Overview

overview

10

Static

static

3

e0d3e064c8...ad.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-11-2024 19:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e0d3e064c8f4b04099122fd0a9ffc28faa0f14e3dddb34218ca23b91ed6822ad.exe

  • Size

    1.5MB

  • MD5

    d40a3aafb18fe80c8c29d06b9d545266

  • SHA1

    1b162746968fb0bed46afc1fb7afa47804a40168

  • SHA256

    e0d3e064c8f4b04099122fd0a9ffc28faa0f14e3dddb34218ca23b91ed6822ad

  • SHA512

    789e4d6ee222e9edcf824ba6a73f26d057ff14cc1b04048971f30832578d5401355ffb3691afc2cd5bcf2f73360228d43cc64bb3829cc15efe82b74a4e00a54a

  • SSDEEP

    49152:pRgaj4785Ys6ejUjCiXP0hAWc9MWQ33DglShin:kBBsVYjjX9Mj3zth

Score
10/10
healerredlinemazdadiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

mazda

C2

217.196.96.56:4138

Attributes
  • auth_value

    3d2870537d84a4c6d7aeecd002871c51

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e0d3e064c8f4b04099122fd0a9ffc28faa0f14e3dddb34218ca23b91ed6822ad.exe
    "C:\Users\Admin\AppData\Local\Temp\e0d3e064c8f4b04099122fd0a9ffc28faa0f14e3dddb34218ca23b91ed6822ad.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3412
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7611525.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7611525.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4680
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4543044.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4543044.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1636
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5970735.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5970735.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:408
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4346655.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4346655.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4140
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7760042.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7760042.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2792
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 1084
                7⤵
                • Program crash
                PID:4496
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4215231.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4215231.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:4848
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2792 -ip 2792
    1⤵
      PID:744

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7611525.exe
      Filesize

      1.4MB

      MD5

      b1633ef37e5ea5bd180b67a02a809f3b

      SHA1

      deecfaa5761145c97bcba609a9d4a0ec93fe4d17

      SHA256

      2aa044f99bf15012dca05f880b9f19db57c8385c17e6a4f109066877da34af64

      SHA512

      6f98234603ce46d4a46c75c4df37e06af536f460c5df8b30f957dff490857e0a0b79cdd803b19ed8d917f2677cafdcedabbed56b89df73f565b48314451edb58

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4543044.exe
      Filesize

      911KB

      MD5

      17abaad802d8b43c57ccddc75e6ee3a6

      SHA1

      9cf3043c8268b81bfb35406fae5119ac84ab3e22

      SHA256

      8abd246677ec293d092b80448c271c81c2dc695d7adb4f053d0e994ed4fee7a0

      SHA512

      4687483ffc52b808ccc5f1efc023f46ea5735433c55756ba6d8bd046a990f30c5c3de80d949b71841d4aa1cb8484091975cceaf6d144786b8fc5b330c372f4bb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5970735.exe
      Filesize

      706KB

      MD5

      f78e2b2bc6ad1162524d3060c2f94de6

      SHA1

      d4864d8b6acfd9f1facff72e9f16042d104cbf79

      SHA256

      1023d6992ddd373d1007e1af2f146c5cf62e039fec40762e3c54f37ff61d535d

      SHA512

      c5e12c8ff202564d599924e87a3d0cb47c5d8d8df50cd4dc28019d1549a2e6b74a76a36bf5fbaee892e6bd983237413b4ba0adcc8ffc1ac90ca7f25c6f9ba50f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4346655.exe
      Filesize

      415KB

      MD5

      8b5843cb645b46fe990408b63fd91ec7

      SHA1

      13b551bd77d2f8cd3d30e9c07d98b6d9bbbd598a

      SHA256

      4b74cf022730871334f06ede09ef0b6e302477fc076fecdb92747c45cc176be7

      SHA512

      a828d201f7cf2bb307927e7c1de120b1b0448e10fa4e5a5fafa34a69b0608d805d82aa13ab3ad91fa65386568bf7eefd7b129c7f30af1bd6de3efdacfe0608b0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7760042.exe
      Filesize

      360KB

      MD5

      6d6c071838693f3993af4d5c43a3350e

      SHA1

      0fca2b360c2446731ef6d1d1fe948d5c944268f6

      SHA256

      20650e210bdfa40bf9f3e6b1c07b35a7e2b6cd040622d2be7be6018cb40f6f98

      SHA512

      78023bb791c26c76f20eab97b0d1ecc2164a4b678fc7f0d8525388fa8dfcabb12c676322a509fdcbe41647cc3027fa3a384431a17406f62f1c4b5c0701825e42

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4215231.exe
      Filesize

      168KB

      MD5

      b677bc96c90185272bf35347ccbcc23e

      SHA1

      15f97e777dafe1109f882f2d91f91281f63b2e86

      SHA256

      40a35fb56eb52a5ae23a04a516fefc06cdc063be63bf2ce76b6ace5e42b2fe6a

      SHA512

      c46327888323d9ff8b84d8f1b5032f0a2e801634b4be2de57c468cf213a194ddfd9257a6a749c3670f511dee0efa1b0e5294c99576eaebe40628826adba9b615

      Download Submit

    • memory/2792-51-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2792-40-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2792-56-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2792-66-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2792-64-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2792-62-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2792-60-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2792-58-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2792-54-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2792-52-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2792-37-0x0000000004EA0000-0x0000000005444000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2792-46-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2792-45-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2792-38-0x0000000002830000-0x0000000002848000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2792-39-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2792-48-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2792-42-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2792-67-0x0000000000400000-0x00000000006F4000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/2792-69-0x0000000000400000-0x00000000006F4000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/2792-36-0x00000000027A0000-0x00000000027BA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4848-73-0x0000000000140000-0x0000000000170000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4848-74-0x00000000008F0000-0x00000000008F6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4848-75-0x0000000005150000-0x0000000005768000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4848-76-0x0000000004C40000-0x0000000004D4A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4848-77-0x00000000049C0000-0x00000000049D2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4848-78-0x0000000004B30000-0x0000000004B6C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4848-79-0x0000000004B70000-0x0000000004BBC000-memory.dmp

      Filesize

      304KB

      Download