Overview

overview

10

Static

static

3

b3d5ab5640...a8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-11-2024 18:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b3d5ab564087df4a3ec94f347632d687df5d33a7f6dbf189a55de377346560a8.exe

  • Size

    1.5MB

  • MD5

    ecf993ec2c1e0431c3d363929730177e

  • SHA1

    5f6166e3a6f58dbfe8c612445474658e96fdf6e2

  • SHA256

    b3d5ab564087df4a3ec94f347632d687df5d33a7f6dbf189a55de377346560a8

  • SHA512

    7a0c8b4e7c1cb01c59defa6dfc98797683b277519bd9151edbdbbea381ba38e7e528121c8dce439f5e3daaf4eb634fb0a13810ff4086e27f8409f3bba793ebac

  • SSDEEP

    24576:Ty/DHL3xeY3I9Tl+KMZwFR3555q/H7O1Z5xLSM3VVchAWaiXCBLAHAnhuB:mzL3gYY9oTexYq1Z5l1VVtACK

Score
10/10
healerredlinemazdadiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

mazda

C2

217.196.96.56:4138

Attributes
  • auth_value

    3d2870537d84a4c6d7aeecd002871c51

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b3d5ab564087df4a3ec94f347632d687df5d33a7f6dbf189a55de377346560a8.exe
    "C:\Users\Admin\AppData\Local\Temp\b3d5ab564087df4a3ec94f347632d687df5d33a7f6dbf189a55de377346560a8.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3156
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3842466.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3842466.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6372058.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6372058.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1972
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9748104.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9748104.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1908
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5927231.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5927231.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2452
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1064045.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1064045.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1092
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 1064
                7⤵
                • Program crash
                PID:116
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9994316.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9994316.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2424
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1092 -ip 1092
    1⤵
      PID:4492

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3842466.exe
      Filesize

      1.4MB

      MD5

      fd2e8e81e4e70b562c3d703439f21b6c

      SHA1

      e708f7c28f710e7cffa2704cdf1d1ae0c7182723

      SHA256

      e31f64178480ba5c94cc232415be93f3b9e37d4d971e3961d7a9a5e3e6e10473

      SHA512

      128b6c85592deb139e82df54a8eb48925d10a8ed62342b7b504909d10f24a399fccf7a088797ba06cc93833621952cb197e18918db015d94adc6c2928843e618

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6372058.exe
      Filesize

      912KB

      MD5

      3654476e5db895dce8034ab802e4c425

      SHA1

      f35a60d168b8c8e0240f9118c40f1e896ce5be48

      SHA256

      603ac481405ca2617afbc90f80329b27066d37a6f0e6d210d29f6bf113c603b4

      SHA512

      15c7d37188b0badfee96fb6223271580c5466b10468c86442fbfdbc54f9f1602d1ab43bf38ca8331c894b1dc064b08da57966166249afaae7943ecb5f5094b80

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9748104.exe
      Filesize

      708KB

      MD5

      f7e631a15b093677e2b7b04a142eecff

      SHA1

      670612d844e5c9a7eff8318373bc8d3118d6a457

      SHA256

      39839819d0d8344d00f01268c335c2ee62317524b1452b9f94cd7f859d141c33

      SHA512

      73b5a02ea50a40b546a2268032979449b7baf25d94c62ce4aa7aaef4d5013581dc0da839ec86da52dea027c454c6f5d4c1e2b35852de20742dd9409b4a04fe8e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5927231.exe
      Filesize

      415KB

      MD5

      57d3d9105ecff00b29dd119826169da2

      SHA1

      24076af1edec9c25277eb5ddcf2c65fdccc1b83a

      SHA256

      140690c679725069b81d27b2d0f217a46268e921f7a445503c81ca94dd580220

      SHA512

      fc1403e3761ecb6afc527cae02cb9688c45b56fe4ac3849053de33a962c6e1105bb9c8bdeb106f9b68ce644e5740802a0078b67264181cee001d5c8346f5f9b2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1064045.exe
      Filesize

      361KB

      MD5

      7317134b8a770bf2a727b51587afc618

      SHA1

      8ca0ebc01c94fe497c9f5f3e406595e8cac7e63a

      SHA256

      1034deb35f434f51408bbd661abb3c76f2d491a8b6a18585596702ecab089b9c

      SHA512

      aa2be26f0738c2096f8c3dd47c1695db201a02aa1f6c5acbd42582cc31c77b54ae3d4000a39af7249c7fa0ed069f299cb591c992ea5975851f29599329e32e19

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9994316.exe
      Filesize

      168KB

      MD5

      b2d58eb21b05418540b82d5e3b580521

      SHA1

      893bf1dfc6f06187cf393cc47e02193f12490788

      SHA256

      f0bd24c18697c8c184e399444bfbfebd4202e793a01ebfa803be36938a56f955

      SHA512

      8e3aed1685a57c54d889344c88683d807b17c1427aa0acdcd08ee71b87730aa4ba01fc987a13f49752a1e4576b279ea96e1fc7b4995b26808e0d56fa4a575cdc

      Download Submit

    • memory/1092-62-0x0000000004C90000-0x0000000004CA2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1092-42-0x0000000004C90000-0x0000000004CA2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1092-37-0x0000000004CD0000-0x0000000005274000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1092-66-0x0000000004C90000-0x0000000004CA2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1092-64-0x0000000004C90000-0x0000000004CA2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1092-60-0x0000000004C90000-0x0000000004CA2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1092-58-0x0000000004C90000-0x0000000004CA2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1092-56-0x0000000004C90000-0x0000000004CA2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1092-54-0x0000000004C90000-0x0000000004CA2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1092-53-0x0000000004C90000-0x0000000004CA2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1092-50-0x0000000004C90000-0x0000000004CA2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1092-46-0x0000000004C90000-0x0000000004CA2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1092-44-0x0000000004C90000-0x0000000004CA2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1092-38-0x0000000004C90000-0x0000000004CA8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1092-40-0x0000000004C90000-0x0000000004CA2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1092-39-0x0000000004C90000-0x0000000004CA2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1092-48-0x0000000004C90000-0x0000000004CA2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1092-67-0x0000000000400000-0x00000000006F4000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/1092-36-0x00000000027C0000-0x00000000027DA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1092-69-0x0000000000400000-0x00000000006F4000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/2424-73-0x00000000005C0000-0x00000000005F0000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2424-74-0x0000000002740000-0x0000000002746000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2424-75-0x000000000AAD0000-0x000000000B0E8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2424-76-0x000000000A5C0000-0x000000000A6CA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2424-77-0x000000000A4B0000-0x000000000A4C2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2424-78-0x000000000A4D0000-0x000000000A50C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2424-79-0x00000000026A0000-0x00000000026EC000-memory.dmp

      Filesize

      304KB

      Download