Overview

overview

10

Static

static

3

3a709d995a...ae.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 22:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3a709d995a745e3dbb2fa6c8b21dfd4db934e992b2e491c77b31a339b45188ae.exe

  • Size

    708KB

  • MD5

    6b230639ba3b916f3f3b67f8191ede02

  • SHA1

    9706fa122f6d94814c3c91b4b529cd3fdca1f367

  • SHA256

    3a709d995a745e3dbb2fa6c8b21dfd4db934e992b2e491c77b31a339b45188ae

  • SHA512

    a9176d18d3c3aac09a386eb6a78b2dd534ad71fe86ecef6e53cce33cd5806bf39ddf1cfd6690f21555f0f095410a7f72b9cb48c4f9c195e81f1a11fb2ea8570c

  • SSDEEP

    12288:Fy90saboV+K4wTBBbohZZYUw5qSi6uKXtusncIsAye2xQj:FyjV+KlTfbOnYpqSFNnCAR2xE

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a709d995a745e3dbb2fa6c8b21dfd4db934e992b2e491c77b31a339b45188ae.exe
    "C:\Users\Admin\AppData\Local\Temp\3a709d995a745e3dbb2fa6c8b21dfd4db934e992b2e491c77b31a339b45188ae.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un108784.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un108784.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4840
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr846938.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr846938.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:368
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 1080
          4⤵
          • Program crash
          PID:4928
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu950815.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu950815.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4436
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 368 -ip 368
    1⤵
      PID:2004

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un108784.exe
      Filesize

      554KB

      MD5

      3a5d6a54e81e63506c190845092b9260

      SHA1

      ef46adfbb9ef511566b35408061e7a60b0b23db2

      SHA256

      017d87660477d503ec7b958a4cbf4f52b07507bbdbffd66a474d120b6897378f

      SHA512

      20513c86a511ef3f777dd4605a49076ef8e26f5b6b856331693524ec45c5c5c9a9784ae7b21c558c1f23d57136ec18a3bd16588167d6792d50165eb19ed4b1d1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr846938.exe
      Filesize

      278KB

      MD5

      829060537d91dc2918c544cf16ba653b

      SHA1

      43e69c6507b9b445cc3c2957196fdaef3a13812f

      SHA256

      0ea71555480c4ebdf246532f88e9f6614811a05e39e5c473b8ed4dfbdc2f8945

      SHA512

      256a8afbc33db314509ee44339bcebd13cf779bc15293bc26a0bbce461a762dab24458029d7733e376bb17de75ee28269fc0c9e31c63c2295a409b465e01b425

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu950815.exe
      Filesize

      360KB

      MD5

      0a05aa7284a37ee0e7565603ac8b7204

      SHA1

      5f25a12d3c73e103423745389d9582343a74d8de

      SHA256

      db2ece9889cb787503b3b638491889f66797a23bc7d8beec4f1eaeda5acb9328

      SHA512

      5f204dc009ba04f8d8acfde14c0891442d72af247b8edfc2e623b98294f6968bc9fa9ef7dd3563eb3686ef168b7c35dafe4f81578ad9a5f907bf45287ceeb122

      Download Submit

    • memory/368-15-0x0000000002C10000-0x0000000002D10000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/368-16-0x0000000002BE0000-0x0000000002C0D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/368-17-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/368-18-0x0000000004C70000-0x0000000004C8A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/368-19-0x0000000007120000-0x00000000076C4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/368-20-0x00000000076F0000-0x0000000007708000-memory.dmp

      Filesize

      96KB

      Download

    • memory/368-48-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/368-46-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/368-44-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/368-42-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/368-40-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/368-38-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/368-36-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/368-34-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/368-32-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/368-30-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/368-28-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/368-26-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/368-24-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/368-22-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/368-21-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/368-49-0x0000000002C10000-0x0000000002D10000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/368-51-0x0000000002BE0000-0x0000000002C0D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/368-50-0x0000000000400000-0x0000000002B9F000-memory.dmp

      Filesize

      39.6MB

      Download

    • memory/368-52-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/368-55-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/368-54-0x0000000000400000-0x0000000002B9F000-memory.dmp

      Filesize

      39.6MB

      Download

    • memory/4436-60-0x00000000049B0000-0x00000000049EC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4436-61-0x0000000004C30000-0x0000000004C6A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/4436-73-0x0000000004C30000-0x0000000004C65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4436-75-0x0000000004C30000-0x0000000004C65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4436-95-0x0000000004C30000-0x0000000004C65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4436-93-0x0000000004C30000-0x0000000004C65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4436-91-0x0000000004C30000-0x0000000004C65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4436-89-0x0000000004C30000-0x0000000004C65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4436-88-0x0000000004C30000-0x0000000004C65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4436-83-0x0000000004C30000-0x0000000004C65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4436-81-0x0000000004C30000-0x0000000004C65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4436-79-0x0000000004C30000-0x0000000004C65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4436-77-0x0000000004C30000-0x0000000004C65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4436-71-0x0000000004C30000-0x0000000004C65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4436-69-0x0000000004C30000-0x0000000004C65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4436-67-0x0000000004C30000-0x0000000004C65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4436-85-0x0000000004C30000-0x0000000004C65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4436-65-0x0000000004C30000-0x0000000004C65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4436-63-0x0000000004C30000-0x0000000004C65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4436-62-0x0000000004C30000-0x0000000004C65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4436-854-0x0000000009E00000-0x000000000A418000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4436-855-0x00000000072E0000-0x00000000072F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4436-856-0x000000000A420000-0x000000000A52A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4436-857-0x0000000007310000-0x000000000734C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4436-858-0x0000000004A10000-0x0000000004A5C000-memory.dmp

      Filesize

      304KB

      Download