Overview

overview

10

Static

static

3

9e429c3bd9...a7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 02:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9e429c3bd96f67dd16931c4799a1d9aa607005fe0272b6e66055df48a548eea7.exe

  • Size

    308KB

  • MD5

    22e4af0d94fc7614776ae95c56cd9203

  • SHA1

    2b7adc9b99da7a4309c9eb20503f9e87dac7daf9

  • SHA256

    9e429c3bd96f67dd16931c4799a1d9aa607005fe0272b6e66055df48a548eea7

  • SHA512

    4282c6d5d1f1b01069858d974495b9cd905d481fb9c53ec78f873eca9f67027ff8baa3588908ec0b7603971673c250b3ea7a0dd8dddec7cc4638d3a75290eb16

  • SSDEEP

    6144:K0y+bnr+Np0yN90QEOlEY+zbPsq4JIR7wFvNl/fQGC:YMrBy90Mb+zZeTTl/G

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9e429c3bd96f67dd16931c4799a1d9aa607005fe0272b6e66055df48a548eea7.exe
    "C:\Users\Admin\AppData\Local\Temp\9e429c3bd96f67dd16931c4799a1d9aa607005fe0272b6e66055df48a548eea7.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5080
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g5728869.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g5728869.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2396
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h8034776.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h8034776.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1572
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:920

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g5728869.exe
    Filesize

    176KB

    MD5

    fd73b03affc18539f613ec8091ea7d74

    SHA1

    75ef85d970e639d87fc69c5742c0caee4d6d5095

    SHA256

    806bd5812a5561b7043b47daf7d5c77de7a133a266ac42a9ea5ce50f6cc03e5c

    SHA512

    a0f05cc1d9ab1dfc89f9559e248e670f6836743326c5d3da405b811c1fa2eccb72be0cd5b3a64864a7c944393f278e7b0157f742b26b715f1d284303a1e6716b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h8034776.exe
    Filesize

    136KB

    MD5

    91491dccc84b35cfd86a78481f18b47d

    SHA1

    adada99e12fd55bdb936b58274f800623456f5ff

    SHA256

    4df1a0558ae94a086256e42f7d3c3cceb938667381f6b5dc86c444bc5e8e838b

    SHA512

    84a82002d00963af5b1d93a53a39b4a7a2839966f3e78e7e15a1af8471395b9888cf7010f6399eb6ea2845ca039e2bf9056b333965561a448765c750fe2aaf66

    Download Submit

  • memory/1572-55-0x0000000007940000-0x000000000798C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1572-54-0x0000000007900000-0x000000000793C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1572-53-0x0000000074990000-0x0000000074A3B000-memory.dmp

    Filesize

    684KB

    Download

  • memory/1572-52-0x00000000079D0000-0x0000000007ADA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1572-51-0x00000000078A0000-0x00000000078B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1572-50-0x0000000007E00000-0x0000000008418000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1572-48-0x0000000074990000-0x0000000074A3B000-memory.dmp

    Filesize

    684KB

    Download

  • memory/1572-49-0x0000000000B40000-0x0000000000B68000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2396-21-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2396-12-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2396-29-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2396-27-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2396-25-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2396-23-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2396-33-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2396-19-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2396-17-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2396-15-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2396-13-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2396-31-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2396-41-0x00000000749EE000-0x00000000749EF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2396-42-0x00000000749E0000-0x0000000075190000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2396-44-0x00000000749E0000-0x0000000075190000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2396-40-0x00000000749E0000-0x0000000075190000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2396-35-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2396-37-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2396-39-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2396-11-0x0000000004AC0000-0x0000000004AD8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2396-10-0x0000000004B60000-0x0000000005104000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2396-9-0x00000000749E0000-0x0000000075190000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2396-8-0x00000000025A0000-0x00000000025BA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2396-7-0x00000000749EE000-0x00000000749EF000-memory.dmp

    Filesize

    4KB

    Download