Overview

overview

10

Static

static

3

0ebd867317...7a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 01:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0ebd8673174e96dc064cfb896ae8470b1f985f020403aa0032e36ee6529a807a.exe

  • Size

    746KB

  • MD5

    051691e70dc83d1db539e3e0b132c078

  • SHA1

    8713979cce86db6b29061be679b49f39dafd3421

  • SHA256

    0ebd8673174e96dc064cfb896ae8470b1f985f020403aa0032e36ee6529a807a

  • SHA512

    0754005e7eebbabb82fe96f24f1b7bfcddbb35ff55106a8670e67e45b420c21acfe706f047c5717ed0536edd51428365efc5c98a50bd6ad858f68c519ab2c5d0

  • SSDEEP

    12288:+y90ZjiWJR0x1rkk50FtU3lIQ+E2Q/459pyBtXCT9+FAUg+BUQ:+yaox550E3KQ+E282CXCTYFAU32Q

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ebd8673174e96dc064cfb896ae8470b1f985f020403aa0032e36ee6529a807a.exe
    "C:\Users\Admin\AppData\Local\Temp\0ebd8673174e96dc064cfb896ae8470b1f985f020403aa0032e36ee6529a807a.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un814522.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un814522.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4052
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\73387070.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\73387070.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1724
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 1048
          4⤵
          • Program crash
          PID:5088
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk363978.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk363978.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4600
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1724 -ip 1724
    1⤵
      PID:4120

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un814522.exe
      Filesize

      592KB

      MD5

      021b9a9c33517f8ea3ab1b69da529b38

      SHA1

      b06cc095cd7a235813f15f7726e51da82bbe3903

      SHA256

      f74ce3a04c490d034929ef9e6530fe7112f77e31a2af1af8040428c4f19862a8

      SHA512

      bfaa3d7e55bd6f0d2370b6f09f3d03f892e06ec4acac84c7ded15851c7dd6757e081b01d5c81eed1dcb9c0ee504e577bc30221e102c9690547160a361d93c8d5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\73387070.exe
      Filesize

      376KB

      MD5

      e58aa474d2962dd2d1776d916005dd05

      SHA1

      195c71c8489807439652b140f46e0eb4cb0dcbbd

      SHA256

      19510e4af16a280719cd7dac17b303a1b6c27194bc057f9099fb7aa068b68bf9

      SHA512

      8eca3d2d6502798708ffcf417a243c6b56f9247d15d54f4f30739299f1e0553e16195dd12d6e46f738540df96ea08c7001bc5ce9dfd19aa6977cd7c9c86dea9e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk363978.exe
      Filesize

      459KB

      MD5

      c6ea4fc3006123c72d0a4503c1b5ab85

      SHA1

      243222883237cf788a31b16b49847b842f3b690d

      SHA256

      853cf5b8b71c0a1a9faba38ab85401ddf7e67aae9b48a3b2f1a7cafff76bb650

      SHA512

      a9d6951a2b1818b9800cb8a4ba8c21222874d0a339e36cdbb93ce730d4db183917e3c5b320f1d9cbf815264cda7f527bb90d228d796ae0221bcd7541637abacb

      Download Submit

    • memory/1724-15-0x0000000000AD0000-0x0000000000BD0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1724-16-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1724-17-0x0000000000400000-0x0000000000803000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1724-18-0x0000000000400000-0x0000000000803000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1724-19-0x0000000002510000-0x000000000252A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1724-20-0x0000000005080000-0x0000000005624000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1724-21-0x0000000002830000-0x0000000002848000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1724-33-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1724-39-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1724-49-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1724-47-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1724-45-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1724-43-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1724-41-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1724-37-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1724-35-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1724-27-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1724-25-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1724-23-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1724-22-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1724-31-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1724-29-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1724-50-0x0000000000AD0000-0x0000000000BD0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1724-51-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1724-54-0x0000000000400000-0x0000000000803000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1724-55-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4600-60-0x0000000002730000-0x000000000276C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4600-61-0x0000000004E20000-0x0000000004E5A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/4600-71-0x0000000004E20000-0x0000000004E55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4600-91-0x0000000004E20000-0x0000000004E55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4600-95-0x0000000004E20000-0x0000000004E55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4600-93-0x0000000004E20000-0x0000000004E55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4600-89-0x0000000004E20000-0x0000000004E55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4600-87-0x0000000004E20000-0x0000000004E55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4600-85-0x0000000004E20000-0x0000000004E55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4600-83-0x0000000004E20000-0x0000000004E55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4600-81-0x0000000004E20000-0x0000000004E55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4600-79-0x0000000004E20000-0x0000000004E55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4600-77-0x0000000004E20000-0x0000000004E55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4600-75-0x0000000004E20000-0x0000000004E55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4600-73-0x0000000004E20000-0x0000000004E55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4600-69-0x0000000004E20000-0x0000000004E55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4600-67-0x0000000004E20000-0x0000000004E55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4600-65-0x0000000004E20000-0x0000000004E55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4600-63-0x0000000004E20000-0x0000000004E55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4600-62-0x0000000004E20000-0x0000000004E55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4600-854-0x0000000007930000-0x0000000007F48000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4600-855-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4600-856-0x0000000007FC0000-0x00000000080CA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4600-857-0x00000000080E0000-0x000000000811C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4600-858-0x0000000004950000-0x000000000499C000-memory.dmp

      Filesize

      304KB

      Download