Overview

overview

10

Static

static

3

7ff9c28653...2e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 02:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7ff9c286537ac802623c2bc426718f990a8cccca6fd00389bf2099b674efa32e.exe

  • Size

    702KB

  • MD5

    41d31193db3171b873b5dc607753c409

  • SHA1

    d8c1fe233bc73e84e4b6ed5443c97850913d0890

  • SHA256

    7ff9c286537ac802623c2bc426718f990a8cccca6fd00389bf2099b674efa32e

  • SHA512

    e8a1d320bbfda862a75875c2ed8a326ee7cffb5a2178747ad552eabaef24069f463422f6dc24001879e2992d8bef62e5eaabdc15274418cb6f3cee28bb0fa28e

  • SSDEEP

    12288:Fy90xV71VHiGRzPD54sOnkM3e0E8srrF18iWFEG2Qo9w+NTCjXghBidqDo:FyK1VCOL5TOerfZ66Giwamsedf

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ff9c286537ac802623c2bc426718f990a8cccca6fd00389bf2099b674efa32e.exe
    "C:\Users\Admin\AppData\Local\Temp\7ff9c286537ac802623c2bc426718f990a8cccca6fd00389bf2099b674efa32e.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1768
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un132756.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un132756.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3940
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\02800867.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\02800867.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4960
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 1084
          4⤵
          • Program crash
          PID:4228
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk433585.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk433585.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4884
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4960 -ip 4960
    1⤵
      PID:5020

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un132756.exe
      Filesize

      547KB

      MD5

      23a217535e8a52a476849b75efa01b18

      SHA1

      372c4824a31a52b3b80fea06576daee105dd71ff

      SHA256

      0ab5bc72c5b3bfa3627f870c56330c7195cb678f406d91bbf1b10ac05704d07c

      SHA512

      02d75b348329622b01285db9b528ef261d45987ae79f4355d967d95209d7d3a49472ee5690198499a01b081e13f713c0f94386faf0db27c861365928b3760f35

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\02800867.exe
      Filesize

      269KB

      MD5

      ca533fa154ff8bc8af96c9b7eac4363a

      SHA1

      fe64326d41bebec7da308d485bd12a7b3790f751

      SHA256

      f157a1f48e0b049f6bcded30c0e4b5c8d604eaea53b5343d1d5687abbb97a778

      SHA512

      bc796712596f8b08787604c24f30b18d5340b6418633bd5e4a6b6685919be07407c702ba33706ce56beb6ffe41e07cc478be2cef38614bde809b61853232e6c2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk433585.exe
      Filesize

      353KB

      MD5

      ea7245861126d8db4c871d8a61893a30

      SHA1

      86c778b90f3c61c797ee071fa523f03d0f660ae6

      SHA256

      5748598c547dd39a1bcd84df844a193b173182fe3d4809edea4961ff6a9aa779

      SHA512

      0736496df392f93e47564ed9d5db7a9b75f48ec830a3854c0ee8fcd8fbc24d77cdbaa58bbd90692f234f2e2fe53ed625b750e0267b6a913cbbca108b3779133e

      Download Submit

    • memory/4884-71-0x0000000004D50000-0x0000000004D85000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4884-80-0x0000000004D50000-0x0000000004D85000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4884-855-0x000000000A350000-0x000000000A362000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4884-854-0x0000000009D30000-0x000000000A348000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4884-62-0x0000000004D50000-0x0000000004D85000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4884-77-0x0000000004D50000-0x0000000004D85000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4884-87-0x0000000004D50000-0x0000000004D85000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4884-65-0x0000000004D50000-0x0000000004D85000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4884-68-0x0000000004D50000-0x0000000004D85000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4884-69-0x0000000004D50000-0x0000000004D85000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4884-857-0x000000000A480000-0x000000000A4BC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4884-858-0x0000000004B40000-0x0000000004B8C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4884-75-0x0000000004D50000-0x0000000004D85000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4884-856-0x000000000A370000-0x000000000A47A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4884-81-0x0000000004D50000-0x0000000004D85000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4884-83-0x0000000004D50000-0x0000000004D85000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4884-85-0x0000000004D50000-0x0000000004D85000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4884-89-0x0000000004D50000-0x0000000004D85000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4884-91-0x0000000004D50000-0x0000000004D85000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4884-93-0x0000000004D50000-0x0000000004D85000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4884-95-0x0000000004D50000-0x0000000004D85000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4884-73-0x0000000004D50000-0x0000000004D85000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4884-63-0x0000000004D50000-0x0000000004D85000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4884-61-0x0000000004D50000-0x0000000004D8A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/4884-60-0x00000000049C0000-0x00000000049FC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4960-40-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4960-54-0x0000000000400000-0x0000000002B9E000-memory.dmp

      Filesize

      39.6MB

      Download

    • memory/4960-55-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4960-52-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4960-50-0x0000000000400000-0x0000000002B9E000-memory.dmp

      Filesize

      39.6MB

      Download

    • memory/4960-51-0x0000000002C80000-0x0000000002CAD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/4960-49-0x0000000002D30000-0x0000000002E30000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/4960-22-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4960-24-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4960-26-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4960-28-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4960-30-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4960-32-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4960-34-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4960-36-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4960-38-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4960-43-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4960-44-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4960-46-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4960-48-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4960-21-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4960-20-0x0000000004BE0000-0x0000000004BF8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4960-19-0x0000000007270000-0x0000000007814000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4960-18-0x0000000004B70000-0x0000000004B8A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4960-17-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4960-16-0x0000000002C80000-0x0000000002CAD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/4960-15-0x0000000002D30000-0x0000000002E30000-memory.dmp

      Filesize

      1024KB

      Download