Overview

overview

10

Static

static

3

8431f16d05...50.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-11-2024 01:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8431f16d05c9b5523a46acbed844ba1c42ed1615eed7db6221d529e8f5abe250.exe

  • Size

    568KB

  • MD5

    e782d71bf5e465402dd0f7394e40323a

  • SHA1

    09fb44f06fe2737817e7051caa78fae4322d6fe8

  • SHA256

    8431f16d05c9b5523a46acbed844ba1c42ed1615eed7db6221d529e8f5abe250

  • SHA512

    ace7115e0f0835aa4c190a5da9bce7c36c0966df24e3c63d3ebe98529f9a0b0515a0692edc8bfa33ecc5e74bb460ad798174e1aa1bedd68f51fde6eb585c0fb3

  • SSDEEP

    12288:Gy90kqGAsSxaS03SG+w16aKFjHOOQdzuj31kY:GyG3zn0iG+cKFjoZg31kY

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8431f16d05c9b5523a46acbed844ba1c42ed1615eed7db6221d529e8f5abe250.exe
    "C:\Users\Admin\AppData\Local\Temp\8431f16d05c9b5523a46acbed844ba1c42ed1615eed7db6221d529e8f5abe250.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieG0341.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieG0341.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1908
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it810497.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it810497.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1448
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr418111.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr418111.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1408

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieG0341.exe
    Filesize

    415KB

    MD5

    11930606bd07ade55a7eb03cb937596c

    SHA1

    f92afed47572c608aa820a2c5bff63229d71b520

    SHA256

    3e7220096d061e32eb4c8f827f73af5f17ea51ff91d04fd4113407b1e4c7ef2b

    SHA512

    c104dfd204ef451c96e451fce854382c7a0bc5bec739540af5e9468762efd9ed74fc81338d48359fc2e7634914f84b1fdcc34f7b87a5c9a9a4dd6c4566d8a10b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it810497.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr418111.exe
    Filesize

    360KB

    MD5

    dc0216b02fad42b350a2d3f9eac14e91

    SHA1

    6c936d3061451a17246c1ce5471c970ef4e88c8d

    SHA256

    db938c3978293383c694d62b7a03cc26e8567440e1922cd0fbacbd0af4ddd8fb

    SHA512

    a240eb985ac5abb739e345aa56da69e1e5e59c41ceea9992071c6f70bb1d884c0a9209d549eee5c93f82a1f71ea2f81986a3572b3dad2bf75d17c31fb9490ec9

    Download Submit

  • memory/1408-72-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1408-22-0x0000000004C30000-0x0000000004C6C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1408-23-0x00000000072D0000-0x0000000007874000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1408-68-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1408-24-0x00000000071D0000-0x000000000720A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/1408-36-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1408-88-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1408-86-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1408-84-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1408-82-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1408-70-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1408-818-0x000000000A340000-0x000000000A352000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1408-66-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1408-817-0x0000000009D00000-0x000000000A318000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1408-821-0x0000000006D00000-0x0000000006D4C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1408-80-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1408-78-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1408-76-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1408-74-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1408-25-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1408-819-0x000000000A360000-0x000000000A46A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1408-26-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1408-820-0x000000000A480000-0x000000000A4BC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1408-64-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1408-62-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1408-60-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1408-58-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1408-56-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1408-54-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1408-52-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1408-50-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1408-48-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1408-46-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1408-44-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1408-42-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1408-40-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1408-38-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1408-34-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1408-32-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1408-30-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1408-28-0x00000000071D0000-0x0000000007205000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1448-16-0x00007FFFFE253000-0x00007FFFFE255000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1448-15-0x0000000000690000-0x000000000069A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1448-14-0x00007FFFFE253000-0x00007FFFFE255000-memory.dmp

    Filesize

    8KB

    Download