Overview

overview

10

Static

static

3

9d3e3e1ed2...96.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 02:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9d3e3e1ed28dba6a283ed5d0a64c780bb6f9b59b5fa7ccae8734e2c665d86c96.exe

  • Size

    1.5MB

  • MD5

    426cd7a828f1d5c78f56566eaafc464a

  • SHA1

    13774e4abdb2b7eab552115f4b8a7b21000aeb3a

  • SHA256

    9d3e3e1ed28dba6a283ed5d0a64c780bb6f9b59b5fa7ccae8734e2c665d86c96

  • SHA512

    f3b180d5015c1b9b2a0986a6bcc93bebe72ae79aaca74c73fade30a87650e8a3edceee2012c32477004966f12d740dfa9552a342bc62e59c6f6e7772656e452e

  • SSDEEP

    24576:tyba/LCuFViW7RESuBr4EMn2mVmdN9tREN+qgKi1aqSbMKebotchawH9juy1uk:IoLXF80ESwUE3mV6FbvOJogc8m9n

Score
10/10
healerredlinemazdadiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

mazda

C2

217.196.96.56:4138

Attributes
  • auth_value

    3d2870537d84a4c6d7aeecd002871c51

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9d3e3e1ed28dba6a283ed5d0a64c780bb6f9b59b5fa7ccae8734e2c665d86c96.exe
    "C:\Users\Admin\AppData\Local\Temp\9d3e3e1ed28dba6a283ed5d0a64c780bb6f9b59b5fa7ccae8734e2c665d86c96.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4820664.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4820664.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2276
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8282383.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8282383.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3796
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9907076.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9907076.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2804
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5444262.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5444262.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3384
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6783520.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6783520.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:464
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 1088
                7⤵
                • Program crash
                PID:1648
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7530801.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7530801.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:1084
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 464 -ip 464
    1⤵
      PID:4612

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4820664.exe
      Filesize

      1.3MB

      MD5

      e375d5d523e109a497744cb9c315b33a

      SHA1

      af8ee70218aa1ee1b15dd0c153412d4006220718

      SHA256

      cdc09ea7a73ce8ec0e4c2d67c730262da9f21ad5c919e78fd1514000df15542a

      SHA512

      4d395f5fee2e84fb3bb4eebad008dedb298c9177b0a3fbe80205a4345e709694740237fee08bae5c8e643416655138ade3b4757b279438c83f8a33e908b2da9d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8282383.exe
      Filesize

      867KB

      MD5

      9fb561677a3a3d80fd3c4e8e9a321483

      SHA1

      9edf61ac5ef54e9a747fac483161825afe70e17a

      SHA256

      3541a3fbe8c3f767394541e5e8d9d2bf85a4ffb6ec2727504e029a3c2906934f

      SHA512

      63b74e7b32ede228dcdf37f265a7ece45130c28e91a6e9c158df59641efc710f2cb569ab947427a3a1c11717585f4cc1cce44d2636661a182b927835ef43da28

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9907076.exe
      Filesize

      663KB

      MD5

      01151922166beda708a97b7b7918dc29

      SHA1

      c99daf86382e9c67d93ce6248112aef490b49ec3

      SHA256

      f5e82e333a47e7f88494d1eaa8a27a8fc1853e3e141eeac8ec5c9d20735e0e01

      SHA512

      7dec40e741a440ab70c149c3dced7bcf5abe87e418b05c75407fc5933aed71318ae70655de10e36b3571a646d9e0227056d265802cb6af3a8f9a4f8b76158e2a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5444262.exe
      Filesize

      393KB

      MD5

      895c96cad6cf38a90ba630a548e84291

      SHA1

      2ac58c450662818b0cb7290b6695644a2e304c41

      SHA256

      a25f9355c5155801aadab3b263913d873b832011f017252bdf309fd30c963471

      SHA512

      82955615b72a71306e2758c7628b7ae55cfb6486e94eb0998affedf9ff1b1b2c52bcc96cd8e331ca7ebf8fe5b702b3d8fe56e9d961dc0ce484bab70f25f690e1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6783520.exe
      Filesize

      315KB

      MD5

      a54f0a4c4d0579189aa482bb8cd8231c

      SHA1

      48dab2bf24fb29bcaaa9b36b2962dfe0d7eb6f0b

      SHA256

      7b13d2dff031a163e5fb8040fb9f3325b0c88c0c4e628a22acfb9bb1265fd79a

      SHA512

      f7a3c12a19e45f76bd4d549cf7dafc20ddef158a4edd6bfc64c01ff6cff26e39f6539423ba8848547d6bb3a3b9385f0a53ec43102f1783aa6b6524b9c2d39d00

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7530801.exe
      Filesize

      168KB

      MD5

      f6eaa099e245fe7623e81090b3e89e39

      SHA1

      a4f2dde0c04c98f786d2771ec03acfb23cf047b0

      SHA256

      322504e3e7c8cac9502f695c71b46ac30c67ffec5ae7812eab47e04fa9c6c205

      SHA512

      93ed7704103614fe8cd02cbd453f9ce7c09160215f1937c7487727b14d9fdc28d399191e417d7b8f40220f2eedb52ff074a85fef39ae3b0fa0e78085d5333afc

      Download Submit

    • memory/464-50-0x0000000004A20000-0x0000000004A32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/464-44-0x0000000004A20000-0x0000000004A32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/464-66-0x0000000004A20000-0x0000000004A32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/464-64-0x0000000004A20000-0x0000000004A32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/464-62-0x0000000004A20000-0x0000000004A32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/464-60-0x0000000004A20000-0x0000000004A32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/464-58-0x0000000004A20000-0x0000000004A32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/464-56-0x0000000004A20000-0x0000000004A32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/464-54-0x0000000004A20000-0x0000000004A32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/464-52-0x0000000004A20000-0x0000000004A32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/464-37-0x0000000004B40000-0x00000000050E4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/464-48-0x0000000004A20000-0x0000000004A32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/464-46-0x0000000004A20000-0x0000000004A32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/464-38-0x0000000004A20000-0x0000000004A38000-memory.dmp

      Filesize

      96KB

      Download

    • memory/464-42-0x0000000004A20000-0x0000000004A32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/464-40-0x0000000004A20000-0x0000000004A32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/464-39-0x0000000004A20000-0x0000000004A32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/464-67-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

      Download

    • memory/464-69-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

      Download

    • memory/464-36-0x0000000004960000-0x000000000497A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1084-73-0x0000000000DF0000-0x0000000000E20000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1084-74-0x0000000002FD0000-0x0000000002FD6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1084-75-0x0000000005E00000-0x0000000006418000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1084-76-0x00000000058F0000-0x00000000059FA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1084-77-0x0000000005660000-0x0000000005672000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1084-78-0x00000000057E0000-0x000000000581C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1084-79-0x0000000005820000-0x000000000586C000-memory.dmp

      Filesize

      304KB

      Download