Overview

overview

10

Static

static

1

dda01c237c...e1.exe

windows7-x64

10

dda01c237c...e1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/07/2023, 18:46

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    dda01c237c5a096170569ede1.exe

  • Size

    538KB

  • MD5

    dda01c237c5a096170569ede178fd7fa

  • SHA1

    763e08f979c863fcd77b327f216ad407555d78b7

  • SHA256

    edd2dc4b0833fb089b241f0a2493766d2c70efaf339162462672af68ea310e43

  • SHA512

    be51481d3573444d5107471e4716118d71a2bb44d9a231bb3efe6dfff3c806ac6d6c29c987429be59766d3b5c0db186ef56dd93f4889b0f9972fd469ac14d638

  • SSDEEP

    12288:a08ajz47lupda9C3Bw2UJ4M0BQEjM3En46MD2:xn47ApdaCxwDJPQME46Q

Score
10/10
healerredlinekiradropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

kira

C2

77.91.68.48:19071

Attributes
  • auth_value

    1677a40fd8997eb89377e1681911e9c6

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dda01c237c5a096170569ede1.exe
    "C:\Users\Admin\AppData\Local\Temp\dda01c237c5a096170569ede1.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3488
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3709405.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3709405.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4440
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3313261.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3313261.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4288
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5243723.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5243723.exe
        3⤵
        • Executes dropped EXE
        PID:2568

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
          Filesize

          226B

          MD5

          916851e072fbabc4796d8916c5131092

          SHA1

          d48a602229a690c512d5fdaf4c8d77547a88e7a2

          SHA256

          7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

          SHA512

          07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3709405.exe
          Filesize

          261KB

          MD5

          5c337651e659f0fdf6b2985370c10296

          SHA1

          d1ed1e012b0bcb16ceceacac9b7f6f28f8db8ac9

          SHA256

          65dbaf45456a3d87e3ea00e8aaff49c25472b0bc27ff3b0b1db5d8c39147565b

          SHA512

          fe624bb86b61d39d460fcb97de6220907c938d468f7222e33b5ed9dac4d2243989c7c0592b37c64c1421096c322f34c8dc7106138bc195f8f23f1f3b50907bad

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3709405.exe
          Filesize

          261KB

          MD5

          5c337651e659f0fdf6b2985370c10296

          SHA1

          d1ed1e012b0bcb16ceceacac9b7f6f28f8db8ac9

          SHA256

          65dbaf45456a3d87e3ea00e8aaff49c25472b0bc27ff3b0b1db5d8c39147565b

          SHA512

          fe624bb86b61d39d460fcb97de6220907c938d468f7222e33b5ed9dac4d2243989c7c0592b37c64c1421096c322f34c8dc7106138bc195f8f23f1f3b50907bad

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3313261.exe
          Filesize

          104KB

          MD5

          9e04361d8c1b97863f881b44d21556e8

          SHA1

          964e3f32eb4b05b0440a494dd7bad40149e1803c

          SHA256

          53dcdcfcd5b9789a7dc1513c2c7e0fc74546554374b79fd4cff902d7a0544157

          SHA512

          6a01e26c8f3a9820c79eaa4d1051f91458c517510f9e90c194732f58d0b33ed1c2cdcaaa854e93d2d7e57b2c460f5d3a98276284323b9205a86edc5444cb2a05

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3313261.exe
          Filesize

          104KB

          MD5

          9e04361d8c1b97863f881b44d21556e8

          SHA1

          964e3f32eb4b05b0440a494dd7bad40149e1803c

          SHA256

          53dcdcfcd5b9789a7dc1513c2c7e0fc74546554374b79fd4cff902d7a0544157

          SHA512

          6a01e26c8f3a9820c79eaa4d1051f91458c517510f9e90c194732f58d0b33ed1c2cdcaaa854e93d2d7e57b2c460f5d3a98276284323b9205a86edc5444cb2a05

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5243723.exe
          Filesize

          266KB

          MD5

          1d04dcd5023a0641cdcc5d98523c59a8

          SHA1

          fa1050ab6a10ab231f07baae9e76a1372f8f6747

          SHA256

          c6951984d77b9bfd95a6b1453d14cbd05e0b897fe5eb260edf717684cacdd0ef

          SHA512

          536c21e666e2d4bd5e418d4873b01501828d92ba9c33a7ea2765453a5cd4c35fd1ec6dbc6ce2f9b370047d4178182eb3743102205fddec8d3fe11aafe2b36c48

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5243723.exe
          Filesize

          266KB

          MD5

          1d04dcd5023a0641cdcc5d98523c59a8

          SHA1

          fa1050ab6a10ab231f07baae9e76a1372f8f6747

          SHA256

          c6951984d77b9bfd95a6b1453d14cbd05e0b897fe5eb260edf717684cacdd0ef

          SHA512

          536c21e666e2d4bd5e418d4873b01501828d92ba9c33a7ea2765453a5cd4c35fd1ec6dbc6ce2f9b370047d4178182eb3743102205fddec8d3fe11aafe2b36c48

          Download Submit

        • memory/2568-162-0x0000000000450000-0x0000000000480000-memory.dmp

          Filesize

          192KB

          Download

        • memory/2568-167-0x000000000A440000-0x000000000AA58000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/2568-168-0x0000000009EB0000-0x0000000009FBA000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/2568-169-0x0000000009FF0000-0x000000000A002000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2568-170-0x000000000A010000-0x000000000A04C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/2568-171-0x0000000004950000-0x0000000004960000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2568-172-0x0000000004950000-0x0000000004960000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3488-133-0x0000000000560000-0x00000000005D4000-memory.dmp

          Filesize

          464KB

          Download

        • memory/4288-153-0x00000000001F0000-0x00000000001FA000-memory.dmp

          Filesize

          40KB

          Download