c65853300e81bfac483aa8b219989e26d99397eb7d1a0713aad

      SHA512

      1bb60afee21e73c2a1445995728e1da33ae6752433cfeb161255c6439011678f0260edad75ec659fe7e97a475cc2997ee7fb28f7f44a1a1a21fc0c6985e97c8c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8252972.exe
      Filesize

      663KB

      MD5

      da1fd3bf167884476c63bb6a60e3bcf1

      SHA1

      56104b8feb122cfcb78d821abcba2e6d5603d60d

      SHA256

      d99ef51338bba67f8b6e57a689207aefee9c65b507268195ae051e594d49001e

      SHA512

      ce63e5a2e7f1fe2f9870daf3d94b2aa906dc7aadeec0ff6cbb6607f9b5589461f23beff57e51f43066f410f8567d0998ba0dc9e24aa3241c8e1801df26abf5ad

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1375135.exe
      Filesize

      394KB

      MD5

      7bf2c90875fa352677affab4386398a3

      SHA1

      cc1dee01cbd832581628ae349978d14fd5191e19

      SHA256

      7f65c1efe89ac8a464e51b7ffed8299d03c8cb1af2f70eb314690ec344a7040b

      SHA512

      19d207109ffb59e765a3a15cfc77fb893fac20d998d22beefd7fe54dae48d5e122d883d45a7f623b0a97f452f1143285e4527c8d953c685836446e74df5674c9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6807396.exe
      Filesize

      315KB

      MD5

      267ce0b34cfacd8752123963023cdab6

      SHA1

      d682ca1b2d05648c6a8162871897baf62de27127

      SHA256

      03d0f4ea26ba6e798e49da789592ab15d4a63edc7045fd3622bda9563d918927

      SHA512

      26bc3fdee36502e5ab7c31510b6e38fc5fbfcc396a625ea31a8495b5a81bd12e5910a30263cd44bd744a6d06c83d7e941bc35c2b60463149ebc72d2c60112870

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5158784.exe
      Filesize

      168KB

      MD5

      03ce5009660934077643f281b0ec691a

      SHA1

      c62e2c5645a79a7a5d7398de14f0c83ffce38dbd

      SHA256

      c878dd4fcbed9382b6c31e7c0d4eaad577a5883080c9c6eead6eeaba4a466b5a

      SHA512

      00934525722ca1731276de89977604288a7989e6546d4684866f461217e0e3c66016309044093a583a09e6e1d31df401afc6056b0b82e7083e6a36704d388190

      Download Submit

    • memory/4204-46-0x0000000004B60000-0x0000000004B72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4204-39-0x0000000004B60000-0x0000000004B72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4204-60-0x0000000004B60000-0x0000000004B72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4204-66-0x0000000004B60000-0x0000000004B72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4204-64-0x0000000004B60000-0x0000000004B72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4204-62-0x0000000004B60000-0x0000000004B72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4204-56-0x0000000004B60000-0x0000000004B72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4204-54-0x0000000004B60000-0x0000000004B72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4204-52-0x0000000004B60000-0x0000000004B72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4204-48-0x0000000004B60000-0x0000000004B72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4204-37-0x0000000004C20000-0x00000000051C4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4204-44-0x0000000004B60000-0x0000000004B72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4204-42-0x0000000004B60000-0x0000000004B72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4204-38-0x0000000004B60000-0x0000000004B78000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4204-58-0x0000000004B60000-0x0000000004B72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4204-50-0x0000000004B60000-0x0000000004B72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4204-40-0x0000000004B60000-0x0000000004B72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4204-67-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

      Download

    • memory/4204-69-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

      Download

    • memory/4204-36-0x0000000002630000-0x000000000264A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4900-73-0x00000000006E0000-0x0000000000710000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4900-74-0x0000000001020000-0x0000000001026000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4900-75-0x0000000005700000-0x0000000005D18000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4900-76-0x00000000051F0000-0x00000000052FA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4900-77-0x0000000004F60000-0x0000000004F72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4900-78-0x00000000050E0000-0x000000000511C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4900-79-0x0000000005120000-0x000000000516C000-memory.dmp

      Filesize

      304KB

      Download