Overview

overview

10

Static

static

3

e412d2ee25...6f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/11/2024, 12:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e412d2ee25e4f40ddea5c778d25bcad6cf67eb705e56c8cb6a7055e4956f606f.exe

  • Size

    414KB

  • MD5

    12863564382ac3b77f94219c8f51014d

  • SHA1

    c70a36c100d875df8301cdf1801ee52a5521e120

  • SHA256

    e412d2ee25e4f40ddea5c778d25bcad6cf67eb705e56c8cb6a7055e4956f606f

  • SHA512

    0d4c33fb5acd59415592a7eff18ddc275b2690481f95194c082f82c8475325415f3cf59f91daed90b580d462481377cd5ba988057515d8d91430c5cb0b088558

  • SSDEEP

    6144:cHp0yN90QE9AJk72DGFt/oJ8LB7PUvuhUACyyjfEpCVehE5vNOcL:dy90zAK7d62Nz4/tjfCgQWv5L

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e412d2ee25e4f40ddea5c778d25bcad6cf67eb705e56c8cb6a7055e4956f606f.exe
    "C:\Users\Admin\AppData\Local\Temp\e412d2ee25e4f40ddea5c778d25bcad6cf67eb705e56c8cb6a7055e4956f606f.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3996
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\it294852.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\it294852.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4448
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr200236.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr200236.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1072

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\it294852.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr200236.exe
    Filesize

    360KB

    MD5

    1223a04ccfcc919c0824e012095f6fa0

    SHA1

    59882ec3be70e9a90b49288ebafb7931a823101d

    SHA256

    48f0ac32c9625a36fe27de27b9064df78430e9ec9c3b49eb957e7199f67f04f3

    SHA512

    8eb98416978afa3be130a7417f2692ca695d7ebedd4c09230069759fed14c7398394ea0f1cfeb4c660ffb9f45145a10b401127fbe1582c8c59146756d3cf4afe

    Download Submit

  • memory/1072-15-0x0000000002DA0000-0x0000000002EA0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1072-16-0x0000000004840000-0x0000000004886000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1072-17-0x0000000000400000-0x0000000000449000-memory.dmp

    Filesize

    292KB

    Download

  • memory/1072-18-0x00000000049F0000-0x0000000004A2C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1072-19-0x0000000007330000-0x00000000078D4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1072-20-0x00000000071A0000-0x00000000071DA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/1072-30-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1072-32-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1072-84-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1072-82-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1072-81-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1072-78-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1072-76-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1072-74-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1072-73-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1072-70-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1072-68-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1072-67-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1072-64-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1072-62-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1072-60-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1072-58-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1072-56-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1072-54-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1072-52-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1072-50-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1072-48-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1072-46-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1072-42-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1072-40-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1072-38-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1072-36-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1072-34-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1072-28-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1072-24-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1072-816-0x000000000A490000-0x000000000A4CC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1072-815-0x000000000A380000-0x000000000A48A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1072-814-0x00000000072E0000-0x00000000072F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1072-813-0x0000000009D60000-0x000000000A378000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1072-44-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1072-21-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1072-26-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1072-22-0x00000000071A0000-0x00000000071D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1072-817-0x0000000006CD0000-0x0000000006D1C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1072-818-0x0000000002DA0000-0x0000000002EA0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1072-819-0x0000000004840000-0x0000000004886000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1072-821-0x0000000000400000-0x0000000000449000-memory.dmp

    Filesize

    292KB

    Download

  • memory/4448-7-0x00007FF95A023000-0x00007FF95A025000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4448-8-0x00000000007C0000-0x00000000007CA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4448-9-0x00007FF95A023000-0x00007FF95A025000-memory.dmp

    Filesize

    8KB

    Download