Overview

overview

10

Static

static

3

04bd3ba368...a4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-11-2024 16:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    04bd3ba368f32aeacfb1a6c4a56552d4ed23f882306ad8c5e9c39195e86e8ea4.exe

  • Size

    1.5MB

  • MD5

    a094181d67db566833f6cf33bddf1f76

  • SHA1

    cf3a8a9e12714ec95ab03996b3945fced7cdd7f1

  • SHA256

    04bd3ba368f32aeacfb1a6c4a56552d4ed23f882306ad8c5e9c39195e86e8ea4

  • SHA512

    c24613425cf3dea218641f717b425a784ff7a5001befdabf87a73bbe9d02216418502bc2622aea8642ba8f8c3f0c53004828018882eb2ab6e547b03c9cb87c91

  • SSDEEP

    24576:FyfV+9mwTMYcRZEHZuYeidzlSdVp4NhG0kpqiaB8HeWR1JhTuS9YbRtc5sRK10FX:gd4TMtIuYeid5kVpE1sNHeWRvhCLHcGb

Score
10/10
healerredlinemazdadiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

mazda

C2

217.196.96.56:4138

Attributes
  • auth_value

    3d2870537d84a4c6d7aeecd002871c51

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04bd3ba368f32aeacfb1a6c4a56552d4ed23f882306ad8c5e9c39195e86e8ea4.exe
    "C:\Users\Admin\AppData\Local\Temp\04bd3ba368f32aeacfb1a6c4a56552d4ed23f882306ad8c5e9c39195e86e8ea4.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5108
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9862860.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9862860.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3544
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7627804.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7627804.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3352
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4637203.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4637203.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3692
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0255775.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0255775.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4344
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7846648.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7846648.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4044
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1084
                7⤵
                • Program crash
                PID:4988
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7410386.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7410386.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:4436
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4044 -ip 4044
    1⤵
      PID:3828

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9862860.exe
      Filesize

      1.3MB

      MD5

      9ed5355f86b51ca543bf6692dd61833d

      SHA1

      34db4a656b5875055b72f97f4ab6ffc8e0a3782a

      SHA256

      47ebe470c70de89e33b73e3e90f7eb9d12911eb40c23b46177eca0671ace039a

      SHA512

      9f045d04af931c8fa5062ce2571fc988112e2c56723228d087c62108c18dd84c65abca13ca43e41ff25bedcba7f51eb296a3aa8f54626399b3b470e62ed52c61

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7627804.exe
      Filesize

      867KB

      MD5

      5848f4ebac728b66cde60ed5223db866

      SHA1

      c5fdd203ebc4653cf263663c2fdad382fd2dfdc0

      SHA256

      fd033801068454bc0c1e417867d81823d064ffdecada1631ee9090cdde03d12a

      SHA512

      6588c972a6d67c8bb95293d1ecc435c5867da4bf5248da1347587d1f4bb2b981a7d3b5d036276d8fac36654b46c212243f77f89bda7ccb5c35c72e2bd30e06ca

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4637203.exe
      Filesize

      664KB

      MD5

      a3fcf9d469482d5bc269143bec2717de

      SHA1

      3a530d24a62f8d21041e016a495893fbad24092c

      SHA256

      67979381ff4874b5e5c27335388992357e13e6e524f9e47603daa7c699d11c91

      SHA512

      07d98307111992ff7f88d7718f6edc328d915f94ee9965da6fa476ac92c088a8cd789c43f59e8f136256c1b172d27596e64d46233477981cc8f974f842e8c478

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0255775.exe
      Filesize

      394KB

      MD5

      441289e99a4f1056da77c39c084757c3

      SHA1

      c2df93909c5547ccab2e61922ba01764b81acf90

      SHA256

      529db7fcc5c092774b4118e31dda3077593d80bd901539a5726ed7d0d1bca3e3

      SHA512

      b3783cad7bb84908eaf9f54f4fe54d0c88c878d979bce3e8ead5c8eac36442e27734a136db69f887dc6a1a6d8b9adbc3f6c26d8e68e59e2276e0a1a2fb2a242e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7846648.exe
      Filesize

      315KB

      MD5

      ee4855dd71670656f4986e318fd7910f

      SHA1

      f745fd8ee62709f99ddc255fbab18ac1f4889216

      SHA256

      aba4a5ad6878ac0fa36cbcc397da8a3736177635c975aee2db3742b4fd7530b8

      SHA512

      c9295748de06fe631fb1f4cea314996dc31b969e50b78f876973490d25f6f03c33725d78a00c706e3ed88e5daea4b4a9a2b45dd77c0e43f568419ca908aa8f4e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7410386.exe
      Filesize

      168KB

      MD5

      9d5fafffde79a9e03f5e263ab49c37a6

      SHA1

      71a1557ec39814c8610e9d60d265f281d830fd2b

      SHA256

      46785451f64373c6a7e185d03d851d3a19d27c5f51b034c52ec5b94ca159f807

      SHA512

      857488bd0cd2cf309296da41bec327b7e105d7342b4423f019e577098873e912adac91fbc799ff33824c701a01d527086160261723fabe832e134fcdfc1804fa

      Download Submit

    • memory/4044-52-0x0000000002730000-0x0000000002742000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4044-46-0x0000000002730000-0x0000000002742000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4044-40-0x0000000002730000-0x0000000002742000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4044-66-0x0000000002730000-0x0000000002742000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4044-64-0x0000000002730000-0x0000000002742000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4044-62-0x0000000002730000-0x0000000002742000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4044-60-0x0000000002730000-0x0000000002742000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4044-58-0x0000000002730000-0x0000000002742000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4044-56-0x0000000002730000-0x0000000002742000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4044-54-0x0000000002730000-0x0000000002742000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4044-37-0x0000000004C10000-0x00000000051B4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4044-50-0x0000000002730000-0x0000000002742000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4044-48-0x0000000002730000-0x0000000002742000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4044-38-0x0000000002730000-0x0000000002748000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4044-44-0x0000000002730000-0x0000000002742000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4044-43-0x0000000002730000-0x0000000002742000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4044-39-0x0000000002730000-0x0000000002742000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4044-67-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

      Download

    • memory/4044-69-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

      Download

    • memory/4044-36-0x0000000002190000-0x00000000021AA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4436-73-0x0000000000CC0000-0x0000000000CF0000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4436-74-0x0000000001470000-0x0000000001476000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4436-75-0x0000000005CB0000-0x00000000062C8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4436-76-0x00000000057A0000-0x00000000058AA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4436-77-0x0000000002F00000-0x0000000002F12000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4436-78-0x00000000056D0000-0x000000000570C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4436-79-0x0000000005710000-0x000000000575C000-memory.dmp

      Filesize

      304KB

      Download