Overview

overview

10

Static

static

3

fee2c23776...c3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2024 12:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fee2c237760097b6770fb4b1ebd6c93e02bb408c054075757f91553809abe3c3.exe

  • Size

    762KB

  • MD5

    731c1b9da616046c4b397d3948838d38

  • SHA1

    00aa9cc61fe97a0007543aaac5618688aeeba11f

  • SHA256

    fee2c237760097b6770fb4b1ebd6c93e02bb408c054075757f91553809abe3c3

  • SHA512

    7d4ae5ae4361ceace0772b872ea9bf68a78c41f2b384e0ab1d4d39596000f5c95ccc3e326dcd98cf118525209ce13d096e90fc6e5fa924d84772ebb53fb7e58f

  • SSDEEP

    12288:Iy90aKeUzw82OB1obc4H3UzMzS2Hlq9s4xK8Owx548X9D2MFNUcwY:Iy8e8w8X1v2//Hlqy4pOO48X/UcwY

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fee2c237760097b6770fb4b1ebd6c93e02bb408c054075757f91553809abe3c3.exe
    "C:\Users\Admin\AppData\Local\Temp\fee2c237760097b6770fb4b1ebd6c93e02bb408c054075757f91553809abe3c3.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4440
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un249346.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un249346.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4424
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr855650.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr855650.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4892
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1080
          4⤵
          • Program crash
          PID:976
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu751984.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu751984.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1776
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4892 -ip 4892
    1⤵
      PID:4568

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un249346.exe
      Filesize

      608KB

      MD5

      6c89db7e984d687fe8612de852dfcd09

      SHA1

      30af7efa5ae13ff1271ceb2fa29596c625f9190b

      SHA256

      72d540cc6f539d16777769039bb1a4844631218392ea0e88b08bb83d5be7d16d

      SHA512

      3cf9814b255b257fa83b14860baff6452e2538da5b8dee774975b88a20f57882def4a4ccd39318f291e96c00981f0e5e7af65f909b79d16ba2122bab876eb120

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr855650.exe
      Filesize

      403KB

      MD5

      8d6f683cc8dffca5c537e6274ea2e65b

      SHA1

      bf680fbbc8ba2ea450a4b22359531e9363acbf4b

      SHA256

      279e28501cc1a531ad6b2bdc556dee291ed8a93324c09c79bcb8fd8e05757775

      SHA512

      8a4bc03b1e518752b57eef8b15bd3bc175ff119b627a37fe42b05f6823829a6a7a53968e2efdaa0e31436987f6639dfac26bad1d9e9b04a1fb4299561f00ae28

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu751984.exe
      Filesize

      485KB

      MD5

      3ab0f83f39c073741f0a955b30e1f215

      SHA1

      d41048df8796bc112d18fb971e14fa997f4e526d

      SHA256

      6fb7537cfb4e5be061f1ddda59fc9aa32cb0cbf8184f1c8410add13f8c24c966

      SHA512

      fb7f8e58f6e048197aea4e606e13737c0d4fbccb57b6ea20252f5a0c3189ee220dfc2f2c059530458299178c1730ad581d729c35bb205e61e4fc6fd6e1704bb3

      Download Submit

    • memory/1776-76-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1776-80-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1776-856-0x0000000007FB0000-0x0000000007FC2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1776-855-0x0000000007990000-0x0000000007FA8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1776-63-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1776-64-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1776-68-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1776-70-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1776-72-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1776-74-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1776-858-0x00000000080E0000-0x000000000811C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1776-859-0x00000000026D0000-0x000000000271C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1776-78-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1776-857-0x0000000007FD0000-0x00000000080DA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1776-82-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1776-84-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1776-86-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1776-88-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1776-90-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1776-92-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1776-94-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1776-96-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1776-66-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1776-62-0x0000000002AB0000-0x0000000002AEA000-memory.dmp

      Filesize

      232KB

      Download

    • memory/1776-61-0x00000000028D0000-0x000000000290C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4892-45-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4892-55-0x0000000000400000-0x000000000080A000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4892-56-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4892-52-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4892-51-0x0000000002340000-0x000000000236D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/4892-50-0x00000000008D0000-0x00000000009D0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/4892-22-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4892-26-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4892-27-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4892-31-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4892-33-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4892-35-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4892-37-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4892-39-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4892-41-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4892-43-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4892-47-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4892-49-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4892-29-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4892-23-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4892-21-0x0000000004DA0000-0x0000000004DB8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4892-20-0x0000000004E50000-0x00000000053F4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4892-19-0x0000000002620000-0x000000000263A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4892-18-0x0000000000400000-0x000000000080A000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4892-17-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4892-16-0x0000000002340000-0x000000000236D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/4892-15-0x00000000008D0000-0x00000000009D0000-memory.dmp

      Filesize

      1024KB

      Download