Overview

overview

10

Static

static

3

2a286b5636...e1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/11/2024, 02:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2a286b5636b83346d0330ec3db01d4c5b7cbf08f26eb83755ed68d8ff36290e1.exe

  • Size

    965KB

  • MD5

    50f39440525dc1eb7fc72385c7b3fc70

  • SHA1

    2aa52b4f491c5a05a1e1a6522b894d610fa8631c

  • SHA256

    2a286b5636b83346d0330ec3db01d4c5b7cbf08f26eb83755ed68d8ff36290e1

  • SHA512

    a92802bc367f0b4844e22dc02ca6c2813844cc6570b1391be3a3eea62c4112f08acb0ee73c50efaddf7d221ec7845c35f4ebb760c4fbddbd368059404629d6e5

  • SSDEEP

    12288:+y90lxesi8fzbRJtwGDaHX5ScBK1c3Aig8sgrofUTOQxe1EJ7VmO7wbtcoEuVM7W:+yCesiUzXtrn1c7uUTbj7v7KZrM7xFO

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a286b5636b83346d0330ec3db01d4c5b7cbf08f26eb83755ed68d8ff36290e1.exe
    "C:\Users\Admin\AppData\Local\Temp\2a286b5636b83346d0330ec3db01d4c5b7cbf08f26eb83755ed68d8ff36290e1.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:916
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un936706.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un936706.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un742475.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un742475.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3440
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr092108.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr092108.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4040
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 1036
            5⤵
            • Program crash
            PID:3084
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu593066.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu593066.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4516
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4040 -ip 4040
    1⤵
      PID:2724

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un936706.exe
      Filesize

      706KB

      MD5

      78d0482d377fcc798ee17c22c23b2ce4

      SHA1

      f776ebcf2f2d2751cc1b5ace488d4d0dcfc5643a

      SHA256

      59a63703e3d41755c1025156382c7d1ad168d0ca9088121f13c81468c6914467

      SHA512

      bb2fc11a87afc7d233abb33a247d831744209f8b0a17aae628bcad3411460aca1bdd08cfe7e7a842befe294837d6c844baed0d058eb6de883b6ab68d5067dcfd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un742475.exe
      Filesize

      552KB

      MD5

      c71390da113992e37d036e5e1f0c095d

      SHA1

      68fbac5aba438c7706bcc7c0a8637986caa93f86

      SHA256

      a4ee99468fdef4fe0418814cac7cedf789e1ac9eb458a4108d95b17f35a43c2f

      SHA512

      bd389970124a01e8797a9c93630e8d58bf41cb330e74cdbcba5f8146922586353cd835da0275cd1d29538ef6b88d2a5bbfb4f44f8089da0771e02771d0db8fcb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr092108.exe
      Filesize

      299KB

      MD5

      ba90206440a1c6478e0bd41bf4088f4a

      SHA1

      f9bff7854790b24e0ec25068fd6a780ad43c0136

      SHA256

      78f3a055cb2991da63417eb8f3f6703f5297c79369bd0c0b2e732f0a682fcf47

      SHA512

      c17a6db5d2d003a957245bd087f06b9b04b6afe33e4ed5822d015e227caec1e76b8c245a8c2a266f85e6eadb8ac40a5e0ec5f6bc990542b1c112160426c8836f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu593066.exe
      Filesize

      381KB

      MD5

      089ed7f82369b121949e3bad3cf1bb79

      SHA1

      d8e87495dd3a3059029354f45c5913bc71f9203d

      SHA256

      0214a4a5b97ffc7acae654852c0e0eedcc1540b6d1ac504a9aa7a9e7acdf9a15

      SHA512

      3c3bbfe0d95e940c3be3d43c33dede83432719cfd8addc24979d803a16c007e590efe23a4769b3ae4893f8298c74e0cf8abe55fa62607c5e488f1af8c3034fa8

      Download Submit

    • memory/4040-42-0x00000000049D0000-0x00000000049E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4040-40-0x00000000049D0000-0x00000000049E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4040-25-0x00000000049D0000-0x00000000049E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4040-52-0x00000000049D0000-0x00000000049E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4040-50-0x00000000049D0000-0x00000000049E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4040-48-0x00000000049D0000-0x00000000049E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4040-46-0x00000000049D0000-0x00000000049E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4040-44-0x00000000049D0000-0x00000000049E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4040-23-0x00000000071D0000-0x0000000007774000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4040-24-0x00000000049D0000-0x00000000049E8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4040-38-0x00000000049D0000-0x00000000049E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4040-36-0x00000000049D0000-0x00000000049E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4040-34-0x00000000049D0000-0x00000000049E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4040-32-0x00000000049D0000-0x00000000049E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4040-30-0x00000000049D0000-0x00000000049E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4040-28-0x00000000049D0000-0x00000000049E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4040-26-0x00000000049D0000-0x00000000049E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4040-53-0x0000000000400000-0x0000000002BB4000-memory.dmp

      Filesize

      39.7MB

      Download

    • memory/4040-22-0x0000000004800000-0x000000000481A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4040-55-0x0000000000400000-0x0000000002BB4000-memory.dmp

      Filesize

      39.7MB

      Download

    • memory/4516-60-0x00000000048C0000-0x00000000048FC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4516-61-0x00000000077C0000-0x00000000077FA000-memory.dmp

      Filesize

      232KB

      Download

    • memory/4516-73-0x00000000077C0000-0x00000000077F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4516-75-0x00000000077C0000-0x00000000077F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4516-95-0x00000000077C0000-0x00000000077F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4516-93-0x00000000077C0000-0x00000000077F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4516-89-0x00000000077C0000-0x00000000077F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4516-87-0x00000000077C0000-0x00000000077F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4516-85-0x00000000077C0000-0x00000000077F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4516-83-0x00000000077C0000-0x00000000077F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4516-81-0x00000000077C0000-0x00000000077F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4516-79-0x00000000077C0000-0x00000000077F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4516-77-0x00000000077C0000-0x00000000077F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4516-71-0x00000000077C0000-0x00000000077F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4516-69-0x00000000077C0000-0x00000000077F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4516-91-0x00000000077C0000-0x00000000077F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4516-67-0x00000000077C0000-0x00000000077F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4516-65-0x00000000077C0000-0x00000000077F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4516-63-0x00000000077C0000-0x00000000077F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4516-62-0x00000000077C0000-0x00000000077F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4516-855-0x000000000A350000-0x000000000A362000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4516-856-0x000000000A370000-0x000000000A47A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4516-854-0x0000000009CC0000-0x000000000A2D8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4516-857-0x000000000A4A0000-0x000000000A4DC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4516-858-0x0000000004A20000-0x0000000004A6C000-memory.dmp

      Filesize

      304KB

      Download