Overview

overview

10

Static

static

3

cbfa787c31...5f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/11/2024, 21:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cbfa787c31b8d42036795004edee27cff700e83e0de372da035028b41972c55f.exe

  • Size

    566KB

  • MD5

    9b48866310cc8c5f7626c9a62c66e5fb

  • SHA1

    af124df136edfb9e5468916bb6cc9435560f6c01

  • SHA256

    cbfa787c31b8d42036795004edee27cff700e83e0de372da035028b41972c55f

  • SHA512

    8c3d47b75537a3820d2fa7d6a0b6c40862aaadff3df13cedfd1081bd624cadb77ca8c49db261e54cb3e1cf3f50fe1bfc6c07a8439fbb78ae50ec2745045568d3

  • SSDEEP

    12288:Jy90MAbEd0qL0Me53v0m6PnQ5sHD6xXssu9:JyAbEd0Ie5MfnQqHD6xXsZ

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cbfa787c31b8d42036795004edee27cff700e83e0de372da035028b41972c55f.exe
    "C:\Users\Admin\AppData\Local\Temp\cbfa787c31b8d42036795004edee27cff700e83e0de372da035028b41972c55f.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4116
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGR3348.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGR3348.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2068
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it399213.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it399213.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4244
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp004868.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp004868.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4112

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGR3348.exe
    Filesize

    412KB

    MD5

    2e2611412d6e741139905271995291f9

    SHA1

    0fe5147aa77297509bb45da0201c5ea7530ffeb5

    SHA256

    eec3428d5f1c489402ab8915d938b4ea25c501b60f45b7e262d281ec4c744dbd

    SHA512

    f7d76a2ff8ac2c5812c87640b1d9da0c0df81af9559f74abeabf556995c0de20b9cb4a4b5c499b32b46b0e7cb740a5be55c2afff8e3df7d44036586fa6631d52

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it399213.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp004868.exe
    Filesize

    368KB

    MD5

    ce9a397c045ec1e24e554b6ce0db4515

    SHA1

    62843ddbb13ff72ea916e07ed5be595c2bd67968

    SHA256

    585d05127f1fb6d166d749d9c6ef2864e29e0455af718eaf2c60705a0e671116

    SHA512

    b4b1bbf9cd76b6aad8fa36cdfaba754c00aa2aeed40570d6bf46c748ab04a553447015e3699b2b6d27da406edb75800822fcbd14de28fd0449e88dc917119f25

    Download Submit

  • memory/4112-74-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4112-48-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4112-25-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4112-22-0x0000000007110000-0x000000000714C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4112-23-0x00000000072C0000-0x0000000007864000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4112-24-0x00000000071A0000-0x00000000071DA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4112-30-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4112-36-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4112-88-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4112-86-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4112-84-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4112-82-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4112-819-0x000000000A370000-0x000000000A47A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4112-820-0x000000000A490000-0x000000000A4CC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4112-821-0x0000000006C40000-0x0000000006C8C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4112-818-0x000000000A350000-0x000000000A362000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4112-817-0x0000000009CF0000-0x000000000A308000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4112-78-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4112-76-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4112-26-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4112-68-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4112-28-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4112-71-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4112-66-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4112-62-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4112-60-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4112-58-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4112-56-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4112-54-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4112-52-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4112-50-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4112-72-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4112-46-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4112-42-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4112-40-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4112-38-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4112-34-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4112-32-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4112-80-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4112-64-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4112-44-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4244-16-0x00007FFEED8A3000-0x00007FFEED8A5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4244-14-0x00007FFEED8A3000-0x00007FFEED8A5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4244-15-0x0000000000DA0000-0x0000000000DAA000-memory.dmp

    Filesize

    40KB

    Download