Overview

overview

10

Static

static

3

2e88144163...b0.exe

windows7-x64

10

2e88144163...b0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/07/2023, 09:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2e88144163915f2e62a5ad9b0.exe

  • Size

    791KB

  • MD5

    2e88144163915f2e62a5ad9b05d1e0e5

  • SHA1

    1f23787d31bbd8b2cc5a5fbeeadea1688e09502c

  • SHA256

    9fb2817fe1508ac672701e6733dbbd930f6c87e641ea8686ed874ba25a86a451

  • SHA512

    cbbb1df2e1afc8b3c25b2fd8ca49e6dffc56fe2059214c9db7001c85bf0bd8fcc05385d92213535e8134e6c39044be490320aef624f43c13b72bf576ee0f8623

  • SSDEEP

    12288:D/48fvjaRdnQgtS/nQ/e4TFHE4Zi0OPadQbVCJZoeyVgQlgDc4SzfvR2FN1G:D/4Wvj82gtgz4hk4Z/ObWu0A/x2M

Score
10/10
healerredlinenormdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.68.70:19073

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Signatures

  • Detects Healer an antivirus disabler dropper 4 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e88144163915f2e62a5ad9b0.exe
    "C:\Users\Admin\AppData\Local\Temp\2e88144163915f2e62a5ad9b0.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8164498.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8164498.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3816
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5783051.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5783051.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3184
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6682303.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6682303.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4608
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7156130.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7156130.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2840
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4258095.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4258095.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1232
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8402628.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8402628.exe
          4⤵
          • Executes dropped EXE
          PID:3160

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8164498.exe
    Filesize

    522KB

    MD5

    4ad904e4249ba957b76394c687136e0b

    SHA1

    b8d632b1f8656aef1ce6cf389384dd7760e6b6fc

    SHA256

    95d3db4d4c2e102e813455406b2c3a5cd277f3ab02744462832556e6c1406293

    SHA512

    fb2eaf6176ea5565cff570c3c04b28be4f21ab702c034b1f6da10642099fa23928d32d0b499f05baf06fbecc69d7ccd4eec2d013cf15db070ab38cddc984d782

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8164498.exe
    Filesize

    522KB

    MD5

    4ad904e4249ba957b76394c687136e0b

    SHA1

    b8d632b1f8656aef1ce6cf389384dd7760e6b6fc

    SHA256

    95d3db4d4c2e102e813455406b2c3a5cd277f3ab02744462832556e6c1406293

    SHA512

    fb2eaf6176ea5565cff570c3c04b28be4f21ab702c034b1f6da10642099fa23928d32d0b499f05baf06fbecc69d7ccd4eec2d013cf15db070ab38cddc984d782

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5783051.exe
    Filesize

    397KB

    MD5

    b0b989799a1f4df95d976d795c524db2

    SHA1

    2672db6069f871aee3fd49e3ee331f13bcd21523

    SHA256

    283a898e75ad263b7e04a23df01d3ebefea7c1ac6942bd46eace75749e33c782

    SHA512

    bdb795d7941b8ef866d5de69cf5f0f8d642f01b992b42dcedc3b78132d46259f1cc0e4cc619d0407de2bc854211b1251aa7b1078b7cb462808d1222a7145ada6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5783051.exe
    Filesize

    397KB

    MD5

    b0b989799a1f4df95d976d795c524db2

    SHA1

    2672db6069f871aee3fd49e3ee331f13bcd21523

    SHA256

    283a898e75ad263b7e04a23df01d3ebefea7c1ac6942bd46eace75749e33c782

    SHA512

    bdb795d7941b8ef866d5de69cf5f0f8d642f01b992b42dcedc3b78132d46259f1cc0e4cc619d0407de2bc854211b1251aa7b1078b7cb462808d1222a7145ada6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8402628.exe
    Filesize

    258KB

    MD5

    0d85ff34516aee59f4ae23476d117c0f

    SHA1

    c129060ffddcc2d262ffe3d7c02c22febb834e6c

    SHA256

    b68055c15315dacca7e51ddbbdcebc908176f0d18185bedd0664f7b0b52f2fd7

    SHA512

    e918fcd0ea9519b9f2e3cbb5918797498a058269820ce35a7658d311ec5d74e77d18d344c808a5f2c4a21d37787f405ba81925db08fc5f41b1459b4cf9258ebc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8402628.exe
    Filesize

    258KB

    MD5

    0d85ff34516aee59f4ae23476d117c0f

    SHA1

    c129060ffddcc2d262ffe3d7c02c22febb834e6c

    SHA256

    b68055c15315dacca7e51ddbbdcebc908176f0d18185bedd0664f7b0b52f2fd7

    SHA512

    e918fcd0ea9519b9f2e3cbb5918797498a058269820ce35a7658d311ec5d74e77d18d344c808a5f2c4a21d37787f405ba81925db08fc5f41b1459b4cf9258ebc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6682303.exe
    Filesize

    197KB

    MD5

    54261d3bb4f2a1103070e39c05413718

    SHA1

    3eb395c8a83f062a179fcaac437a8aaffe98c8a0

    SHA256

    de0224b705cd8ddf33bcc9386db8ea890279a7267079bde17eac734f5c74ee07

    SHA512

    bbb14bc348a04981c9111ff37210034c880d9ce32f4cb66bc97099df22ef7e2cc0d65a5ba71f2e572f32a33aa1c08105b2aca900bc96a79e3efe450ded05afc9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6682303.exe
    Filesize

    197KB

    MD5

    54261d3bb4f2a1103070e39c05413718

    SHA1

    3eb395c8a83f062a179fcaac437a8aaffe98c8a0

    SHA256

    de0224b705cd8ddf33bcc9386db8ea890279a7267079bde17eac734f5c74ee07

    SHA512

    bbb14bc348a04981c9111ff37210034c880d9ce32f4cb66bc97099df22ef7e2cc0d65a5ba71f2e572f32a33aa1c08105b2aca900bc96a79e3efe450ded05afc9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7156130.exe
    Filesize

    96KB

    MD5

    c4eb36fa9a3985f3365c1d72c2203597

    SHA1

    cd310bbe01530ac5cbdb9846226b34682cf90211

    SHA256

    4829458dd7e6e0c57b92d76e0b8f1e63cbf9e1766831baf81f44e3e6ace7f26f

    SHA512

    4728ff3a7d4fa9580208e908523d51ee6cbf346d87f6830cba3b9691c151d09feb76bc01a173e6b4b405c55fb7ba6ce8d737162df7e7e45983b9450b6062b461

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7156130.exe
    Filesize

    96KB

    MD5

    c4eb36fa9a3985f3365c1d72c2203597

    SHA1

    cd310bbe01530ac5cbdb9846226b34682cf90211

    SHA256

    4829458dd7e6e0c57b92d76e0b8f1e63cbf9e1766831baf81f44e3e6ace7f26f

    SHA512

    4728ff3a7d4fa9580208e908523d51ee6cbf346d87f6830cba3b9691c151d09feb76bc01a173e6b4b405c55fb7ba6ce8d737162df7e7e45983b9450b6062b461

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4258095.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4258095.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • memory/1232-176-0x0000000000F30000-0x0000000000F3A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2428-133-0x0000000000910000-0x00000000009C6000-memory.dmp

    Filesize

    728KB

    Download

  • memory/2840-167-0x00000000001F0000-0x00000000001FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3160-181-0x0000000000790000-0x00000000007C0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3160-186-0x0000000004D20000-0x0000000005338000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3160-187-0x0000000005340000-0x000000000544A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3160-188-0x0000000005480000-0x0000000005492000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3160-190-0x00000000054A0000-0x00000000054DC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3160-189-0x0000000004C10000-0x0000000004C20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3160-191-0x0000000004C10000-0x0000000004C20000-memory.dmp

    Filesize

    64KB

    Download