Overview

overview

10

Static

static

3

387edd9ae9...dN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-11-2024 02:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    387edd9ae9f82f00535d61ffb4dd404b41a0ff54e21fa41dbe4e2b3a4a597b7dN.exe

  • Size

    806KB

  • MD5

    2fe226eb65b58fd6167f3a10068fd000

  • SHA1

    39a28f119a4ca044791ebc33210d7f086e703e01

  • SHA256

    387edd9ae9f82f00535d61ffb4dd404b41a0ff54e21fa41dbe4e2b3a4a597b7d

  • SHA512

    4a7842ee2c6646bc745eae944352f3d31470d80aa97a39258e82c390fce5566d34171d231d54805458617f9e8c6241a25a1bcf9d853c2ae872102c1098f08fa7

  • SSDEEP

    12288:Yy900qb+mAJXeL87P79lG5ubtCgVCRH8ZrjLd+dWUp3B94Ob5zmi+pcjMtsqx:YyWbn3Q7PyK4gOctk8QZ58pdtpx

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\387edd9ae9f82f00535d61ffb4dd404b41a0ff54e21fa41dbe4e2b3a4a597b7dN.exe
    "C:\Users\Admin\AppData\Local\Temp\387edd9ae9f82f00535d61ffb4dd404b41a0ff54e21fa41dbe4e2b3a4a597b7dN.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3412
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki475644.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki475644.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2356
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az071455.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az071455.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1948
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu946463.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu946463.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3128

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki475644.exe
    Filesize

    470KB

    MD5

    da9406b2c1c93390b9be3e50e47ca9a4

    SHA1

    14f25caf3b1e862f7839d98be23295ffd91c2990

    SHA256

    6815b650198dfa74666301aa16344eb669cbbb70c05970bdcd791ce4e385ed30

    SHA512

    ad86b182b095c90133489093eb329f0c5c942188b83dcf9c5c3d99c4d832be691fa180a3fa9a6ca2ae4d6cb9297cf8750a7e4134bca275616d79c58cb4616a4f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az071455.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu946463.exe
    Filesize

    486KB

    MD5

    5ebc9b734b8f247e6aea2f88540a2d8b

    SHA1

    88646815f17aa704b69b285d7a10567b8f521b9b

    SHA256

    8067eda4ebf8947162b75e05396d52a6a8188b427b943fd87223009f948c71d4

    SHA512

    b3286e67c3c069f48435cb3473045bdec60e3dc2711d2cd3cf2bd6007a5c7dd64fb66f01fe0abf8ff317c05ef802ee9d517706fed65bc44fdb19114d7fb33003

    Download Submit

  • memory/1948-14-0x00007FFE63BE3000-0x00007FFE63BE5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1948-15-0x00000000008F0000-0x00000000008FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1948-16-0x00007FFE63BE3000-0x00007FFE63BE5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3128-64-0x00000000028B0000-0x00000000028E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3128-52-0x00000000028B0000-0x00000000028E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3128-24-0x00000000028B0000-0x00000000028EA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3128-36-0x00000000028B0000-0x00000000028E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3128-38-0x00000000028B0000-0x00000000028E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3128-88-0x00000000028B0000-0x00000000028E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3128-86-0x00000000028B0000-0x00000000028E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3128-84-0x00000000028B0000-0x00000000028E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3128-82-0x00000000028B0000-0x00000000028E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3128-78-0x00000000028B0000-0x00000000028E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3128-76-0x00000000028B0000-0x00000000028E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3128-74-0x00000000028B0000-0x00000000028E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3128-72-0x00000000028B0000-0x00000000028E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3128-70-0x00000000028B0000-0x00000000028E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3128-68-0x00000000028B0000-0x00000000028E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3128-66-0x00000000028B0000-0x00000000028E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3128-22-0x0000000002790000-0x00000000027CC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3128-62-0x00000000028B0000-0x00000000028E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3128-58-0x00000000028B0000-0x00000000028E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3128-56-0x00000000028B0000-0x00000000028E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3128-55-0x00000000028B0000-0x00000000028E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3128-23-0x00000000050E0000-0x0000000005684000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3128-50-0x00000000028B0000-0x00000000028E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3128-48-0x00000000028B0000-0x00000000028E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3128-46-0x00000000028B0000-0x00000000028E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3128-44-0x00000000028B0000-0x00000000028E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3128-42-0x00000000028B0000-0x00000000028E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3128-40-0x00000000028B0000-0x00000000028E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3128-34-0x00000000028B0000-0x00000000028E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3128-32-0x00000000028B0000-0x00000000028E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3128-30-0x00000000028B0000-0x00000000028E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3128-28-0x00000000028B0000-0x00000000028E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3128-80-0x00000000028B0000-0x00000000028E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3128-60-0x00000000028B0000-0x00000000028E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3128-26-0x00000000028B0000-0x00000000028E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3128-25-0x00000000028B0000-0x00000000028E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3128-817-0x0000000007A10000-0x0000000008028000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3128-818-0x0000000002AF0000-0x0000000002B02000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3128-819-0x0000000008030000-0x000000000813A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3128-820-0x0000000005070000-0x00000000050AC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3128-821-0x0000000002680000-0x00000000026CC000-memory.dmp

    Filesize

    304KB

    Download