Overview

overview

10

Static

static

3

606af681a6...91.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/11/2024, 19:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    606af681a6b329d7b6d60e2bb94cc2f38f57af9e862bce4a3486ea9283acb691.exe

  • Size

    415KB

  • MD5

    b84ba5cf15fd35a8c36ce34cfef1a332

  • SHA1

    a0c7caa7bfb671bb221a5d58b2f1b0c16aa015c4

  • SHA256

    606af681a6b329d7b6d60e2bb94cc2f38f57af9e862bce4a3486ea9283acb691

  • SHA512

    7f62c2f9b9099a89ca8002b34f3ac097e5f5923411d37f2ca717867513eb48ea3b70f0b4062cb3139b109a6f0c1ee04db78f6112d2f3f107d67d941d2ab4672d

  • SSDEEP

    6144:nOp0yN90QE1gYXhBLqXYGIwcNTObXmLlg312qBDDqxlhzjg+W/zS8KxlVVth45h4:Py90IYxB2X6Nw0lqxWhgFhKxREVU

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\606af681a6b329d7b6d60e2bb94cc2f38f57af9e862bce4a3486ea9283acb691.exe
    "C:\Users\Admin\AppData\Local\Temp\606af681a6b329d7b6d60e2bb94cc2f38f57af9e862bce4a3486ea9283acb691.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1108
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\it543169.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\it543169.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3188
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr819089.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr819089.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2632
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:5440

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\it543169.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr819089.exe
    Filesize

    360KB

    MD5

    fdf1a8ce80927eb7493ee3fd1f44d92f

    SHA1

    5b024d5aa5cdc5d252bedf1af90f9f2742926279

    SHA256

    d8b4fb294eb8d9655f587551008dc3b0eca23f7f6b4e467368a8e52e47df5c08

    SHA512

    8b67b27dfdf7e1aee4fb14fe158672450a32caca56de64305c0af85222314c83868d0069b41361d393e6351bf329615c8cfc0a90cc1d96b17ac9b9cf0a80fbe3

    Download Submit

  • memory/2632-15-0x0000000002D80000-0x0000000002E80000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2632-16-0x0000000002D30000-0x0000000002D76000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2632-17-0x0000000004CD0000-0x0000000004D0C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2632-18-0x0000000007300000-0x00000000078A4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2632-19-0x00000000071D0000-0x000000000720A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2632-25-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2632-61-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2632-83-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2632-81-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2632-79-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2632-77-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2632-75-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2632-71-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2632-69-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2632-67-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2632-65-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2632-63-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2632-59-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2632-57-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2632-56-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2632-53-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2632-51-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2632-49-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2632-47-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2632-43-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2632-41-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2632-39-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2632-37-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2632-35-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2632-33-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2632-31-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2632-29-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2632-73-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2632-27-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2632-45-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2632-23-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2632-21-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2632-20-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2632-812-0x0000000009D30000-0x000000000A348000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2632-813-0x000000000A350000-0x000000000A362000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2632-814-0x000000000A370000-0x000000000A47A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2632-815-0x000000000A480000-0x000000000A4BC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2632-816-0x0000000004990000-0x00000000049DC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2632-817-0x0000000002D80000-0x0000000002E80000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2632-819-0x0000000002D30000-0x0000000002D76000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3188-7-0x00007FFFF2FD3000-0x00007FFFF2FD5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3188-8-0x0000000000BE0000-0x0000000000BEA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3188-9-0x00007FFFF2FD3000-0x00007FFFF2FD5000-memory.dmp

    Filesize

    8KB

    Download