Overview

overview

10

Static

static

3

7b6b5519e9...f4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 02:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7b6b5519e9035d4dcbe2f452ece6c81dc6d1668e6dfa3b479871176dc4a5f6f4.exe

  • Size

    1.5MB

  • MD5

    c25534cce0573ec5a557ac63b6e535bb

  • SHA1

    5306ed3a3760e87ad69928b6d7f62f9191514833

  • SHA256

    7b6b5519e9035d4dcbe2f452ece6c81dc6d1668e6dfa3b479871176dc4a5f6f4

  • SHA512

    0f4b982d75782404810feb3516ad5918b64b3fdd88d001305cf99d167e6a6ba20479e9e16ec674652c2983d4158dcf2ca903e9a6c0568fd94d242ad66ddcbed4

  • SSDEEP

    24576:SylsdYbTznSk0HKjOM3/5IdYtVcTKxWcE4Flo6PTyEbNkCXiUd:5lVGTu5fKTKU740IyEZ1

Score
10/10
healerredlinemazdadiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

mazda

C2

217.196.96.56:4138

Attributes
  • auth_value

    3d2870537d84a4c6d7aeecd002871c51

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b6b5519e9035d4dcbe2f452ece6c81dc6d1668e6dfa3b479871176dc4a5f6f4.exe
    "C:\Users\Admin\AppData\Local\Temp\7b6b5519e9035d4dcbe2f452ece6c81dc6d1668e6dfa3b479871176dc4a5f6f4.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:864
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9228233.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9228233.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3296
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6184766.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6184766.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2016
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3207199.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3207199.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4392
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2642664.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2642664.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4232
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1356055.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1356055.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2080
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 1088
                7⤵
                • Program crash
                PID:872
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0051285.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0051285.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2092
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2080 -ip 2080
    1⤵
      PID:1520

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9228233.exe
      Filesize

      1.4MB

      MD5

      e44efca51331adb3458dfda5f1e5eb50

      SHA1

      b6104eb0a17c71fc07b526a2b7b33a1ec341c3c0

      SHA256

      4f3475b7b25e2071b22881804b3e2075885ade8d16134095e99bd716275c6c0d

      SHA512

      e11fb88c52e38ac91652fa1efa7b1a96e65ffc561ff040612d5a030efec00518b764bc31070d8418e161b87cef8fb4a461f1559e948b9d7630d4a3cca273295f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6184766.exe
      Filesize

      915KB

      MD5

      8217c4e6e394d51bcdc51860b7e06a17

      SHA1

      611f2d23a2c16d945068a1d0ad23573e8673f0e7

      SHA256

      cff99385e8985a1a483f4c89057360b9478ef54ba3bc04636029fd365914c010

      SHA512

      5b5c026afef7283f748fd4a3946a5d85906fda08b6763b58eae07241effcc105d701f514b2731a947df861d06c4e111f8b1ac2a9d7d89e27d9c3d9947f53f65c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3207199.exe
      Filesize

      711KB

      MD5

      54bc5fdfa23c18286783474905a059d9

      SHA1

      89830f02a949ebf0c64eafbc94d3b5fada92d941

      SHA256

      891d1d4f2d539592f6a2d39e29e035d5288fbcf8b370546ad441a64a371bc230

      SHA512

      c7cf3fa2b8487f2974a66b36f4f26a9bf50a19c8bc39f51a518e44ab424792e3b83d7506f35d20b5b6784ca2317c910dccb05be76501c076a9e681cb4c94ed21

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2642664.exe
      Filesize

      415KB

      MD5

      fc5a8b2adcd9c4bdf3dc3858c3377599

      SHA1

      244b5e1287b982a71a83108d8fe4b3e1da8f5db9

      SHA256

      5219adccbd4a0e5c91d42a726a47f807fe2be3ed66c7e599069c1a0a9353fa5f

      SHA512

      8f44492a4f1e540e7c9031dabcf7de9a0ebec2ccc4426b6472fcac516447faf9e39c3ce80685a0e3d0d03ad2f9c5ca2c6a67d246fe7039e1c4643074798f2f26

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1356055.exe
      Filesize

      360KB

      MD5

      8fb5674a314713fac5dcbe096b5cf726

      SHA1

      f14d9fad0c9650cd88238e6947356a74c13bea42

      SHA256

      371918bdad6325241f507f7324c2f06cb54d20fcf1e1096e1caebbd4eccde1f5

      SHA512

      d0f899e81b10d76d70031ccfd4d04089fe4772b325845abeb6aa0abcf85c4fdb4508285e024c55ceb996d98911a531955d41739a9b8be99a63274889d9dd7adb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0051285.exe
      Filesize

      168KB

      MD5

      ec061b347069bdcee68ac094e5ef6947

      SHA1

      587cc9373b5f7b6e96aea241bc0bd884861ace32

      SHA256

      f64edbe8f86d9645d8c0490b92a40f5cb18f7c687f98bba19e105f3b2bb995aa

      SHA512

      c98719c305e623b9fb49300ae90301a0eb05648ee2681d77954ecdb5048e48cfcaa0e35603cb9299da8cf10a61e3601f5880761562ef24be94f1fad2fe4b8e5e

      Download Submit

    • memory/2080-50-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2080-44-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2080-60-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2080-66-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2080-64-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2080-62-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2080-59-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2080-56-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2080-55-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2080-52-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2080-37-0x0000000004DF0000-0x0000000005394000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2080-48-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2080-46-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2080-38-0x0000000002830000-0x0000000002848000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2080-42-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2080-40-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2080-39-0x0000000002830000-0x0000000002842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2080-67-0x0000000000400000-0x00000000006F4000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/2080-69-0x0000000000400000-0x00000000006F4000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/2080-36-0x00000000025D0000-0x00000000025EA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2092-73-0x00000000005E0000-0x0000000000610000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2092-74-0x0000000002660000-0x0000000002666000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2092-75-0x0000000005500000-0x0000000005B18000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2092-76-0x0000000005030000-0x000000000513A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2092-77-0x0000000004F60000-0x0000000004F72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2092-78-0x0000000004FC0000-0x0000000004FFC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2092-79-0x0000000005140000-0x000000000518C000-memory.dmp

      Filesize

      304KB

      Download