Overview

overview

10

Static

static

3

f9c5caf18d...50.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 01:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f9c5caf18d86cc1696e3c308236b0ee4e13ed19343517d41c0d78142229fc450.exe

  • Size

    747KB

  • MD5

    bb1d4bb66b7028ad95651ee357549eaa

  • SHA1

    465325f97382d984c201665f2d758b85197e0b14

  • SHA256

    f9c5caf18d86cc1696e3c308236b0ee4e13ed19343517d41c0d78142229fc450

  • SHA512

    dca547b44a54d03e28e32f8a705ecec184a5917dbbcf61930ea0083f5d5b006de944c0cde9aa977da329b84c4a12ce28e9726c6057476a5f4a4739aef74c8d25

  • SSDEEP

    12288:Sy9073buZ2r1RwXtDcKbzptURVg6weeEzwMjzJlz4JNPtRvFpdSlqATQ:SyOr1acyzvhZe/HHaNPDvFPSkATQ

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f9c5caf18d86cc1696e3c308236b0ee4e13ed19343517d41c0d78142229fc450.exe
    "C:\Users\Admin\AppData\Local\Temp\f9c5caf18d86cc1696e3c308236b0ee4e13ed19343517d41c0d78142229fc450.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un699977.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un699977.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1124
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47145965.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47145965.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2376
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 1084
          4⤵
          • Program crash
          PID:1624
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk585147.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk585147.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1556
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2376 -ip 2376
    1⤵
      PID:3120

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un699977.exe
      Filesize

      592KB

      MD5

      87ce6a9dcaad1d35b94805f605ba02c1

      SHA1

      e1fe5ba4eeeeba4d885ca370e8bb1f2efa29abda

      SHA256

      39e260ac6ee5ed3c4e765a8370e572e42382e46bc14b8210ebcdcf8a029e4d12

      SHA512

      defd07923a774fb536e1912f6325dbdc6af8e40c2ccb81ce681bb4c5763dca115b162e45310a4e64e4d1f351d4c79ea96a4aee644a0ad2f1207613a9fe02a2bb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47145965.exe
      Filesize

      377KB

      MD5

      c5c4c5ef5b2e1c27cf9d4cce559cb043

      SHA1

      adb549abf8c71cd95d330a51aefba9b703294f86

      SHA256

      96d6a35d35f47dede3541229a565646815e7bdc803700d630616431f5e09dbad

      SHA512

      c66a9932228cda8454fbc6c7ebb59d7efe2d8d83bc135f59738fc01d81406b40454da8292d565beca290c023615c264e9749e0a9a01fce174066613a263dba50

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk585147.exe
      Filesize

      459KB

      MD5

      90621d082f53ec2a0f554a4e38c3584d

      SHA1

      31fb7e1002363e42663638cfbd36c2f06a8555f1

      SHA256

      945533f6e56171cbfaf590793a036e4d3c4ea81ca4abee3e50263d6f3112280c

      SHA512

      2d39a2d24839200aecfa95be74f06ce44f103d2194af5bb075655606a05acc0ece00f359c1168e1aaac3c6dede60f7894ff95294efff68e9d5c19dcce5dbefb6

      Download Submit

    • memory/1556-76-0x0000000002750000-0x0000000002785000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1556-82-0x0000000002750000-0x0000000002785000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1556-856-0x0000000005040000-0x0000000005052000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1556-855-0x00000000079F0000-0x0000000008008000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1556-63-0x0000000002750000-0x0000000002785000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1556-64-0x0000000002750000-0x0000000002785000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1556-66-0x0000000002750000-0x0000000002785000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1556-68-0x0000000002750000-0x0000000002785000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1556-70-0x0000000002750000-0x0000000002785000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1556-74-0x0000000002750000-0x0000000002785000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1556-858-0x0000000005070000-0x00000000050AC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1556-859-0x0000000004900000-0x000000000494C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1556-80-0x0000000002750000-0x0000000002785000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1556-857-0x0000000008010000-0x000000000811A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1556-84-0x0000000002750000-0x0000000002785000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1556-87-0x0000000002750000-0x0000000002785000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1556-88-0x0000000002750000-0x0000000002785000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1556-90-0x0000000002750000-0x0000000002785000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1556-92-0x0000000002750000-0x0000000002785000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1556-94-0x0000000002750000-0x0000000002785000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1556-97-0x0000000002750000-0x0000000002785000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1556-78-0x0000000002750000-0x0000000002785000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1556-72-0x0000000002750000-0x0000000002785000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1556-62-0x0000000002750000-0x000000000278A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/1556-61-0x0000000002630000-0x000000000266C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2376-41-0x00000000029F0000-0x0000000002A02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2376-55-0x0000000000400000-0x0000000000803000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2376-56-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2376-52-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2376-51-0x00000000008F0000-0x000000000091D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2376-50-0x0000000000940000-0x0000000000A40000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2376-22-0x00000000029F0000-0x0000000002A02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2376-24-0x00000000029F0000-0x0000000002A02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2376-26-0x00000000029F0000-0x0000000002A02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2376-27-0x00000000029F0000-0x0000000002A02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2376-29-0x00000000029F0000-0x0000000002A02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2376-31-0x00000000029F0000-0x0000000002A02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2376-34-0x00000000029F0000-0x0000000002A02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2376-35-0x00000000029F0000-0x0000000002A02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2376-37-0x00000000029F0000-0x0000000002A02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2376-39-0x00000000029F0000-0x0000000002A02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2376-43-0x00000000029F0000-0x0000000002A02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2376-46-0x00000000029F0000-0x0000000002A02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2376-47-0x00000000029F0000-0x0000000002A02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2376-49-0x00000000029F0000-0x0000000002A02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2376-21-0x00000000029F0000-0x0000000002A08000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2376-20-0x0000000004F80000-0x0000000005524000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2376-19-0x0000000002500000-0x000000000251A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2376-18-0x0000000000400000-0x0000000000803000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2376-17-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2376-16-0x00000000008F0000-0x000000000091D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2376-15-0x0000000000940000-0x0000000000A40000-memory.dmp

      Filesize

      1024KB

      Download