Overview

overview

10

Static

static

3

589663abea...fd.exe

windows7-x64

10

589663abea...fd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/07/2023, 20:26

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    589663abea8108ec363031ffd.exe

  • Size

    784KB

  • MD5

    589663abea8108ec363031ffd154f7f8

  • SHA1

    265348031aa42552591046bab16387cb14e22ce8

  • SHA256

    8186a9fa53725a8f57b0375cd218229780e15553ae3229024ac0ec9e4d6ccee3

  • SHA512

    6be9b5c36cfd26e5c9f8123892bf74347217a1fb1648cae43c894825b779b4f7b03835b8a542a462a79ba51eddce0c33270c0818890c5b6e8f655c8c907bcbff

  • SSDEEP

    24576:NBcgHAvD82gdopERgBw7q4Hl/5g26hUUs:NB5gQ/opEqCbl/5gDs

Score
10/10
healerredlinenormdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.68.70:19073

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Signatures

  • Detects Healer an antivirus disabler dropper 4 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\589663abea8108ec363031ffd.exe
    "C:\Users\Admin\AppData\Local\Temp\589663abea8108ec363031ffd.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1604
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7993225.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7993225.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3956
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8615335.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8615335.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2728
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4285211.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4285211.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1616
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3312575.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3312575.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1220
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2119938.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2119938.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4872
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6528360.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6528360.exe
          4⤵
          • Executes dropped EXE
          PID:3936

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
          Filesize

          226B

          MD5

          916851e072fbabc4796d8916c5131092

          SHA1

          d48a602229a690c512d5fdaf4c8d77547a88e7a2

          SHA256

          7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

          SHA512

          07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7993225.exe
          Filesize

          518KB

          MD5

          bd1f3fa39b64311b23623de7277b9aba

          SHA1

          0a5b8683d09ac7314eaae0bc14d8eddcee018c77

          SHA256

          0f5bdf737e2e3056c69a9cbd521ef4d830917742165e805244a1cdab10090fb6

          SHA512

          7eaad32fb1adcd3691627b18555d64c40dd5550e8192cef622124f260cda8186d71e917c81a1100898f6c5a3e1577ca0f8a03c8e1e1ae3679ac4d97db2075de6

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7993225.exe
          Filesize

          518KB

          MD5

          bd1f3fa39b64311b23623de7277b9aba

          SHA1

          0a5b8683d09ac7314eaae0bc14d8eddcee018c77

          SHA256

          0f5bdf737e2e3056c69a9cbd521ef4d830917742165e805244a1cdab10090fb6

          SHA512

          7eaad32fb1adcd3691627b18555d64c40dd5550e8192cef622124f260cda8186d71e917c81a1100898f6c5a3e1577ca0f8a03c8e1e1ae3679ac4d97db2075de6

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8615335.exe
          Filesize

          393KB

          MD5

          38b2bead61a685ccd7b00c71ecb0b49d

          SHA1

          6046dfc1d75c780f3a21da015e3d3a73ffe3bd17

          SHA256

          867fd59b4bef3c1c4af58fabdc3ea685bca5e317f218979bf14872c92344dc3d

          SHA512

          1aa8e83759103a879542589aeb6711cfff1cc2fa2cb8dd76ad287e9090e595c3e69d3ccdd71289dbdbdfb42cfcaa28fb7d745f00ae195c7cd8edd0366a324582

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8615335.exe
          Filesize

          393KB

          MD5

          38b2bead61a685ccd7b00c71ecb0b49d

          SHA1

          6046dfc1d75c780f3a21da015e3d3a73ffe3bd17

          SHA256

          867fd59b4bef3c1c4af58fabdc3ea685bca5e317f218979bf14872c92344dc3d

          SHA512

          1aa8e83759103a879542589aeb6711cfff1cc2fa2cb8dd76ad287e9090e595c3e69d3ccdd71289dbdbdfb42cfcaa28fb7d745f00ae195c7cd8edd0366a324582

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6528360.exe
          Filesize

          255KB

          MD5

          e74afc0f02d55119238fc4f2864ef82a

          SHA1

          200f4bd21af4756ee041ed243406ea4e8abec90f

          SHA256

          ecbf08ea3c9042481d1a3941127eaa733ec09b7f01b66c245858d3cde76c209f

          SHA512

          f5dfb07b3b43a162f12b3e40201c0132252fe59805204b975c7814d5138375d1c90c5055b8ba7e6c66f763cabff4ca3ed001a86c52ed5b7f7c194c4b27258476

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6528360.exe
          Filesize

          255KB

          MD5

          e74afc0f02d55119238fc4f2864ef82a

          SHA1

          200f4bd21af4756ee041ed243406ea4e8abec90f

          SHA256

          ecbf08ea3c9042481d1a3941127eaa733ec09b7f01b66c245858d3cde76c209f

          SHA512

          f5dfb07b3b43a162f12b3e40201c0132252fe59805204b975c7814d5138375d1c90c5055b8ba7e6c66f763cabff4ca3ed001a86c52ed5b7f7c194c4b27258476

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4285211.exe
          Filesize

          195KB

          MD5

          54faec35e5aa37c6176541968dded2e8

          SHA1

          b905a0fc971f9c280373bef9b9d3e478e0e91caa

          SHA256

          7499943f4c7c0286826036154271afad05c620d4e145d212530d580ba2bb9cf9

          SHA512

          40b4149290faf0ac454505827b3a4221ea4391e55206406198daee42cf9f0710d9c83e51c050b1e4ce10e250d751282d4334f221e5d8a9306899563c6cbc233d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4285211.exe
          Filesize

          195KB

          MD5

          54faec35e5aa37c6176541968dded2e8

          SHA1

          b905a0fc971f9c280373bef9b9d3e478e0e91caa

          SHA256

          7499943f4c7c0286826036154271afad05c620d4e145d212530d580ba2bb9cf9

          SHA512

          40b4149290faf0ac454505827b3a4221ea4391e55206406198daee42cf9f0710d9c83e51c050b1e4ce10e250d751282d4334f221e5d8a9306899563c6cbc233d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3312575.exe
          Filesize

          94KB

          MD5

          c4c3fd2ee829367c26b6480de480b9dd

          SHA1

          99a499b57b7e73d609ee58797beaf1409a9db8a7

          SHA256

          aeec8780bdade38ebb5c4c328d20c0efe9f9791682b9c14ff0d233b860f9b312

          SHA512

          a279a22fe7e5758f49c1235900d095dcc13e3280c4350625586d66cfe9e6f9ac5ddf5e28625f4142e67b62a7a4ed2c977d296e410c8e870b8ccb2c2b391999ff

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3312575.exe
          Filesize

          94KB

          MD5

          c4c3fd2ee829367c26b6480de480b9dd

          SHA1

          99a499b57b7e73d609ee58797beaf1409a9db8a7

          SHA256

          aeec8780bdade38ebb5c4c328d20c0efe9f9791682b9c14ff0d233b860f9b312

          SHA512

          a279a22fe7e5758f49c1235900d095dcc13e3280c4350625586d66cfe9e6f9ac5ddf5e28625f4142e67b62a7a4ed2c977d296e410c8e870b8ccb2c2b391999ff

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2119938.exe
          Filesize

          11KB

          MD5

          7e93bacbbc33e6652e147e7fe07572a0

          SHA1

          421a7167da01c8da4dc4d5234ca3dd84e319e762

          SHA256

          850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

          SHA512

          250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2119938.exe
          Filesize

          11KB

          MD5

          7e93bacbbc33e6652e147e7fe07572a0

          SHA1

          421a7167da01c8da4dc4d5234ca3dd84e319e762

          SHA256

          850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

          SHA512

          250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

          Download Submit

        • memory/1220-167-0x00000000001F0000-0x00000000001FA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1604-133-0x00000000007B0000-0x0000000000864000-memory.dmp

          Filesize

          720KB

          Download

        • memory/3936-181-0x0000000000440000-0x0000000000470000-memory.dmp

          Filesize

          192KB

          Download

        • memory/3936-186-0x0000000009FA0000-0x000000000A5B8000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/3936-187-0x000000000A610000-0x000000000A71A000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3936-188-0x000000000A750000-0x000000000A762000-memory.dmp

          Filesize

          72KB

          Download

        • memory/3936-189-0x000000000A770000-0x000000000A7AC000-memory.dmp

          Filesize

          240KB

          Download

        • memory/3936-190-0x0000000002580000-0x0000000002590000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3936-191-0x0000000002580000-0x0000000002590000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4872-176-0x0000000000650000-0x000000000065A000-memory.dmp

          Filesize

          40KB

          Download