Overview

overview

10

Static

static

3

f2739a2887...5N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-11-2024 09:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f2739a2887c473b9c0d85d16f5abff7a3d10321471326b9ab59a11f39bdd7aa5N.exe

  • Size

    767KB

  • MD5

    446204a6417c6fcca323c3a21fb86850

  • SHA1

    ff885b0ca1f6e613960e2110dac11aea16d22f17

  • SHA256

    f2739a2887c473b9c0d85d16f5abff7a3d10321471326b9ab59a11f39bdd7aa5

  • SHA512

    cdfd616c1f7bd7d217b7d21c89a6bf2896bd44002c4c961f58ce1e8a7e54e4f12c21aa0624862f5a642a2d33e8315fd81eafb471d7a09602338a86d61fa3fcad

  • SSDEEP

    12288:Ry90kyWn9YR7iUFLvvYtpjl+5ovp4XXGsEFyK6ub268FwNUL1Q:RyPd9YR2U1Qt9PaXWNDswNUZQ

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f2739a2887c473b9c0d85d16f5abff7a3d10321471326b9ab59a11f39bdd7aa5N.exe
    "C:\Users\Admin\AppData\Local\Temp\f2739a2887c473b9c0d85d16f5abff7a3d10321471326b9ab59a11f39bdd7aa5N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:916
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un345087.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un345087.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4500
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr324986.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr324986.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2444
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu106121.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu106121.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1588

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un345087.exe
    Filesize

    613KB

    MD5

    a37ccb016518c93257e5683f9963efe6

    SHA1

    53109d007adce116b2ab8b652eb26001d0b60ca2

    SHA256

    71c69acf8038b2ae903b220cac71039fcf0e250e50e641aa1cf85dc4dcb87b36

    SHA512

    0913cc574725410dbb8756c028f9597a3482f2e9aae81f9b82872424303bf84f5e16ad41b28bb529d32fbb1af1ac4703f390d73ca84a72f56479326754384286

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr324986.exe
    Filesize

    404KB

    MD5

    5ffa890dd8f014333e2127c37a6d41fe

    SHA1

    a7dcd3363a31c13d3ae139512b01832295cdc49e

    SHA256

    f705e8b123c71ba8c883d8fa39c9f17e55677286c83c4934d9af7d126e9abac2

    SHA512

    ee28b43ebace407595959c1e13819907f1e27cad10bfe05748fe13ae4cb1d7d1cdcfa7d26cdaa597cf91740d0a1e0f80a510ca4b360e1aa33b4e074281cc2b27

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu106121.exe
    Filesize

    485KB

    MD5

    fbcb84017374fbaa1d5f5e4fe0b48e25

    SHA1

    9c83b52813aa0f55fd427e9f8379c538bd8bf904

    SHA256

    781036fc76c1e1b2a56add39940b605999489d22b308ee15e4f2d3ffe2fc3e0f

    SHA512

    96d89fe7b332ab9825926a98de6dc10a7d815e069c09cde6e36764081761412b2813b4b1280f96bf9d92658974b8b89e07068e14b1f65cc5fa47db7017d4f6ed

    Download Submit

  • memory/1588-79-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1588-85-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1588-855-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1588-854-0x0000000007900000-0x0000000007F18000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1588-93-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1588-69-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1588-71-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1588-73-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1588-75-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1588-77-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1588-857-0x0000000008120000-0x000000000815C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1588-858-0x0000000004910000-0x000000000495C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1588-83-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1588-856-0x0000000007FC0000-0x00000000080CA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1588-87-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1588-89-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1588-91-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1588-95-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1588-81-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1588-62-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1588-63-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1588-65-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1588-67-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1588-61-0x0000000004E20000-0x0000000004E5A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/1588-60-0x0000000002830000-0x000000000286C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2444-43-0x0000000002910000-0x0000000002922000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2444-55-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2444-54-0x0000000000400000-0x000000000080A000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2444-51-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2444-50-0x0000000000830000-0x0000000000930000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2444-22-0x0000000002910000-0x0000000002922000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2444-28-0x0000000002910000-0x0000000002922000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2444-31-0x0000000002910000-0x0000000002922000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2444-41-0x0000000002910000-0x0000000002922000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2444-25-0x0000000002910000-0x0000000002922000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2444-29-0x0000000002910000-0x0000000002922000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2444-33-0x0000000002910000-0x0000000002922000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2444-36-0x0000000002910000-0x0000000002922000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2444-37-0x0000000002910000-0x0000000002922000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2444-39-0x0000000002910000-0x0000000002922000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2444-23-0x0000000002910000-0x0000000002922000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2444-45-0x0000000002910000-0x0000000002922000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2444-47-0x0000000002910000-0x0000000002922000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2444-49-0x0000000002910000-0x0000000002922000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2444-20-0x0000000004F50000-0x00000000054F4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2444-21-0x0000000002910000-0x0000000002928000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2444-19-0x00000000026B0000-0x00000000026CA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2444-18-0x0000000000400000-0x000000000080A000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2444-17-0x0000000000400000-0x000000000080A000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2444-15-0x0000000000830000-0x0000000000930000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2444-16-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download