Overview

overview

10

Static

static

3

e76f448e5d...fb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/11/2024, 05:06

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    e76f448e5df1bb893e3bf541568f0a97c357479b2fe29a59c53ef5cb04e30cfb.exe

  • Size

    1.5MB

  • MD5

    12d00d559fe34bc29ae0298f27807496

  • SHA1

    85f78338dadce412bcb9a1f561d95c491d59bcd0

  • SHA256

    e76f448e5df1bb893e3bf541568f0a97c357479b2fe29a59c53ef5cb04e30cfb

  • SHA512

    90d9436d5a3be3de22c516593336b9dfb3a0af7325687f97b503156e6a4610ba3b1d239f5f713bf3f6dd7e376fa071092b319420a6588a8a53555229b98f2e67

  • SSDEEP

    24576:RyHatdiE0bVaKbhC3lsvp64fCkD4r0l0vESPltpPfS2beFNWhKJHF6xjE:E6tab34aB35CBE4ljPdeFNWh+Hcj

Score
10/10
healerredlinemazdadiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

mazda

C2

217.196.96.56:4138

Attributes
  • auth_value

    3d2870537d84a4c6d7aeecd002871c51

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e76f448e5df1bb893e3bf541568f0a97c357479b2fe29a59c53ef5cb04e30cfb.exe
    "C:\Users\Admin\AppData\Local\Temp\e76f448e5df1bb893e3bf541568f0a97c357479b2fe29a59c53ef5cb04e30cfb.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4420
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1635472.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1635472.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4028
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4796944.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4796944.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:852
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8184205.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8184205.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4388
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3998879.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3998879.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4200
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9642202.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9642202.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4560
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 1100
                7⤵
                • Program crash
                PID:648
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7002060.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7002060.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:528
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4560 -ip 4560
    1⤵
      PID:4072

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1635472.exe
            Filesize

            1.4MB

            MD5

            50297b7bd4331cb4aa3c3febdd68048c

            SHA1

            07a05240a734a44b35b60352c832fcf5002e9db5

            SHA256

            ab2e04464990ce6f74162eb549ac8c35a84a6f414039a506ab5fe326d036a0cd

            SHA512

            de036738effcfde9cc906e1a7f3793ccb964d2a165045fe2a271304664a8ef1f57e4dc32ec527180cec4d1689fa127e2c72507d84a02bb10aefed9a4971b8162

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4796944.exe
            Filesize

            912KB

            MD5

            74bf728cbdc6aef70295931632f0ac04

            SHA1

            c694d28b3d39b88822453ed8dfc113cdd164b6e6

            SHA256

            8040e51d443a220e5612143e7d6d0df60c0e3cd4972efc890e52e4435b58b44b

            SHA512

            a2761f6173d01a4e434dafd5bc8db5f3bb8c9c5d168e5a1c7b21de30b554def4a409f5660e0808acd6e94d4198a3ef8581f6b055e9cb27603ceb601b06863367

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8184205.exe
            Filesize

            707KB

            MD5

            f8d67b75257d8901a2e72f99cf1d19e0

            SHA1

            bc8c39a6c38a2840b8889ba735444695a76a14cf

            SHA256

            5c4ea94ec69ded5c8017f6b5edb9bd66699c315a3d1218b70806abaed81de0a2

            SHA512

            745606309fb351c7240d01f3db5d17c6a455c7d22625c4fb5d1d03a80566f402e9eb3ee62e48d5cd4c44eddd7904e79a84fe989b3447d5e81b0837641d7aba03

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3998879.exe
            Filesize

            415KB

            MD5

            a18a545fa7222736d1ad270f4ce06a74

            SHA1

            5dd93bb9370cb6958d0c67114c28125ac2ace44c

            SHA256

            34436a063b7c87774e3355ed62d93077d89c8275a6dc6eba657d7a1d5d7cc051

            SHA512

            ee4b3dc5b4fed364a460e961dc14d928603669ebde8f332274b98719bf450a9f960fe248997908427e80a7862fda13ff68934559fb8a83db679e88ff3241f97e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9642202.exe
            Filesize

            361KB

            MD5

            a7432bb32c7c68107cb051b5564f9ab9

            SHA1

            2b9868d17ec3ca785fc8faf0fb24e355b78fe0d3

            SHA256

            f6c70223e73fbc7f4e613b74f80d109d4a25441aae385b95d2726a5bf5b873fa

            SHA512

            813a1593a1ef85dc6c9e34e21aa23decdbe2e3756ae921a95fc90eb288a689d484ef357d44efb6773a121bdee971cbdd8f8e6502fd86b7a1bbf44f7b78a063a5

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7002060.exe
            Filesize

            168KB

            MD5

            34a764077c52724c1444cf387b7f73a2

            SHA1

            6b23306422fdcde6a9cd26b5f66283fee5478028

            SHA256

            0c5987935903e2b2d8f47419b72bbcfe554d6ff62bb170361b5751e9104756ef

            SHA512

            e285487c9ae7917fe300b03d77a0f1cdc5baec6794b7702221ea76d2c7fa4fb35aa9493c226b0560a67c2266c9f1009b1941324eab8d494979994f97455fa329

            Download Submit

          • memory/528-78-0x000000000A6B0000-0x000000000A6EC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/528-77-0x000000000A650000-0x000000000A662000-memory.dmp

            Filesize

            72KB

            Download

          • memory/528-76-0x000000000A720000-0x000000000A82A000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/528-75-0x000000000ABA0000-0x000000000B1B8000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/528-74-0x0000000002820000-0x0000000002826000-memory.dmp

            Filesize

            24KB

            Download

          • memory/528-73-0x0000000000770000-0x00000000007A0000-memory.dmp

            Filesize

            192KB

            Download

          • memory/528-79-0x0000000004960000-0x00000000049AC000-memory.dmp

            Filesize

            304KB

            Download

          • memory/4560-50-0x00000000027C0000-0x00000000027D2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4560-39-0x00000000027C0000-0x00000000027D2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4560-52-0x00000000027C0000-0x00000000027D2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4560-56-0x00000000027C0000-0x00000000027D2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4560-48-0x00000000027C0000-0x00000000027D2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4560-47-0x00000000027C0000-0x00000000027D2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4560-44-0x00000000027C0000-0x00000000027D2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4560-42-0x00000000027C0000-0x00000000027D2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4560-40-0x00000000027C0000-0x00000000027D2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4560-54-0x00000000027C0000-0x00000000027D2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4560-67-0x0000000000400000-0x00000000006F4000-memory.dmp

            Filesize

            3.0MB

            Download

          • memory/4560-69-0x0000000000400000-0x00000000006F4000-memory.dmp

            Filesize

            3.0MB

            Download

          • memory/4560-58-0x00000000027C0000-0x00000000027D2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4560-61-0x00000000027C0000-0x00000000027D2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4560-62-0x00000000027C0000-0x00000000027D2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4560-66-0x00000000027C0000-0x00000000027D2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4560-65-0x00000000027C0000-0x00000000027D2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4560-38-0x00000000027C0000-0x00000000027D8000-memory.dmp

            Filesize

            96KB

            Download

          • memory/4560-37-0x0000000005130000-0x00000000056D4000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/4560-36-0x0000000002600000-0x000000000261A000-memory.dmp

            Filesize

            104KB

            Download