Overview

overview

10

Static

static

3

8431f16d05...50.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-11-2024 01:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8431f16d05c9b5523a46acbed844ba1c42ed1615eed7db6221d529e8f5abe250.exe

  • Size

    568KB

  • MD5

    e782d71bf5e465402dd0f7394e40323a

  • SHA1

    09fb44f06fe2737817e7051caa78fae4322d6fe8

  • SHA256

    8431f16d05c9b5523a46acbed844ba1c42ed1615eed7db6221d529e8f5abe250

  • SHA512

    ace7115e0f0835aa4c190a5da9bce7c36c0966df24e3c63d3ebe98529f9a0b0515a0692edc8bfa33ecc5e74bb460ad798174e1aa1bedd68f51fde6eb585c0fb3

  • SSDEEP

    12288:Gy90kqGAsSxaS03SG+w16aKFjHOOQdzuj31kY:GyG3zn0iG+cKFjoZg31kY

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8431f16d05c9b5523a46acbed844ba1c42ed1615eed7db6221d529e8f5abe250.exe
    "C:\Users\Admin\AppData\Local\Temp\8431f16d05c9b5523a46acbed844ba1c42ed1615eed7db6221d529e8f5abe250.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3628
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieG0341.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieG0341.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2224
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it810497.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it810497.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1932
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr418111.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr418111.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2836

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieG0341.exe
    Filesize

    415KB

    MD5

    11930606bd07ade55a7eb03cb937596c

    SHA1

    f92afed47572c608aa820a2c5bff63229d71b520

    SHA256

    3e7220096d061e32eb4c8f827f73af5f17ea51ff91d04fd4113407b1e4c7ef2b

    SHA512

    c104dfd204ef451c96e451fce854382c7a0bc5bec739540af5e9468762efd9ed74fc81338d48359fc2e7634914f84b1fdcc34f7b87a5c9a9a4dd6c4566d8a10b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it810497.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr418111.exe
    Filesize

    360KB

    MD5

    dc0216b02fad42b350a2d3f9eac14e91

    SHA1

    6c936d3061451a17246c1ce5471c970ef4e88c8d

    SHA256

    db938c3978293383c694d62b7a03cc26e8567440e1922cd0fbacbd0af4ddd8fb

    SHA512

    a240eb985ac5abb739e345aa56da69e1e5e59c41ceea9992071c6f70bb1d884c0a9209d549eee5c93f82a1f71ea2f81986a3572b3dad2bf75d17c31fb9490ec9

    Download Submit

  • memory/1932-14-0x00007FFA494B3000-0x00007FFA494B5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1932-15-0x00000000004D0000-0x00000000004DA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1932-16-0x00007FFA494B3000-0x00007FFA494B5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2836-62-0x00000000072F0000-0x0000000007325000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2836-48-0x00000000072F0000-0x0000000007325000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2836-24-0x00000000072F0000-0x000000000732A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2836-25-0x00000000072F0000-0x0000000007325000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2836-74-0x00000000072F0000-0x0000000007325000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2836-89-0x00000000072F0000-0x0000000007325000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2836-86-0x00000000072F0000-0x0000000007325000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2836-84-0x00000000072F0000-0x0000000007325000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2836-82-0x00000000072F0000-0x0000000007325000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2836-80-0x00000000072F0000-0x0000000007325000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2836-78-0x00000000072F0000-0x0000000007325000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2836-76-0x00000000072F0000-0x0000000007325000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2836-72-0x00000000072F0000-0x0000000007325000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2836-70-0x00000000072F0000-0x0000000007325000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2836-68-0x00000000072F0000-0x0000000007325000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2836-66-0x00000000072F0000-0x0000000007325000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2836-22-0x0000000004C20000-0x0000000004C5C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2836-60-0x00000000072F0000-0x0000000007325000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2836-58-0x00000000072F0000-0x0000000007325000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2836-56-0x00000000072F0000-0x0000000007325000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2836-52-0x00000000072F0000-0x0000000007325000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2836-23-0x0000000007460000-0x0000000007A04000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2836-46-0x00000000072F0000-0x0000000007325000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2836-44-0x00000000072F0000-0x0000000007325000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2836-42-0x00000000072F0000-0x0000000007325000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2836-38-0x00000000072F0000-0x0000000007325000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2836-36-0x00000000072F0000-0x0000000007325000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2836-35-0x00000000072F0000-0x0000000007325000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2836-30-0x00000000072F0000-0x0000000007325000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2836-64-0x00000000072F0000-0x0000000007325000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2836-54-0x00000000072F0000-0x0000000007325000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2836-50-0x00000000072F0000-0x0000000007325000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2836-40-0x00000000072F0000-0x0000000007325000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2836-32-0x00000000072F0000-0x0000000007325000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2836-28-0x00000000072F0000-0x0000000007325000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2836-26-0x00000000072F0000-0x0000000007325000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2836-817-0x0000000009E90000-0x000000000A4A8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2836-818-0x0000000007420000-0x0000000007432000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2836-819-0x000000000A4B0000-0x000000000A5BA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2836-820-0x000000000A5C0000-0x000000000A5FC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2836-821-0x0000000006E20000-0x0000000006E6C000-memory.dmp

    Filesize

    304KB

    Download