Overview

overview

10

Static

static

3

be81a27c72...84.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-11-2024 12:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    be81a27c72bc53b07769dca709535b2bd090062c2ba6a6364c473b21a754f484.exe

  • Size

    568KB

  • MD5

    390fdbe6132a241f23ec6cb32a966d8e

  • SHA1

    5ee957da19ec2d9e7fb59631d60aeb5a93fb08b0

  • SHA256

    be81a27c72bc53b07769dca709535b2bd090062c2ba6a6364c473b21a754f484

  • SHA512

    21d7cce293ed54564d47f28cfe13860a2dcd2ae0b01a6f002a9deff2611712fce5ee64f16e65c486b43731e0a13dad43c0de8889c397482f998224a39709bb56

  • SSDEEP

    12288:1y90bxCpGQ6/E/TMT7/IwGxGH9zbPVJnAo/H:1yaU/sOTq7XRAaH

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\be81a27c72bc53b07769dca709535b2bd090062c2ba6a6364c473b21a754f484.exe
    "C:\Users\Admin\AppData\Local\Temp\be81a27c72bc53b07769dca709535b2bd090062c2ba6a6364c473b21a754f484.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSM7092.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSM7092.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it654350.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it654350.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4884
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr486565.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr486565.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3896

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSM7092.exe
    Filesize

    414KB

    MD5

    f5b8d7385a6b2a6d37ec98382213cefa

    SHA1

    0f2e43c0a2babfb2dfd90d8701ab5db2bf31be26

    SHA256

    0dfcd3bbf21dfbc57f0e24e36cdf1c6480adb03bf56f370a645fe2317b362ad4

    SHA512

    24f4c730bb1874060388c9dd3b683dbb3f9b77f30c747472196bf6c8f2e78f01421d50def0853e3eeb3906c16ca58dc97d45e24e70cd1973fa037167ef18a77e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it654350.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr486565.exe
    Filesize

    359KB

    MD5

    7beb7d475c090c3421f5fba5f66412fc

    SHA1

    76a9cfbec000aa9ba732afbd4d155b45b17c761d

    SHA256

    820082936d89d59ffcddedfc170f5acbaee26d11a6538d64c8045c70aaa2e2bc

    SHA512

    e74df4e133b0117b74c163c37ab5b4fd5aaa69692dc5233b36d6a76ca6230cd6a5229fcce0394365fa52f7b98b6ea33ab2bcf2a0b77e18936663554b6c94a89c

    Download Submit

  • memory/3896-57-0x00000000077B0000-0x00000000077E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3896-22-0x0000000007200000-0x00000000077A4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3896-21-0x0000000004B50000-0x0000000004B8C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3896-54-0x00000000077B0000-0x00000000077E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3896-23-0x00000000077B0000-0x00000000077EA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3896-27-0x00000000077B0000-0x00000000077E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3896-35-0x00000000077B0000-0x00000000077E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3896-85-0x00000000077B0000-0x00000000077E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3896-83-0x00000000077B0000-0x00000000077E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3896-82-0x00000000077B0000-0x00000000077E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3896-79-0x00000000077B0000-0x00000000077E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3896-77-0x00000000077B0000-0x00000000077E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3896-75-0x00000000077B0000-0x00000000077E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3896-71-0x00000000077B0000-0x00000000077E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3896-69-0x00000000077B0000-0x00000000077E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3896-51-0x00000000077B0000-0x00000000077E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3896-65-0x00000000077B0000-0x00000000077E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3896-63-0x00000000077B0000-0x00000000077E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3896-61-0x00000000077B0000-0x00000000077E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3896-820-0x0000000006D30000-0x0000000006D7C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3896-816-0x0000000009CB0000-0x000000000A2C8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3896-55-0x00000000077B0000-0x00000000077E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3896-67-0x00000000077B0000-0x00000000077E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3896-49-0x00000000077B0000-0x00000000077E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3896-47-0x00000000077B0000-0x00000000077E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3896-45-0x00000000077B0000-0x00000000077E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3896-43-0x00000000077B0000-0x00000000077E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3896-41-0x00000000077B0000-0x00000000077E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3896-39-0x00000000077B0000-0x00000000077E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3896-37-0x00000000077B0000-0x00000000077E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3896-33-0x00000000077B0000-0x00000000077E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3896-31-0x00000000077B0000-0x00000000077E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3896-29-0x00000000077B0000-0x00000000077E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3896-87-0x00000000077B0000-0x00000000077E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3896-73-0x00000000077B0000-0x00000000077E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3896-59-0x00000000077B0000-0x00000000077E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3896-25-0x00000000077B0000-0x00000000077E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3896-24-0x00000000077B0000-0x00000000077E5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3896-817-0x000000000A340000-0x000000000A352000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3896-818-0x000000000A360000-0x000000000A46A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3896-819-0x000000000A480000-0x000000000A4BC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4884-14-0x00007FF95A023000-0x00007FF95A025000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4884-15-0x0000000000940000-0x000000000094A000-memory.dmp

    Filesize

    40KB

    Download