Overview

overview

10

Static

static

3

6fcfe8a711...f0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 00:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6fcfe8a711d8ae316030a468e42d40b626f6d0098a6c1434f1a5ec54656422f0.exe

  • Size

    689KB

  • MD5

    99644346537b51cc44f434d0b2b5e8a9

  • SHA1

    b5414f655ad35131ac5b2b7f268e4fb72c75e725

  • SHA256

    6fcfe8a711d8ae316030a468e42d40b626f6d0098a6c1434f1a5ec54656422f0

  • SHA512

    dda61eb22b59ddeda2a35942227e575836c6f137bc7e314afe3ef311eecd9ec65487bb25ce7a4c39d42b281d1216087d23f62a35973917b9e2e551f56e746de0

  • SSDEEP

    12288:3y90q2bqpNg8JMxmNiLGidibxHExQBgzZIJz5SDhpEu+sK0brLxrEx6O/TV2Lyaa:3yn2bv8JMQNiLL+xHEzzZ+58KR0b3xrU

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fcfe8a711d8ae316030a468e42d40b626f6d0098a6c1434f1a5ec54656422f0.exe
    "C:\Users\Admin\AppData\Local\Temp\6fcfe8a711d8ae316030a468e42d40b626f6d0098a6c1434f1a5ec54656422f0.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4156
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un140024.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un140024.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2368
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\99074141.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\99074141.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1732
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 1080
          4⤵
          • Program crash
          PID:1080
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk381252.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk381252.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:884
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1732 -ip 1732
    1⤵
      PID:2164

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un140024.exe
      Filesize

      535KB

      MD5

      7465789687525ffff5d73cb9d462c841

      SHA1

      bc06a4e370a2fcd11d63366628dd6f38c7ebe72b

      SHA256

      88a5aa94c63eeda92e54388042f40b20896545cd75eb3f94d4326881c9fdcaf7

      SHA512

      b76a63148c8eaafe7eaebdceaaf40d112e8cffcabedab35084a541485f15146bf47ab7b26067b02307188aabe6964160c3601a7ed7e221770762dbcedf0af5b0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\99074141.exe
      Filesize

      259KB

      MD5

      e6ea9f69459faf4676ff135702f57a22

      SHA1

      e44b0b13107eba3ccffef2c59cfdf27d0012da05

      SHA256

      45fee3ad24f5c1af1aa7502814f2fd3b7ee1c7b1ce29f2f4273b2e2bc44ae1c6

      SHA512

      306dbd1ba20f7464b79e110c2af9a8beedba4f11fafac74ddec8c10e4769ba73d6810ed3bbafcf6b2ede201bb92833298ddc34983d882653922e2db5a429fc42

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk381252.exe
      Filesize

      341KB

      MD5

      5eb379bce8374d7363a48b203716bb65

      SHA1

      d3691b526d4c8f4622df4a47e74074ce53cbd95c

      SHA256

      ef5775ed7e9f558b63f9f7bd37b97ad459d0e6ae8da3f152049b1a33609699b8

      SHA512

      42bd4e23b92a7753c52f2e558f6853d4817239861ebf48ec3f84eef66c8486b7c681f9a509a9188c86ec3bdd77612d8475c69b1c168b581b7f985d95a45c50f1

      Download Submit

    • memory/884-66-0x0000000005040000-0x0000000005075000-memory.dmp

      Filesize

      212KB

      Download

    • memory/884-80-0x0000000005040000-0x0000000005075000-memory.dmp

      Filesize

      212KB

      Download

    • memory/884-856-0x0000000007BF0000-0x0000000007C02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/884-855-0x0000000007540000-0x0000000007B58000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/884-64-0x0000000005040000-0x0000000005075000-memory.dmp

      Filesize

      212KB

      Download

    • memory/884-68-0x0000000005040000-0x0000000005075000-memory.dmp

      Filesize

      212KB

      Download

    • memory/884-70-0x0000000005040000-0x0000000005075000-memory.dmp

      Filesize

      212KB

      Download

    • memory/884-72-0x0000000005040000-0x0000000005075000-memory.dmp

      Filesize

      212KB

      Download

    • memory/884-74-0x0000000005040000-0x0000000005075000-memory.dmp

      Filesize

      212KB

      Download

    • memory/884-76-0x0000000005040000-0x0000000005075000-memory.dmp

      Filesize

      212KB

      Download

    • memory/884-858-0x0000000007D30000-0x0000000007D6C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/884-859-0x0000000002560000-0x00000000025AC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/884-78-0x0000000005040000-0x0000000005075000-memory.dmp

      Filesize

      212KB

      Download

    • memory/884-857-0x0000000007C10000-0x0000000007D1A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/884-82-0x0000000005040000-0x0000000005075000-memory.dmp

      Filesize

      212KB

      Download

    • memory/884-86-0x0000000005040000-0x0000000005075000-memory.dmp

      Filesize

      212KB

      Download

    • memory/884-89-0x0000000005040000-0x0000000005075000-memory.dmp

      Filesize

      212KB

      Download

    • memory/884-90-0x0000000005040000-0x0000000005075000-memory.dmp

      Filesize

      212KB

      Download

    • memory/884-92-0x0000000005040000-0x0000000005075000-memory.dmp

      Filesize

      212KB

      Download

    • memory/884-94-0x0000000005040000-0x0000000005075000-memory.dmp

      Filesize

      212KB

      Download

    • memory/884-96-0x0000000005040000-0x0000000005075000-memory.dmp

      Filesize

      212KB

      Download

    • memory/884-84-0x0000000005040000-0x0000000005075000-memory.dmp

      Filesize

      212KB

      Download

    • memory/884-63-0x0000000005040000-0x0000000005075000-memory.dmp

      Filesize

      212KB

      Download

    • memory/884-62-0x0000000005040000-0x000000000507A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/884-61-0x00000000024E0000-0x000000000251C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1732-41-0x0000000002560000-0x0000000002573000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1732-56-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1732-55-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/1732-52-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1732-51-0x0000000000510000-0x000000000053D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/1732-50-0x0000000000580000-0x0000000000680000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1732-22-0x0000000002560000-0x0000000002573000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1732-23-0x0000000002560000-0x0000000002573000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1732-25-0x0000000002560000-0x0000000002573000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1732-27-0x0000000002560000-0x0000000002573000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1732-29-0x0000000002560000-0x0000000002573000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1732-31-0x0000000002560000-0x0000000002573000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1732-33-0x0000000002560000-0x0000000002573000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1732-35-0x0000000002560000-0x0000000002573000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1732-37-0x0000000002560000-0x0000000002573000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1732-39-0x0000000002560000-0x0000000002573000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1732-43-0x0000000002560000-0x0000000002573000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1732-45-0x0000000002560000-0x0000000002573000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1732-47-0x0000000002560000-0x0000000002573000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1732-49-0x0000000002560000-0x0000000002573000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1732-21-0x0000000002560000-0x0000000002578000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1732-20-0x0000000004BA0000-0x0000000005144000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1732-19-0x0000000002210000-0x000000000222A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1732-18-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/1732-17-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1732-15-0x0000000000580000-0x0000000000680000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1732-16-0x0000000000510000-0x000000000053D000-memory.dmp

      Filesize

      180KB

      Download