Overview

overview

10

Static

static

3

f309f3124c...3N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/11/2024, 10:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f309f3124c3f9c1a8a73b06413b5d8a849026096709dd5ef1ac894cccc05e4c3N.exe

  • Size

    568KB

  • MD5

    c1e00e230e2cfa778c59c9cdf12419d0

  • SHA1

    f6a9181eeba6acdc3dd2692801ad8187e064543b

  • SHA256

    f309f3124c3f9c1a8a73b06413b5d8a849026096709dd5ef1ac894cccc05e4c3

  • SHA512

    a23b7362d0d864fcb6a7983db396fa10087647f771cab03f3fcd6ba6e17b6dc77136a87fc3fdc62dea04c2ebebb4200afbc43538797cfe99589250b44be739ef

  • SSDEEP

    12288:1y90bxCpGQ6/E/TMT7/IwGxGH9zbPVJnAo/:1yaU/sOTq7XRAa

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f309f3124c3f9c1a8a73b06413b5d8a849026096709dd5ef1ac894cccc05e4c3N.exe
    "C:\Users\Admin\AppData\Local\Temp\f309f3124c3f9c1a8a73b06413b5d8a849026096709dd5ef1ac894cccc05e4c3N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:212
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSM7092.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSM7092.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it654350.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it654350.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4552
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr486565.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr486565.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3408

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSM7092.exe
    Filesize

    414KB

    MD5

    f5b8d7385a6b2a6d37ec98382213cefa

    SHA1

    0f2e43c0a2babfb2dfd90d8701ab5db2bf31be26

    SHA256

    0dfcd3bbf21dfbc57f0e24e36cdf1c6480adb03bf56f370a645fe2317b362ad4

    SHA512

    24f4c730bb1874060388c9dd3b683dbb3f9b77f30c747472196bf6c8f2e78f01421d50def0853e3eeb3906c16ca58dc97d45e24e70cd1973fa037167ef18a77e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it654350.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr486565.exe
    Filesize

    359KB

    MD5

    7beb7d475c090c3421f5fba5f66412fc

    SHA1

    76a9cfbec000aa9ba732afbd4d155b45b17c761d

    SHA256

    820082936d89d59ffcddedfc170f5acbaee26d11a6538d64c8045c70aaa2e2bc

    SHA512

    e74df4e133b0117b74c163c37ab5b4fd5aaa69692dc5233b36d6a76ca6230cd6a5229fcce0394365fa52f7b98b6ea33ab2bcf2a0b77e18936663554b6c94a89c

    Download Submit

  • memory/3408-82-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3408-56-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3408-821-0x00000000049F0000-0x0000000004A3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3408-22-0x0000000004A80000-0x0000000004ABC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3408-23-0x0000000007280000-0x0000000007824000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3408-24-0x00000000071A0000-0x00000000071DA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3408-28-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3408-36-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3408-34-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3408-32-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3408-30-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3408-68-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3408-51-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3408-46-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3408-26-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3408-25-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3408-89-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3408-86-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3408-84-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3408-817-0x0000000009CB0000-0x000000000A2C8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3408-76-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3408-820-0x000000000A480000-0x000000000A4BC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3408-78-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3408-74-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3408-72-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3408-70-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3408-66-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3408-64-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3408-62-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3408-60-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3408-58-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3408-80-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3408-54-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3408-52-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3408-49-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3408-44-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3408-42-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3408-40-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3408-38-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3408-819-0x000000000A360000-0x000000000A46A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3408-818-0x000000000A340000-0x000000000A352000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4552-16-0x00007FFF28853000-0x00007FFF28855000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4552-14-0x00007FFF28853000-0x00007FFF28855000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4552-15-0x0000000000380000-0x000000000038A000-memory.dmp

    Filesize

    40KB

    Download