Overview

overview

10

Static

static

3

6d46c2ae32...e8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 02:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6d46c2ae325a0e05b7e7bfcbf8b3569931818346fe446ac6a36d0feb1d4be7e8.exe

  • Size

    704KB

  • MD5

    baaef720234f2b6d61f28361503a7ced

  • SHA1

    e346a588cd4931806a2627bb2d1314c7fa22f6bf

  • SHA256

    6d46c2ae325a0e05b7e7bfcbf8b3569931818346fe446ac6a36d0feb1d4be7e8

  • SHA512

    a197aa413651a2372df3c3f6fc4999a3ba14cd7620279aa0de0c0149424d7c9a49988c55e7bae08b80bc4f1f97a4d51f2f3e71e5bcdfc8f5bffe3d6cb60bf669

  • SSDEEP

    12288:By90Qug4dfFmyisxZOaR1lX6lthUqPt2xQT+rMTd5g++BVRjknTj1CEt+Zm:ByJ7sfFmDsxZZlKHhrV2lrK+Tg31CE3

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6d46c2ae325a0e05b7e7bfcbf8b3569931818346fe446ac6a36d0feb1d4be7e8.exe
    "C:\Users\Admin\AppData\Local\Temp\6d46c2ae325a0e05b7e7bfcbf8b3569931818346fe446ac6a36d0feb1d4be7e8.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un236234.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un236234.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4812
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\06616747.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\06616747.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4464
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1088
          4⤵
          • Program crash
          PID:1676
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk977664.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk977664.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1292
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4464 -ip 4464
    1⤵
      PID:1912
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start wuauserv
      1⤵
      • Launches sc.exe
      PID:2196

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un236234.exe
      Filesize

      549KB

      MD5

      24c8c733cf3cde29a63d02ecf4e93171

      SHA1

      4f5b55ee72c5f913d701069e0f095c502725cd23

      SHA256

      144d750e798e32e3f7eb7d18e09b735e7a77a22ef4ae080c911b33edb4327427

      SHA512

      96a958af28e6eaa144e8f19f096c94994f013cea99b26df4219cc4d6f737849f0993a7ca97b6ce202f97eeb09baf1372ba4762b3b5f1d4f971eea6ebd146f3aa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\06616747.exe
      Filesize

      282KB

      MD5

      7c006c31749ebaee42cc4393bc2d6b32

      SHA1

      8d282d0b6ec8f58a6074354f6b53b59fdfdc4963

      SHA256

      01567bf34f7a755ae677825a150700289efc44ed58b3fa4e4a056c43c6d6be32

      SHA512

      fd34584bb1c0772f5a030018cfbe67d5e5a966230cd89563865710eb1d8c38de07ebb675570204776a7afa4f79a33d2c24fa3baf7c5b77c05e313a27259daad9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk977664.exe
      Filesize

      365KB

      MD5

      f1ada15cfdb390f9e72604660aa04b93

      SHA1

      f03e68de8e6e7f71a09af9267520ee7d240568d8

      SHA256

      c4c688fc1a77fb4fe2c5abb7e75270b232137224a2a2e23a00c7b9de2e55d83e

      SHA512

      4d9defc40a0c9b7870b1ef5eb2d5de09008af1283e510d963d242016ed5f5aaa6f3fac8e9adad50c0b2e4dae837948cf3c5d27c2a543586d12b0b598061d67f6

      Download Submit

    • memory/1292-94-0x0000000005000000-0x0000000005035000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1292-63-0x0000000005000000-0x0000000005035000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1292-856-0x0000000007BF0000-0x0000000007C02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1292-855-0x0000000007530000-0x0000000007B48000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1292-78-0x0000000005000000-0x0000000005035000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1292-82-0x0000000005000000-0x0000000005035000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1292-84-0x0000000005000000-0x0000000005035000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1292-86-0x0000000005000000-0x0000000005035000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1292-88-0x0000000005000000-0x0000000005035000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1292-92-0x0000000005000000-0x0000000005035000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1292-858-0x0000000007D30000-0x0000000007D6C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1292-859-0x00000000023D0000-0x000000000241C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1292-96-0x0000000005000000-0x0000000005035000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1292-857-0x0000000007C10000-0x0000000007D1A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1292-64-0x0000000005000000-0x0000000005035000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1292-66-0x0000000005000000-0x0000000005035000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1292-68-0x0000000005000000-0x0000000005035000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1292-70-0x0000000005000000-0x0000000005035000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1292-80-0x0000000005000000-0x0000000005035000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1292-90-0x0000000005000000-0x0000000005035000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1292-74-0x0000000005000000-0x0000000005035000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1292-76-0x0000000005000000-0x0000000005035000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1292-72-0x0000000005000000-0x0000000005035000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1292-62-0x0000000005000000-0x000000000503A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/1292-61-0x00000000049B0000-0x00000000049EC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4464-43-0x00000000025A0000-0x00000000025B3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4464-56-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4464-55-0x0000000000400000-0x000000000045A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/4464-52-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4464-51-0x0000000000470000-0x000000000049D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/4464-50-0x0000000000610000-0x0000000000710000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/4464-22-0x00000000025A0000-0x00000000025B3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4464-23-0x00000000025A0000-0x00000000025B3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4464-25-0x00000000025A0000-0x00000000025B3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4464-27-0x00000000025A0000-0x00000000025B3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4464-29-0x00000000025A0000-0x00000000025B3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4464-31-0x00000000025A0000-0x00000000025B3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4464-33-0x00000000025A0000-0x00000000025B3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4464-37-0x00000000025A0000-0x00000000025B3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4464-39-0x00000000025A0000-0x00000000025B3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4464-41-0x00000000025A0000-0x00000000025B3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4464-45-0x00000000025A0000-0x00000000025B3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4464-47-0x00000000025A0000-0x00000000025B3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4464-49-0x00000000025A0000-0x00000000025B3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4464-35-0x00000000025A0000-0x00000000025B3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4464-21-0x00000000025A0000-0x00000000025B8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4464-20-0x0000000004AC0000-0x0000000005064000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4464-19-0x00000000023F0000-0x000000000240A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4464-18-0x0000000000400000-0x000000000045A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/4464-17-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4464-16-0x0000000000470000-0x000000000049D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/4464-15-0x0000000000610000-0x0000000000710000-memory.dmp

      Filesize

      1024KB

      Download