Overview

overview

10

Static

static

3

6bf4271e2e...74.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/11/2024, 01:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6bf4271e2e9a6ef24bce45813591be60d24da49dddd3141b9c6d97dda071ed74.exe

  • Size

    560KB

  • MD5

    b55fa82983433480ffe7aedb1529bef0

  • SHA1

    a9331f76ae666d1e07fb241f7dac16f959c51ae7

  • SHA256

    6bf4271e2e9a6ef24bce45813591be60d24da49dddd3141b9c6d97dda071ed74

  • SHA512

    d76af76093c113e2be40dd496c58a311d3efe64daac0236392ed59e6995b2d06ec7e2534e1c78d3a17ae04533ba19ed29973467bebe6172f6b510248389d3a78

  • SSDEEP

    12288:Jy9003w+iI2gq0EsH6e333S09SB+zaoQcAv5:Jyxw+iI2g3Ean3S0OGY

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6bf4271e2e9a6ef24bce45813591be60d24da49dddd3141b9c6d97dda071ed74.exe
    "C:\Users\Admin\AppData\Local\Temp\6bf4271e2e9a6ef24bce45813591be60d24da49dddd3141b9c6d97dda071ed74.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:844
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPY5879.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPY5879.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2316
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it841372.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it841372.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4484
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp585354.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp585354.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3860

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPY5879.exe
    Filesize

    406KB

    MD5

    3da021e03249734a4a2f6008e1a343c0

    SHA1

    81aef62e617c7f185b712bb464fdf9562d716bb5

    SHA256

    50937c650ff9d5c5f70f49f578fc8faf83dee25815cfb36c0015eec7a46bcc56

    SHA512

    2fad742d227904e1c9c193fc23d479ea19c2a55ebaca8ac63f5fafb78000ff354f6de8c1f039b0cd2b281ea723a03ea20eebf4c6a75ff1c9bd4ca1f71f6458a6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it841372.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp585354.exe
    Filesize

    352KB

    MD5

    3c6e0a6c1078e0ec0421fb3e5e8a34db

    SHA1

    86556566df69a8a841d9e0a2678de6bc2f3a6d26

    SHA256

    4e6d8e52e28e0e9de648cfc114cb56c94f79c2bd4f44bec45ab550dd5e7f90b3

    SHA512

    89b633ea404a836368289537d3458b564fe31c661f7fd4e0c4fd7a8957d08d66af668c30ebc28b1d2f055478fb5f8b971d4cfb688a94c1e4e99a0bf6b471a9d7

    Download Submit

  • memory/3860-61-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3860-56-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3860-21-0x0000000007120000-0x000000000715C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3860-22-0x0000000007280000-0x0000000007824000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3860-23-0x00000000071A0000-0x00000000071DA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3860-27-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3860-35-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3860-87-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3860-85-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3860-83-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3860-81-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3860-79-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3860-77-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3860-75-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3860-73-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3860-71-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3860-67-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3860-57-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3860-64-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3860-820-0x0000000004BC0000-0x0000000004C0C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3860-817-0x000000000A350000-0x000000000A362000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3860-60-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3860-65-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3860-53-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3860-51-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3860-50-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3860-47-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3860-46-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3860-43-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3860-41-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3860-39-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3860-37-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3860-33-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3860-31-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3860-29-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3860-69-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3860-25-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3860-24-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3860-816-0x0000000009CB0000-0x000000000A2C8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3860-819-0x000000000A490000-0x000000000A4CC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3860-818-0x000000000A370000-0x000000000A47A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4484-14-0x00007FFEF0303000-0x00007FFEF0305000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4484-15-0x0000000000910000-0x000000000091A000-memory.dmp

    Filesize

    40KB

    Download