Overview

overview

10

Static

static

3

d7d72f6cb9...7d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/11/2024, 01:23 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d7d72f6cb9e36f7a834e6371cfa1881182884d78b430d212f62dd3b053aa4c7d.exe

  • Size

    560KB

  • MD5

    960c32862d7fc8c4f6987432c0de3bb3

  • SHA1

    3671e7b4e69cf075404d13271a2f7c190cd77085

  • SHA256

    d7d72f6cb9e36f7a834e6371cfa1881182884d78b430d212f62dd3b053aa4c7d

  • SHA512

    dcfca06617fae9e05ceeab1514ccfd15413ef1344a42698ec8776ad3e535ac05fe16ca6d93ccb7372c3677ac02663592be4fdf9abdb8b3fddc383fb560589d0d

  • SSDEEP

    12288:6y90PvIkI5hzjLoPz5Uvqg4C/cephSc5FT41BJudVJtq5+g+KLH:6yWV4p4CjNOzng6LH

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d7d72f6cb9e36f7a834e6371cfa1881182884d78b430d212f62dd3b053aa4c7d.exe
    "C:\Users\Admin\AppData\Local\Temp\d7d72f6cb9e36f7a834e6371cfa1881182884d78b430d212f62dd3b053aa4c7d.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4236
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAd1180.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAd1180.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2260
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it999099.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it999099.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2844
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp762152.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp762152.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:5012

Network

  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83deploystaticakamaitechnologiescom
  • flag-us
    DNS
    68.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    68.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    72.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    72.209.201.84.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    29.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    29.243.111.52.in-addr.arpa
    IN PTR
    Response
  • 185.161.248.142:38452
    kp762152.exe
    260 B
     5
  • 185.161.248.142:38452
    kp762152.exe
    260 B
     5
  • 185.161.248.142:38452
    kp762152.exe
    260 B
     5
  • 185.161.248.142:38452
    kp762152.exe
    260 B
     5
  • 185.161.248.142:38452
    kp762152.exe
    260 B
     5
  • 185.161.248.142:38452
    kp762152.exe
    260 B
     5
  • 185.161.248.142:38452
    kp762152.exe
    208 B
     4
  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    68.159.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    68.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
     159 B
     1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    72.209.201.84.in-addr.arpa
    dns
    72 B
     132 B
     1
    1

    DNS Request

    72.209.201.84.in-addr.arpa

  • 8.8.8.8:53
    29.243.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    29.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAd1180.exe
    Filesize

    406KB

    MD5

    da9be14a76bac6a21e5fd2486744e235

    SHA1

    cd4e5c29b827dbc5455497a69b96e94e22edfae2

    SHA256

    8bb287da0f04da2f2a468e14c19d8088bcd1bc936e4f4668214339bb94f72845

    SHA512

    abdd2ebfc28f5e5fb10544e280678f57ab69f3185acb53718aef98b7e45c578b7ce533ff030a47e64e04ccc13000e0b072ef130f90c81ff68fd521edeeeff342

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it999099.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp762152.exe
    Filesize

    353KB

    MD5

    0ff770222648b0a870bc90d75a97fd4c

    SHA1

    577080d4a744c60ccc3160c1c66313d6112a9a21

    SHA256

    2cd922e989d4908c6264f2a60c555118c8ef0f29033786e05e103abcce12cb0b

    SHA512

    60a57688247b15cc039c0ba5daeb092e9904508a351dbe865e425f189a04c022663bec292d040f6dc3f3b8e991dbc9ac8e88b7d2117ee8117e77d37dba587393

    Download Submit

  • memory/2844-14-0x00007FFC2FA93000-0x00007FFC2FA95000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2844-15-0x0000000000250000-0x000000000025A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2844-16-0x00007FFC2FA93000-0x00007FFC2FA95000-memory.dmp

    Filesize

    8KB

    Download

  • memory/5012-64-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5012-52-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5012-24-0x00000000071A0000-0x00000000071DA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/5012-36-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5012-38-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5012-88-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5012-86-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5012-84-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5012-82-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5012-80-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5012-76-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5012-74-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5012-72-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5012-70-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5012-68-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5012-66-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5012-22-0x00000000049F0000-0x0000000004A2C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/5012-62-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5012-58-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5012-56-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5012-55-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5012-23-0x0000000007230000-0x00000000077D4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5012-51-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5012-48-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5012-46-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5012-44-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5012-42-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5012-40-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5012-34-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5012-32-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5012-30-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5012-28-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5012-78-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5012-60-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5012-26-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5012-25-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5012-819-0x000000000A370000-0x000000000A47A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/5012-820-0x000000000A490000-0x000000000A4CC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/5012-818-0x000000000A350000-0x000000000A362000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5012-817-0x0000000009CA0000-0x000000000A2B8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/5012-821-0x0000000004CB0000-0x0000000004CFC000-memory.dmp

    Filesize

    304KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.