Overview

overview

10

Static

static

3

333d7fd081...ef.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 01:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    333d7fd0817ebb298968e84cf030057b30f334506a5f8029b7aa5542b94946ef.exe

  • Size

    1.5MB

  • MD5

    7d20f63f98e4f771c6f3dc08b41654a3

  • SHA1

    b3be7b245cd29c75fd25619bd78fbfaff7e88fa9

  • SHA256

    333d7fd0817ebb298968e84cf030057b30f334506a5f8029b7aa5542b94946ef

  • SHA512

    e7bfb4c0eedfd8a5e0f6283de0eb9b2c3eb8a5aaed6ec5dbbc85971ec916c5ee7f4270d9983e18a1028a9d4bbb322f402de21c25add95f0eea040437ce080a20

  • SSDEEP

    49152:qr9k1dpGGqDLxd1vBbnGW7qfAKoCjoCUC:a9EY/nDYfAK9o7

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\333d7fd0817ebb298968e84cf030057b30f334506a5f8029b7aa5542b94946ef.exe
    "C:\Users\Admin\AppData\Local\Temp\333d7fd0817ebb298968e84cf030057b30f334506a5f8029b7aa5542b94946ef.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9300320.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9300320.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3964
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4172688.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4172688.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3524
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6640287.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6640287.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3572
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2171270.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2171270.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4036
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1507266.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1507266.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4512
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 1100
                7⤵
                • Program crash
                PID:2396
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6278784.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6278784.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:4560
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4512 -ip 4512
    1⤵
      PID:3144
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start wuauserv
      1⤵
      • Launches sc.exe
      PID:4796

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9300320.exe
      Filesize

      1.4MB

      MD5

      4d8190516377b27154a108427097fc90

      SHA1

      4b49f65a161fadc48e52405d3b59f2443560c3e0

      SHA256

      5c03255ca12ddbc9d802889a0fe64e6ac3ecb9cc0ce735e1e3f90bb3b0aac55c

      SHA512

      bf0ccbfe91c217b79c94a7d1b8886be3915a7eeaba18a74762f11dbddca4333c63e5b2a413a78fbda90be08fb3bbf34721ff88b28f01739aa488d77c3a50fa05

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4172688.exe
      Filesize

      911KB

      MD5

      551a3481d6bce1307d989baed5fc0376

      SHA1

      1cde078ee2bf07b076381065618518d4be556b0f

      SHA256

      7220f07445b22363523e390e64335bc369db77a0152e2f4144cc97ecc73a79e6

      SHA512

      35014dd855fc354c44c70112e1d8e8306064ea7c36251a12ab2c1ba5de16b848bfcccc68bb959d2a16ab61ecd76e344a2a5f92f2b64bf81f1d772ecad63320b2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6640287.exe
      Filesize

      707KB

      MD5

      dc3a18f64dd5f523497c6ba93b450d82

      SHA1

      fdea8751f24826904dfa7362e40b4abbed0a617d

      SHA256

      86f9243e06a4ecef26274fdd04c43582f2b711cff24afd5eb3c715a66e17c5b6

      SHA512

      9326bae26fb4274d37c87aa552c72f6bb1427b69fe11ec0ab8872cc919a29195be94a32f45850b6ba4852e189d5c1aa8bc6aa4499d94c677585e9b1366c0e9fb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2171270.exe
      Filesize

      416KB

      MD5

      ead4a1556fb07ef27558fb9fff11de8c

      SHA1

      eb6a5e872686c7bf6558b72d48c104490657c111

      SHA256

      35f9a4e200344161a097ea97ed89837ae8a6227e124eadb02812c830827f224d

      SHA512

      57bac5b152ab4810f313edd42550a33af2c5bd4d38e5e617f1c8f9bfe18b33e38b912365415cb7cbbc1b8adb1a4fdac1f10f6431074347c8e62b2315cbf6b6b6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1507266.exe
      Filesize

      360KB

      MD5

      43973cbe7b59d7e436bfeb93fbb2c8ff

      SHA1

      696d82a965adf798e165f2544d44f3692c2473a7

      SHA256

      48473c31a27a3e5a2cee94495b900680bf97060a31a0aa3b682ec9281d793d0e

      SHA512

      19773d4dc098fc1cff86eb43b5b46d2fa8bc2258ef4d56718c44d70d243ac1aa9c314b792bcb74e3cbe7c9dabe6031783683c064a3742aacf3dd69f013b126f0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6278784.exe
      Filesize

      136KB

      MD5

      275f87317241545c6ce4cf381a83fa4d

      SHA1

      5bc8695f9e0c264296bf571991e31bc0d4d8210a

      SHA256

      c964b834589bbcd4a823b668d03d19c6cbaac9bb154ee3d9589b993230be161d

      SHA512

      203e2fbc75bcb68b8339e75ac7afcc24a36b5c75a2c04342a38424ec9b01b4732d79d509dd5fd3ed4d420fab46c8a8da0c3540c33f378eb4c4b2af826b66b554

      Download Submit

    • memory/4512-39-0x00000000024F0000-0x0000000002502000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4512-46-0x00000000024F0000-0x0000000002502000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4512-37-0x0000000004E90000-0x0000000005434000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4512-64-0x00000000024F0000-0x0000000002502000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4512-66-0x00000000024F0000-0x0000000002502000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4512-62-0x00000000024F0000-0x0000000002502000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4512-60-0x00000000024F0000-0x0000000002502000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4512-59-0x00000000024F0000-0x0000000002502000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4512-56-0x00000000024F0000-0x0000000002502000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4512-55-0x00000000024F0000-0x0000000002502000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4512-52-0x00000000024F0000-0x0000000002502000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4512-50-0x00000000024F0000-0x0000000002502000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4512-48-0x00000000024F0000-0x0000000002502000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4512-38-0x00000000024F0000-0x0000000002508000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4512-44-0x00000000024F0000-0x0000000002502000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4512-42-0x00000000024F0000-0x0000000002502000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4512-40-0x00000000024F0000-0x0000000002502000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4512-67-0x0000000000400000-0x00000000006F4000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/4512-36-0x0000000002460000-0x000000000247A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4512-69-0x0000000000400000-0x00000000006F4000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/4560-73-0x00000000005D0000-0x00000000005F8000-memory.dmp

      Filesize

      160KB

      Download

    • memory/4560-74-0x0000000007870000-0x0000000007E88000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4560-75-0x00000000072F0000-0x0000000007302000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4560-76-0x0000000007460000-0x000000000756A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4560-77-0x0000000007390000-0x00000000073CC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4560-78-0x0000000000C60000-0x0000000000CAC000-memory.dmp

      Filesize

      304KB

      Download