Overview

overview

10

Static

static

3

7b76520e2f...d6.exe

windows7-x64

10

7b76520e2f...d6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-07-2023 16:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7b76520e2f364efdf2d3ee2d6.exe

  • Size

    528KB

  • MD5

    7b76520e2f364efdf2d3ee2d632ce92b

  • SHA1

    8eb41a2bf5318b77c68eb29573db33ce1697fd75

  • SHA256

    65c758ae3a7552d5e41a153fe2dc8af896269ede3fedb6e653d815505ff372ad

  • SHA512

    e29bbf0eaebe6c45f372e2fa6e5707153af0ea7680abfefebde197807b4d4b7e78e6f8b146a9d8dd79f0986f0081921f61517b2c54da3e5e6f4320c53cfe9be6

  • SSDEEP

    12288:ShQPfveaRdnQgouHfYvCM58KOf/65hXffqH/E6kk0:ShQ3ve82gPSg+PCshZ

Score
10/10
healerredlinefuroddropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

furod

C2

77.91.68.70:19073

Attributes
  • auth_value

    d2386245fe11799b28b4521492a5879d

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b76520e2f364efdf2d3ee2d6.exe
    "C:\Users\Admin\AppData\Local\Temp\7b76520e2f364efdf2d3ee2d6.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7204929.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7204929.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4100
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3959801.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3959801.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1404
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0096440.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0096440.exe
        3⤵
        • Executes dropped EXE
        PID:2428

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7204929.exe
    Filesize

    260KB

    MD5

    122e09911c41b12bc65b8a266824431d

    SHA1

    8968b2416993064235f5bde0ab12c7ba61d94f26

    SHA256

    df198973dc86bcb8e5da4512912808b78146ab1799cec9a64338fc8a7f245bad

    SHA512

    19f054e6b276987daac1ac43923d580d933e5c9b63d8d7419520a10384f52a73c50ef20bebd52ab67ff47113cfc9bc5126ee90e414eda2a923b0fd2a246de0cd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7204929.exe
    Filesize

    260KB

    MD5

    122e09911c41b12bc65b8a266824431d

    SHA1

    8968b2416993064235f5bde0ab12c7ba61d94f26

    SHA256

    df198973dc86bcb8e5da4512912808b78146ab1799cec9a64338fc8a7f245bad

    SHA512

    19f054e6b276987daac1ac43923d580d933e5c9b63d8d7419520a10384f52a73c50ef20bebd52ab67ff47113cfc9bc5126ee90e414eda2a923b0fd2a246de0cd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3959801.exe
    Filesize

    96KB

    MD5

    7ef7c67056ba9e2836fd6b621fa44184

    SHA1

    c7a4d2e2eb888709ac7c222d573c265ad6d37daa

    SHA256

    71bf5d3fcaf5563347fbfb9383e4bc71e9230859dd70a1a31e12ffa19b3bb841

    SHA512

    7b219c25ffeff09433481797c20a9e2ffde5cbf6690a6ce52998ad654db9d6c5da774f281dc2df7ad002bf416d10a165ceb97a5d19fbb110760b6d3bbc3be4b0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3959801.exe
    Filesize

    96KB

    MD5

    7ef7c67056ba9e2836fd6b621fa44184

    SHA1

    c7a4d2e2eb888709ac7c222d573c265ad6d37daa

    SHA256

    71bf5d3fcaf5563347fbfb9383e4bc71e9230859dd70a1a31e12ffa19b3bb841

    SHA512

    7b219c25ffeff09433481797c20a9e2ffde5cbf6690a6ce52998ad654db9d6c5da774f281dc2df7ad002bf416d10a165ceb97a5d19fbb110760b6d3bbc3be4b0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0096440.exe
    Filesize

    257KB

    MD5

    11876ec1eee54ebe35b4b2e67919b591

    SHA1

    6379414df009f6df98660a580becdfbb4c092cea

    SHA256

    8d19faa861a48ed9af5c5390f4943202c050fe82dfb26882a9342e9e187b9e9c

    SHA512

    113cb68aa0a9dd0e6ab363ac1915708a2ed840c21f3f43d2aa2cf88ffdc001815154331daa970596875b4f307eda5d1711d19bb796c419e499304c4782b2b2d1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0096440.exe
    Filesize

    257KB

    MD5

    11876ec1eee54ebe35b4b2e67919b591

    SHA1

    6379414df009f6df98660a580becdfbb4c092cea

    SHA256

    8d19faa861a48ed9af5c5390f4943202c050fe82dfb26882a9342e9e187b9e9c

    SHA512

    113cb68aa0a9dd0e6ab363ac1915708a2ed840c21f3f43d2aa2cf88ffdc001815154331daa970596875b4f307eda5d1711d19bb796c419e499304c4782b2b2d1

    Download Submit

  • memory/1404-153-0x00000000001F0000-0x00000000001FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2244-133-0x00000000007B0000-0x0000000000824000-memory.dmp

    Filesize

    464KB

    Download

  • memory/2428-162-0x0000000000570000-0x00000000005A0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2428-167-0x000000000A710000-0x000000000AD28000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2428-168-0x000000000A140000-0x000000000A24A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2428-169-0x000000000A280000-0x000000000A292000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2428-170-0x000000000A2A0000-0x000000000A2DC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2428-171-0x0000000004C20000-0x0000000004C30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2428-172-0x0000000004C20000-0x0000000004C30000-memory.dmp

    Filesize

    64KB

    Download