Overview

overview

10

Static

static

3

9be49b4740...21.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    112s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-11-2024 14:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9be49b4740b9bd38d51d19ea7651067c28199c17aa1c794df1a79fb94bca7d21.exe

  • Size

    644KB

  • MD5

    fc66e0e35830c3a85f12ddfe1340d2c3

  • SHA1

    b20cef411211f78d5b8e3f313eb997a6036fc9ff

  • SHA256

    9be49b4740b9bd38d51d19ea7651067c28199c17aa1c794df1a79fb94bca7d21

  • SHA512

    334a7a3aa66df77e803478d458292a27dcec9fa1c1964e9db1eb47977f12bb83fcca74eff421c8cc93166882085307f380c1c41455d6eb58ddda1700411eedb9

  • SSDEEP

    12288:Ly90Ndpq7kaulJFpSNKBHZqkteDhZJv3QuZRvuGdx0iSHe7Fmmu0okM:Ly0dp6XK1JkvhfvB9Dune7Fe0okM

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 21 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9be49b4740b9bd38d51d19ea7651067c28199c17aa1c794df1a79fb94bca7d21.exe
    "C:\Users\Admin\AppData\Local\Temp\9be49b4740b9bd38d51d19ea7651067c28199c17aa1c794df1a79fb94bca7d21.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4752
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st955557.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st955557.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2132
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\51454482.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\51454482.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5080
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp358440.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp358440.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1108

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st955557.exe
    Filesize

    489KB

    MD5

    7bf547c552b30b1bc043188808096244

    SHA1

    d7857f8e4603957bec56bd236599007530eb337f

    SHA256

    288c6a0d43ee3609416d647336fb445c03236b6bd8cbee32285d81fa0b7217bf

    SHA512

    5294500e88abd6716d00b7de951a596349c1395319c4edafffbee14b988335ce29c4db4890d8108cb2ab6330dbfde1ce2bbd4731ac77391a765acf10e5502273

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\51454482.exe
    Filesize

    175KB

    MD5

    3d10b67208452d7a91d7bd7066067676

    SHA1

    e6c3ab7b6da65c8cc7dd95351f118caf3a50248d

    SHA256

    5c8ae96739bd9454a59e92b5eb6965647030e87453f7c417dbd7d53ebd837302

    SHA512

    b86d5ff4f55c90922a890401ae4301da7e71eb5e546a82536073cc58780ce55585214cff39ec9b52f70704580ad36c1fa95ebee1515dd2e7ea313cb670f2b4df

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp358440.exe
    Filesize

    348KB

    MD5

    cfe01aacee1ff63e618a94379c2f6676

    SHA1

    849ed745c53bb94f07215851c275820d8fcde852

    SHA256

    b7c5bbae42d9936aca67f8d314e508668fa0eb448a826fa799ab6bc9afa5986f

    SHA512

    c48331bdc809a9c1db3a2cf2f3871fcb120cf4df68992060b077aee089262e991b8e6d9f5d68b0661c82521305c3bfd2ae0efc02f5ff7b229c4d7cd6a8b4c99f

    Download Submit

  • memory/1108-71-0x00000000071F0000-0x0000000007225000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1108-63-0x00000000071F0000-0x0000000007225000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1108-56-0x0000000004C60000-0x0000000004C9C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1108-854-0x0000000006CE0000-0x0000000006D2C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1108-57-0x00000000071F0000-0x000000000722A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/1108-853-0x000000000A480000-0x000000000A4BC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1108-852-0x000000000A360000-0x000000000A46A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1108-851-0x000000000A340000-0x000000000A352000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1108-850-0x0000000009CB0000-0x000000000A2C8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1108-61-0x00000000071F0000-0x0000000007225000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1108-58-0x00000000071F0000-0x0000000007225000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1108-85-0x00000000071F0000-0x0000000007225000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1108-89-0x00000000071F0000-0x0000000007225000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1108-93-0x00000000071F0000-0x0000000007225000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1108-65-0x00000000071F0000-0x0000000007225000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1108-59-0x00000000071F0000-0x0000000007225000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1108-67-0x00000000071F0000-0x0000000007225000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1108-69-0x00000000071F0000-0x0000000007225000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1108-73-0x00000000071F0000-0x0000000007225000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1108-75-0x00000000071F0000-0x0000000007225000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1108-77-0x00000000071F0000-0x0000000007225000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1108-79-0x00000000071F0000-0x0000000007225000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1108-81-0x00000000071F0000-0x0000000007225000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1108-83-0x00000000071F0000-0x0000000007225000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1108-87-0x00000000071F0000-0x0000000007225000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1108-91-0x00000000071F0000-0x0000000007225000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5080-31-0x0000000004F60000-0x0000000004F73000-memory.dmp

    Filesize

    76KB

    Download

  • memory/5080-27-0x0000000004F60000-0x0000000004F73000-memory.dmp

    Filesize

    76KB

    Download

  • memory/5080-19-0x0000000074070000-0x0000000074820000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5080-17-0x00000000049B0000-0x0000000004F54000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5080-15-0x0000000002240000-0x000000000225A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/5080-51-0x0000000074070000-0x0000000074820000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5080-49-0x0000000074070000-0x0000000074820000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5080-48-0x000000007407E000-0x000000007407F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5080-20-0x0000000004F60000-0x0000000004F73000-memory.dmp

    Filesize

    76KB

    Download

  • memory/5080-21-0x0000000004F60000-0x0000000004F73000-memory.dmp

    Filesize

    76KB

    Download

  • memory/5080-14-0x000000007407E000-0x000000007407F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5080-23-0x0000000004F60000-0x0000000004F73000-memory.dmp

    Filesize

    76KB

    Download

  • memory/5080-25-0x0000000004F60000-0x0000000004F73000-memory.dmp

    Filesize

    76KB

    Download

  • memory/5080-29-0x0000000004F60000-0x0000000004F73000-memory.dmp

    Filesize

    76KB

    Download

  • memory/5080-16-0x0000000074070000-0x0000000074820000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5080-33-0x0000000004F60000-0x0000000004F73000-memory.dmp

    Filesize

    76KB

    Download

  • memory/5080-35-0x0000000004F60000-0x0000000004F73000-memory.dmp

    Filesize

    76KB

    Download

  • memory/5080-37-0x0000000004F60000-0x0000000004F73000-memory.dmp

    Filesize

    76KB

    Download

  • memory/5080-39-0x0000000004F60000-0x0000000004F73000-memory.dmp

    Filesize

    76KB

    Download

  • memory/5080-41-0x0000000004F60000-0x0000000004F73000-memory.dmp

    Filesize

    76KB

    Download

  • memory/5080-43-0x0000000004F60000-0x0000000004F73000-memory.dmp

    Filesize

    76KB

    Download

  • memory/5080-45-0x0000000004F60000-0x0000000004F73000-memory.dmp

    Filesize

    76KB

    Download

  • memory/5080-47-0x0000000004F60000-0x0000000004F73000-memory.dmp

    Filesize

    76KB

    Download

  • memory/5080-18-0x0000000004F60000-0x0000000004F78000-memory.dmp

    Filesize

    96KB

    Download