Overview

overview

10

Static

static

3

ed364a0a5e...50.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-02-2025 06:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ed364a0a5ed2b3d00214914f9bda1f3e393a6b17186b79a9644bfadfb791a950.exe

  • Size

    1.5MB

  • MD5

    acb49e7150e8de6ad028bf9717999d89

  • SHA1

    877004bd51b35668cb1901976c514ab8a1576cca

  • SHA256

    ed364a0a5ed2b3d00214914f9bda1f3e393a6b17186b79a9644bfadfb791a950

  • SHA512

    c52f57cbc7ca69c7b6048c22fccf85c668f5fc5185c8478935b1596fa1fa669f2be24765049db75211364b68aea19397fd52344989677350bf52f05b1cb1fb27

  • SSDEEP

    24576:nyzcH+z3JwCgyAuIW9VPJe+MvTnfZjD1VduzJ0lnWp+RjPs6JfDnVB6Fw:yzcH8Nnhe+onZhVcF0lWpSPsULnV0

Score
10/10
healerredlinedefense_evasiondiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    defense_evasiontrojan
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
    defense_evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    defense_evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed364a0a5ed2b3d00214914f9bda1f3e393a6b17186b79a9644bfadfb791a950.exe
    "C:\Users\Admin\AppData\Local\Temp\ed364a0a5ed2b3d00214914f9bda1f3e393a6b17186b79a9644bfadfb791a950.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4768
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki151541.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki151541.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1032
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki639301.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki639301.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4732
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki684940.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki684940.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4588
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki630022.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki630022.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3888
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az303392.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az303392.exe
              6⤵
              • Modifies Windows Defender DisableAntiSpyware settings
              • Modifies Windows Defender Real-time Protection settings
              • Modifies Windows Defender TamperProtection settings
              • Modifies Windows Defender notification settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4496
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu541062.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu541062.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:3936
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:3872

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki151541.exe
    Filesize

    1.2MB

    MD5

    e089fe4a9d6d96028ef3dc2dbba6ac58

    SHA1

    a81d011a67cc6e90e5f35222cce64bae56110a3a

    SHA256

    c4e0f4ddc88b3f73acfdb076425c8a0df685f49b7ca731e806a1982361075158

    SHA512

    d706b1ab21f851a9e9f98ea1cd5b4f60a5921df94379e3ca423b3cca3b723f1cbadaf35ff1a16c8edbea8fa04fa780cfcfd9a063a8631a27d9400ec6d5d5575a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki639301.exe
    Filesize

    1.1MB

    MD5

    6e66e9495c002fec13f20d1142e8c3e9

    SHA1

    8e64460abc615681bcecf7f2212fef5b4a5d6639

    SHA256

    d732011f730bbb5fa6a3635ac487ebb0417bbf3a924016d5ac6bd0017d32fb26

    SHA512

    0ab7cb4c49a0207333d5c89dbfa0ddf01c4e086d6941c8e02e1c39a88261cc640c4b449a9c9ad8a1b74d5287670a195fe13bacc4c89374b22206df1c4d99d8d5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki684940.exe
    Filesize

    805KB

    MD5

    99d969488ced14e24472733ee50432b4

    SHA1

    0222f2a0772c4b4171f4236c655b530cc5ec8d6f

    SHA256

    dae5667b1ad784f9c50915c3b6457c4145dd306e25804f303c4c5e22bdee30a2

    SHA512

    931402971c2dc60814944ab9478f81b88fcff036146b08dd425806095dd04bdc357dc7c095fc414d46782069c69d0ba3aa9da5b5d25a0e2f9aa516e4952106ba

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki630022.exe
    Filesize

    468KB

    MD5

    595b6bef1c00e8d2da4029f1b54792a9

    SHA1

    f6f4cf0cae1d6d6bd2b98e0645af98c6058c44da

    SHA256

    e5fc57c5d1989a610f843898f7d61317acc9a29211d9ba466eb331826800ed3c

    SHA512

    dc053586862669626ce502d89a1f4a14753cf5102e67b2d84400accbcc6889271cb3162ec4542edd90b010ad7e86993d515f029eb5088d2d1b52f08e62ed883c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az303392.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu541062.exe
    Filesize

    485KB

    MD5

    386c4bedebb33cbb6513771f4acd6850

    SHA1

    f01f0ad3b877f2f1c625f82372d79a382f5a5cf1

    SHA256

    2b38046aec3016bc70b3b6fd95a2e23cf6b7bb51ec1c017a0195606996697295

    SHA512

    4267d962a100db0cd6a62b15e048c7bfb3133f3663932dc1cbb344575553a5f67b694c1ba5aa08a255af0ff2c51cd450a9c005438b9c00fc3e25aeb67ba4ed0e

    Download Submit

  • memory/3936-79-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3936-73-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3936-42-0x0000000004EC0000-0x0000000005464000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3936-43-0x0000000004E20000-0x0000000004E5A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3936-57-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3936-55-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3936-107-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3936-103-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3936-101-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3936-99-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3936-97-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3936-95-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3936-93-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3936-91-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3936-89-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3936-87-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3936-85-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3936-83-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3936-840-0x00000000025E0000-0x000000000262C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3936-77-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3936-75-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3936-41-0x0000000002900000-0x000000000293C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3936-71-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3936-69-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3936-67-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3936-65-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3936-63-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3936-61-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3936-59-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3936-53-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3936-51-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3936-49-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3936-105-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3936-81-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3936-47-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3936-45-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3936-44-0x0000000004E20000-0x0000000004E55000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3936-836-0x00000000078F0000-0x0000000007F08000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3936-837-0x0000000007F90000-0x0000000007FA2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3936-838-0x0000000007FB0000-0x00000000080BA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3936-839-0x00000000080D0000-0x000000000810C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4496-35-0x0000000000730000-0x000000000073A000-memory.dmp

    Filesize

    40KB

    Download