Overview

overview

10

Static

static

3

8170521074...3d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 00:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8170521074694e020239101d14e119c3ca3e8d7cf5fc33019282deef9915613d.exe

  • Size

    693KB

  • MD5

    821a7f0a99a396b8dea17cc244ee2d87

  • SHA1

    c5106591bd4a927c05873fd8fc4088cc2904f0a4

  • SHA256

    8170521074694e020239101d14e119c3ca3e8d7cf5fc33019282deef9915613d

  • SHA512

    8a33f957e2951708d6f4b4f771c6ee8c771cc34e769db3f955fe9428dfa29ad0f0ac90229fcda46ed52b54c4f793eafecee4972fe56a0db50fe4d7c6d6f5c65c

  • SSDEEP

    12288:Uy903W1BYNw6yaXJiCY8CHdTaNfsvCYYlXmEz7wlR+uqVvpM:UyEW1BJ6MZ8xd5ms7l3M

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8170521074694e020239101d14e119c3ca3e8d7cf5fc33019282deef9915613d.exe
    "C:\Users\Admin\AppData\Local\Temp\8170521074694e020239101d14e119c3ca3e8d7cf5fc33019282deef9915613d.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4608
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un883390.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un883390.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3004
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\08103844.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\08103844.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3692
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 1088
          4⤵
          • Program crash
          PID:1824
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk037207.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk037207.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:5064
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3692 -ip 3692
    1⤵
      PID:1540

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un883390.exe
      Filesize

      540KB

      MD5

      c1db11f41e0fae92b79a89ece1eff49b

      SHA1

      7fd3a0ccb11b500f3f989af1784d51452309d798

      SHA256

      a2b4ef6253379a2848ef401ebd3aa1de0fc670dba2f4cc2ce60d0c9e34c4a14b

      SHA512

      ebc4ee179f389368b29473191241da2458f26ae74b0b18a1400518a42188e8b9251f98d1a446f5f468b2eeb4b9a7e6149fd9f52c32fcea9cd25c7c30a5f477e2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\08103844.exe
      Filesize

      258KB

      MD5

      351a30b64369aeee3c0675a603bc0c8b

      SHA1

      6504aab307c24ae8bfc34019556101cbc448e150

      SHA256

      7fbdb7e9310a9d4f462feb1e632af17945a7336d8abda51f97b735ad75a7f999

      SHA512

      a5234412d49bbb7872039026afa1de4553c8207978d9e44bfab3114c2c1574ff5ce55741b93e13a42a24af80face7d94829b58bb3339a8e56c48ef5242629118

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk037207.exe
      Filesize

      340KB

      MD5

      51e955a7d5172abbdcad4b1af6e676bf

      SHA1

      3ac7cce482b462995220ae8732535eee4d8904c5

      SHA256

      6e7cf32adf651a09b960ca50cb4b0542158edda0f5470697a63cdb2594f87187

      SHA512

      00b563172c5e2aaf99e32d4f4a866b55c5349c77e105aa609bb66d6c243ccdcf4076b5ec0ae06c530c1264ebe9109a4fe9eecc5bb41b5ae68f53740ebff4b9de

      Download Submit

    • memory/3692-15-0x0000000002D50000-0x0000000002E50000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3692-16-0x0000000002CC0000-0x0000000002CED000-memory.dmp

      Filesize

      180KB

      Download

    • memory/3692-17-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3692-18-0x00000000048A0000-0x00000000048BA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3692-19-0x0000000007180000-0x0000000007724000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3692-20-0x0000000007130000-0x0000000007148000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3692-34-0x0000000007130000-0x0000000007143000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3692-48-0x0000000007130000-0x0000000007143000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3692-46-0x0000000007130000-0x0000000007143000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3692-44-0x0000000007130000-0x0000000007143000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3692-42-0x0000000007130000-0x0000000007143000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3692-40-0x0000000007130000-0x0000000007143000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3692-38-0x0000000007130000-0x0000000007143000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3692-36-0x0000000007130000-0x0000000007143000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3692-32-0x0000000007130000-0x0000000007143000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3692-30-0x0000000007130000-0x0000000007143000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3692-28-0x0000000007130000-0x0000000007143000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3692-26-0x0000000007130000-0x0000000007143000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3692-24-0x0000000007130000-0x0000000007143000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3692-22-0x0000000007130000-0x0000000007143000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3692-21-0x0000000007130000-0x0000000007143000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3692-49-0x0000000002D50000-0x0000000002E50000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3692-51-0x0000000002CC0000-0x0000000002CED000-memory.dmp

      Filesize

      180KB

      Download

    • memory/3692-50-0x0000000000400000-0x0000000002B9B000-memory.dmp

      Filesize

      39.6MB

      Download

    • memory/3692-52-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3692-55-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3692-54-0x0000000000400000-0x0000000002B9B000-memory.dmp

      Filesize

      39.6MB

      Download

    • memory/5064-60-0x0000000004A20000-0x0000000004A5C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/5064-61-0x0000000004C00000-0x0000000004C3A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/5064-67-0x0000000004C00000-0x0000000004C35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/5064-75-0x0000000004C00000-0x0000000004C35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/5064-95-0x0000000004C00000-0x0000000004C35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/5064-93-0x0000000004C00000-0x0000000004C35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/5064-91-0x0000000004C00000-0x0000000004C35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/5064-87-0x0000000004C00000-0x0000000004C35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/5064-85-0x0000000004C00000-0x0000000004C35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/5064-83-0x0000000004C00000-0x0000000004C35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/5064-82-0x0000000004C00000-0x0000000004C35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/5064-80-0x0000000004C00000-0x0000000004C35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/5064-77-0x0000000004C00000-0x0000000004C35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/5064-73-0x0000000004C00000-0x0000000004C35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/5064-71-0x0000000004C00000-0x0000000004C35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/5064-69-0x0000000004C00000-0x0000000004C35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/5064-89-0x0000000004C00000-0x0000000004C35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/5064-65-0x0000000004C00000-0x0000000004C35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/5064-63-0x0000000004C00000-0x0000000004C35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/5064-62-0x0000000004C00000-0x0000000004C35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/5064-854-0x0000000009D50000-0x000000000A368000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/5064-855-0x00000000072D0000-0x00000000072E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5064-856-0x000000000A370000-0x000000000A47A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/5064-857-0x000000000A480000-0x000000000A4BC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/5064-858-0x0000000006D70000-0x0000000006DBC000-memory.dmp

      Filesize

      304KB

      Download