Overview

overview

10

Static

static

3

5b74649c28...8f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 02:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5b74649c28d48d39996857418e851462c555d280d9803eda0b11fb36eb70808f.exe

  • Size

    1.5MB

  • MD5

    0e5e19aa082452d19d4e1475e56101d6

  • SHA1

    4fdf6792d05c497a51c1787f7b052873c0a41d61

  • SHA256

    5b74649c28d48d39996857418e851462c555d280d9803eda0b11fb36eb70808f

  • SHA512

    ba414d1a2da0421fc823ab708756af73f936dc5e1363ec783e48f36a74cc1936e10c75ec5907748af24bd7fe0d366adaa4bfe7a688dd7bffbf9e6ede444e2b2f

  • SSDEEP

    24576:Gy6clTwtdvd8YUjgSyLafLayF8u4zzzN3aVs5JmYS/20eea0EIgUKAEAONwK:V6cettd6eLeGygMVsTXO+TtIfp

Score
10/10
healerredlinemazdadiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

mazda

C2

217.196.96.56:4138

Attributes
  • auth_value

    3d2870537d84a4c6d7aeecd002871c51

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5b74649c28d48d39996857418e851462c555d280d9803eda0b11fb36eb70808f.exe
    "C:\Users\Admin\AppData\Local\Temp\5b74649c28d48d39996857418e851462c555d280d9803eda0b11fb36eb70808f.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3928
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8527527.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8527527.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2380
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7140261.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7140261.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4320
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4796270.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4796270.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1484
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8436102.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8436102.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3464
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0653568.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0653568.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4488
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 1080
                7⤵
                • Program crash
                PID:5084
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2028312.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2028312.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2732
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4488 -ip 4488
    1⤵
      PID:2240

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8527527.exe
      Filesize

      1.4MB

      MD5

      f41ba285bcf277e58d09f86a65848df1

      SHA1

      30b89a05e7ada365486e124126633277d76758f3

      SHA256

      a527a1655cee605b02dd54b493778cc87b43902520fd197c25e2d889f8117ab2

      SHA512

      185ea46650c474753b6fc41125e4109e1711ae041f92a57119873c62ad05ec9e673fe3a523408fe584ed39352db340da1afbcad362589d9fc10acabba29f6393

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7140261.exe
      Filesize

      912KB

      MD5

      26e3d1b844a5a8f15fa18f32440736cc

      SHA1

      893f3c9ea5a283371b6c22ac3a4ef381baa83b22

      SHA256

      62906150cf6df583f8e26297dfe2a779273987b3e423b5bac983107df0f64d73

      SHA512

      3783ca3a2a6474a3721da34412ab17f797e3c572dcdbf1bebdd418722aafcb922ff8c9b018973004f4db5025153a7a87093031c1f15947891a3bd630d2e8dd5d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4796270.exe
      Filesize

      708KB

      MD5

      2d3dda185d3dae0fd8d15303c8971f94

      SHA1

      22e3e3827963fdf172403678e1031b20fa33639c

      SHA256

      c9f78b4ce19ca38b9ab4df3373d06be12b85ff5e7d9982fea73f8c2278e49fef

      SHA512

      7947944f88536de1022bfb6eed034c930c29ebd4e974268eb87c74210718cacace30a81829c06153dde0e3c2b708fac32fc19ff628f4aaca9cb4a4b7244a81a6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8436102.exe
      Filesize

      415KB

      MD5

      79bbbf8123ce6e1f30604edaadf2aa9c

      SHA1

      9d0ed4ecb8f74f8f14c1a274142f38e72ca8d385

      SHA256

      5f3a6f892ede17d6773b8613540a90344bf1e9222b7150d4191b77fd275abc6b

      SHA512

      ff2a37b04a5a54620f98effe6cae427876af237be8d53f2e215ffe839e098b49faeaa658ff9eaba6630e10ec56f08bcc104e0caf5deacc05f1897d221de11d49

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0653568.exe
      Filesize

      361KB

      MD5

      b6b4fc0b21a8fb11448a3aa83f235a08

      SHA1

      33873b68ed25d0fe2de9f4b63fd195c01810eaf1

      SHA256

      294526d95ca13921949d4312d2111b21cba968a79074ca2e98fcc493f80e3879

      SHA512

      9501f52cd52fbdf833a3ebce3b83475bc6b183b3cbf8d2a12ddd551a0bc99c10f6e0f84bd010b3d5ec6c93fa734db4575deb99f4614b8627f96bda54bdab2d36

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2028312.exe
      Filesize

      168KB

      MD5

      322dcbc457ba7366d9fec8546e29f826

      SHA1

      aff3eb800f7211dc480c5d587926036fd85cbaa3

      SHA256

      e45facf005a426db0165f9221e64a98c7f3586209b1d929458854880821133c1

      SHA512

      781505ef2a682b050fd482de8d4aa148128e92c85505ca71ddf5a6eb1ee47c4da1e2ccf0300469dd98fedecd2cec5816ed5047a9ce1284e9f4df8a4dd1adfe13

      Download Submit

    • memory/2732-78-0x0000000009F60000-0x0000000009F9C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2732-77-0x0000000009F00000-0x0000000009F12000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2732-76-0x0000000009FD0000-0x000000000A0DA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2732-75-0x000000000A4C0000-0x000000000AAD8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2732-74-0x0000000002340000-0x0000000002346000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2732-73-0x0000000000160000-0x0000000000190000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2732-79-0x0000000004490000-0x00000000044DC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4488-58-0x0000000002800000-0x0000000002812000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4488-44-0x0000000002800000-0x0000000002812000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4488-60-0x0000000002800000-0x0000000002812000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4488-65-0x0000000002800000-0x0000000002812000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4488-56-0x0000000002800000-0x0000000002812000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4488-54-0x0000000002800000-0x0000000002812000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4488-52-0x0000000002800000-0x0000000002812000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4488-50-0x0000000002800000-0x0000000002812000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4488-48-0x0000000002800000-0x0000000002812000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4488-62-0x0000000002800000-0x0000000002812000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4488-67-0x0000000000400000-0x00000000006F4000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/4488-69-0x0000000000400000-0x00000000006F4000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/4488-66-0x0000000002800000-0x0000000002812000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4488-46-0x0000000002800000-0x0000000002812000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4488-40-0x0000000002800000-0x0000000002812000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4488-42-0x0000000002800000-0x0000000002812000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4488-39-0x0000000002800000-0x0000000002812000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4488-38-0x0000000002800000-0x0000000002818000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4488-37-0x0000000004D00000-0x00000000052A4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4488-36-0x00000000025B0000-0x00000000025CA000-memory.dmp

      Filesize

      104KB

      Download