Overview

overview

10

Static

static

3

d57656d24c...d5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-11-2024 19:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d57656d24cf6000e3ce7fa4309e31d86c03c4af3d251593b4a8fc3fbe54fb0d5.exe

  • Size

    1.5MB

  • MD5

    35685d5d153b39fc65cff494682bbdde

  • SHA1

    3aec5d9a4ec981298bbcefa80633943c1c8f8760

  • SHA256

    d57656d24cf6000e3ce7fa4309e31d86c03c4af3d251593b4a8fc3fbe54fb0d5

  • SHA512

    66f5ea1e37d7fd415ee908e85bf7ff9ac5a9d9f86ea2ce3f288d52734ad0954edb88bb844476861dcedd735d07161fc69d823c07e81d77f82934ecbaa98c22d3

  • SSDEEP

    49152:uHETxasA6L3LSzOKOV4UUa4U5lW+1/u4Jkmi84hRu:e2xR3W0+aV50KzvkhR

Score
10/10
healerredlinemazdadiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

mazda

C2

217.196.96.56:4138

Attributes
  • auth_value

    3d2870537d84a4c6d7aeecd002871c51

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d57656d24cf6000e3ce7fa4309e31d86c03c4af3d251593b4a8fc3fbe54fb0d5.exe
    "C:\Users\Admin\AppData\Local\Temp\d57656d24cf6000e3ce7fa4309e31d86c03c4af3d251593b4a8fc3fbe54fb0d5.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:112
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8817672.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8817672.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2088
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5030313.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5030313.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4512
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8943211.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8943211.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3540
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4536944.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4536944.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4728
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1830048.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1830048.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4136
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1084
                7⤵
                • Program crash
                PID:4240
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4252016.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4252016.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:4444
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4136 -ip 4136
    1⤵
      PID:4632
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start wuauserv
      1⤵
      • Launches sc.exe
      PID:3420

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8817672.exe
      Filesize

      1.4MB

      MD5

      7fb735e0f1ae53714879f7e4a2211ead

      SHA1

      78915092a314419b98ee8c90deac1d9ae482d9d4

      SHA256

      0faf241bdf392b05afcb69a903d46aea62b4639d4c37770601a09be23e9df430

      SHA512

      ca7d9b78b887376d277370ce6b1de15adf90afce2fbd2653ca51b935ded20f1571d2ecebd4620bab34eef94db187eb05dd1c2d3bf33f7e1fed4da245b3aab462

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5030313.exe
      Filesize

      910KB

      MD5

      b2ec215afa85bcdabedf2f9a1afc2f4a

      SHA1

      f9e665a229a65d3cf6cb409e76b63da49e3f3965

      SHA256

      749af1a4053ad3afc6064031bffe1d208d160edc651e91bb8c16be610d27bd85

      SHA512

      7651eb70f119d653a8841ba9bc8b68f3691e92c305e386564d8e899ae3df40acc0d484c6057c7ffbdd0940eb140d09e1528c3ba62f7a9128fd5a6596150bcb96

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8943211.exe
      Filesize

      706KB

      MD5

      60c7054413373cdb54b4051eda9c309b

      SHA1

      c2d98d0a52c9be72b6791a438a9336be90a36281

      SHA256

      137b2ff8dc2b1f4adb33ea50298245b544b7054241595d2135c1eae357f47fd3

      SHA512

      7b975f025a3ae40b7a9910abe40b43e95bb25f90216551dfadefe4ccdfd064fa761ecef4e7e4fd1ede43437cfa84c4e01e12058232a518d8624404f6cf12226a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4536944.exe
      Filesize

      415KB

      MD5

      b1476d90c0d4cce424754af1ffbc83b2

      SHA1

      a5e1188e76dbb4d47eacddd8d07c11ef63385934

      SHA256

      8a5fb5cf932499226bc40d3b190832f384a92b673b66af92ecd4f41693dfafc4

      SHA512

      a4ec8fdd3597de8a6a535ef791b73da07b01db79d41730469e94858eb56e97416811897dd553f9021a017ee3695cf9f3e378e9221772fcfff14ec4f6d845a01c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1830048.exe
      Filesize

      360KB

      MD5

      22426d172e02be714bca40a9eb10ceea

      SHA1

      51093628bcc779cc5e1886cd977128fbe3bc484b

      SHA256

      4dbdd150aeb3207313af58c7bd7265f7715bc22c191155f6601e89b0161c95c8

      SHA512

      800dfe02bb31c3031eadde3f310a597d229bf5d462bf1d15276180cfc6ed5e7208199198f7ee7637e0f169401281973e666da5f3317bcb9facdee2aeaab7832e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4252016.exe
      Filesize

      168KB

      MD5

      e5638b7685a66380dd386a89192c4fef

      SHA1

      202a4ea232cffefe627f0f207a4e040451348142

      SHA256

      67253993892739ddbf4c43098f9339537b540e68d439472b68c9c20ac204250b

      SHA512

      c7ba9c879ce4892220cf62927a54f9c6bc3366b5bf814100d785430ee995d94907110a825a4dfa182b6424d97051015659ff83bb31124cfa6ceab80ebc0d0a9b

      Download Submit

    • memory/4136-66-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4136-44-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4136-37-0x0000000004ED0000-0x0000000005474000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4136-64-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4136-62-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4136-60-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4136-58-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4136-56-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4136-54-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4136-52-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4136-50-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4136-48-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4136-46-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4136-38-0x0000000004DD0000-0x0000000004DE8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4136-42-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4136-40-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4136-39-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4136-67-0x0000000000400000-0x00000000006F4000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/4136-36-0x0000000004D60000-0x0000000004D7A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4136-69-0x0000000000400000-0x00000000006F4000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/4444-73-0x0000000000F70000-0x0000000000FA0000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4444-74-0x0000000003240000-0x0000000003246000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4444-75-0x000000000B450000-0x000000000BA68000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4444-76-0x000000000AF40000-0x000000000B04A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4444-77-0x000000000AE50000-0x000000000AE62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4444-78-0x000000000AEB0000-0x000000000AEEC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4444-79-0x0000000003120000-0x000000000316C000-memory.dmp

      Filesize

      304KB

      Download