Overview

overview

10

Static

static

3

edcd11e45e...06.exe

windows7-x64

10

edcd11e45e...06.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20230703-en
  • resource tags

    arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
  • submitted
    12/07/2023, 01:27 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    edcd11e45efed930a5a9563c77aa25c91d52061edd71739f3b01b63568f9d706.exe

  • Size

    1.5MB

  • MD5

    606fbe646ebb4df5c3f5b54e46c0fdf1

  • SHA1

    8ff94dd2d2164452af6a4b3dcc070b3d83df1a08

  • SHA256

    edcd11e45efed930a5a9563c77aa25c91d52061edd71739f3b01b63568f9d706

  • SHA512

    a3d7c5481f3f5cf1a239b6c448a608868faec6801b098f4d5c922cbbd544b7b7e1751922f9ed2b395d33983886a60e4793cd1a0db507664fa00ec99182153379

  • SSDEEP

    49152:7ir0XAypplkMlIMLZ3RqJfPoH3SRm0QIrbQX:G0XAyJEMLZI4H3ADf

Score
10/10
healerredlinemashadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Signatures

  • Detects Healer an antivirus disabler dropper 5 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 13 IoCs
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\edcd11e45efed930a5a9563c77aa25c91d52061edd71739f3b01b63568f9d706.exe
    "C:\Users\Admin\AppData\Local\Temp\edcd11e45efed930a5a9563c77aa25c91d52061edd71739f3b01b63568f9d706.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3665369.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3665369.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9691337.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9691337.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:656
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4825974.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4825974.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2844
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4278579.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4278579.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2928
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5934250.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5934250.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1348
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8416204.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8416204.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:1804

Network

    No results found
  • 77.91.68.48:19071
    c8416204.exe
    152 B
     3
  • 77.91.68.48:19071
    c8416204.exe
    152 B
     3
  • 192.229.221.95:80
    46 B
     1
  • 77.91.68.48:19071
    c8416204.exe
    152 B
     3
  • 77.91.68.48:19071
    c8416204.exe
    152 B
     3
  • 77.91.68.48:19071
    c8416204.exe
    104 B
     2
No results found

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3665369.exe
    Filesize

    1.3MB

    MD5

    88773599612927c81ecef94a2c1cb259

    SHA1

    736875eb05d6591ff1a9685404958daa9ac738df

    SHA256

    3ae06bd179618c3c48444faded7da364e22e85b4131f0c400971d677460e5800

    SHA512

    3750866571c7a21ea0eed8697c1bfafefba56bc1bf38b74dbb262eed43a71da9f61a477544b19acc70bb3a73c26b3e386ffffb5aadef14908c9a5aec487a14f9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3665369.exe
    Filesize

    1.3MB

    MD5

    88773599612927c81ecef94a2c1cb259

    SHA1

    736875eb05d6591ff1a9685404958daa9ac738df

    SHA256

    3ae06bd179618c3c48444faded7da364e22e85b4131f0c400971d677460e5800

    SHA512

    3750866571c7a21ea0eed8697c1bfafefba56bc1bf38b74dbb262eed43a71da9f61a477544b19acc70bb3a73c26b3e386ffffb5aadef14908c9a5aec487a14f9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9691337.exe
    Filesize

    1.2MB

    MD5

    d04de7179f8c93e437ace78dd63a696f

    SHA1

    c95ef97c25606182390722946446f2f02d833923

    SHA256

    c851a481fffee75f3f360ae3f0827f8df9756435fd08ae4e60854573db317067

    SHA512

    02250e2205231677194bc37459dc21fea827ea89e2acbae2231e0031a0c535ae434d5773762886b70547e466d3af71c2d4368c3df4e34e9ca7c616a7ddc61197

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9691337.exe
    Filesize

    1.2MB

    MD5

    d04de7179f8c93e437ace78dd63a696f

    SHA1

    c95ef97c25606182390722946446f2f02d833923

    SHA256

    c851a481fffee75f3f360ae3f0827f8df9756435fd08ae4e60854573db317067

    SHA512

    02250e2205231677194bc37459dc21fea827ea89e2acbae2231e0031a0c535ae434d5773762886b70547e466d3af71c2d4368c3df4e34e9ca7c616a7ddc61197

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8416204.exe
    Filesize

    691KB

    MD5

    8538b3c88d840e9739967c70ffd433a3

    SHA1

    e072f6bffa09ebb88d2db47b23d98c5d85332926

    SHA256

    8fdd24124ab1156cf0f5b475254cb1405acb713249ba8b770e3e218c515db5b6

    SHA512

    efcc66e144067f4a54e92b6fe1d050ee8de4101d984d94e92c562f525d39850042e78d054b80fdf8299eb342bf4a5863b1cd9efc460aeea870845597692972e9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8416204.exe
    Filesize

    691KB

    MD5

    8538b3c88d840e9739967c70ffd433a3

    SHA1

    e072f6bffa09ebb88d2db47b23d98c5d85332926

    SHA256

    8fdd24124ab1156cf0f5b475254cb1405acb713249ba8b770e3e218c515db5b6

    SHA512

    efcc66e144067f4a54e92b6fe1d050ee8de4101d984d94e92c562f525d39850042e78d054b80fdf8299eb342bf4a5863b1cd9efc460aeea870845597692972e9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8416204.exe
    Filesize

    691KB

    MD5

    8538b3c88d840e9739967c70ffd433a3

    SHA1

    e072f6bffa09ebb88d2db47b23d98c5d85332926

    SHA256

    8fdd24124ab1156cf0f5b475254cb1405acb713249ba8b770e3e218c515db5b6

    SHA512

    efcc66e144067f4a54e92b6fe1d050ee8de4101d984d94e92c562f525d39850042e78d054b80fdf8299eb342bf4a5863b1cd9efc460aeea870845597692972e9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4825974.exe
    Filesize

    619KB

    MD5

    e13583e7ee42802adbeec105f49fce0c

    SHA1

    c4c756c6d8f337db93bf24230dc40e443155ba29

    SHA256

    6d2beed5cea3792f6114184da5355d0d9f4e8ae72a1eebb169d57e2f3ee10fec

    SHA512

    ad5d7df026cc83e4c7cd31783a8a32612ff7e2f6330f5184aba6576b5f1d8b13ca1a955483e40aee3fb04d41d78b0e57a408f17e8eb7bb3e0ed150136c23f76e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4825974.exe
    Filesize

    619KB

    MD5

    e13583e7ee42802adbeec105f49fce0c

    SHA1

    c4c756c6d8f337db93bf24230dc40e443155ba29

    SHA256

    6d2beed5cea3792f6114184da5355d0d9f4e8ae72a1eebb169d57e2f3ee10fec

    SHA512

    ad5d7df026cc83e4c7cd31783a8a32612ff7e2f6330f5184aba6576b5f1d8b13ca1a955483e40aee3fb04d41d78b0e57a408f17e8eb7bb3e0ed150136c23f76e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4278579.exe
    Filesize

    530KB

    MD5

    f7fd74cf9422244d88d0f989eab1bd5a

    SHA1

    3dea8ab8e08324c952a30dc0973e07556c73bcdd

    SHA256

    5e9c2e2a27311859ff0200fb786743589b04c5db27ce9696c32f01091f94deee

    SHA512

    0ff7e267e2e7940fb92d6f20f6aa1a05ccf33ecb2b975ab52db0c96ea0e1a4c3eab67562da3a70107ee3ed390559fd1a274f3c2db7531ed92be2934b1041dcc8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4278579.exe
    Filesize

    530KB

    MD5

    f7fd74cf9422244d88d0f989eab1bd5a

    SHA1

    3dea8ab8e08324c952a30dc0973e07556c73bcdd

    SHA256

    5e9c2e2a27311859ff0200fb786743589b04c5db27ce9696c32f01091f94deee

    SHA512

    0ff7e267e2e7940fb92d6f20f6aa1a05ccf33ecb2b975ab52db0c96ea0e1a4c3eab67562da3a70107ee3ed390559fd1a274f3c2db7531ed92be2934b1041dcc8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4278579.exe
    Filesize

    530KB

    MD5

    f7fd74cf9422244d88d0f989eab1bd5a

    SHA1

    3dea8ab8e08324c952a30dc0973e07556c73bcdd

    SHA256

    5e9c2e2a27311859ff0200fb786743589b04c5db27ce9696c32f01091f94deee

    SHA512

    0ff7e267e2e7940fb92d6f20f6aa1a05ccf33ecb2b975ab52db0c96ea0e1a4c3eab67562da3a70107ee3ed390559fd1a274f3c2db7531ed92be2934b1041dcc8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5934250.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5934250.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\v3665369.exe
    Filesize

    1.3MB

    MD5

    88773599612927c81ecef94a2c1cb259

    SHA1

    736875eb05d6591ff1a9685404958daa9ac738df

    SHA256

    3ae06bd179618c3c48444faded7da364e22e85b4131f0c400971d677460e5800

    SHA512

    3750866571c7a21ea0eed8697c1bfafefba56bc1bf38b74dbb262eed43a71da9f61a477544b19acc70bb3a73c26b3e386ffffb5aadef14908c9a5aec487a14f9

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\v3665369.exe
    Filesize

    1.3MB

    MD5

    88773599612927c81ecef94a2c1cb259

    SHA1

    736875eb05d6591ff1a9685404958daa9ac738df

    SHA256

    3ae06bd179618c3c48444faded7da364e22e85b4131f0c400971d677460e5800

    SHA512

    3750866571c7a21ea0eed8697c1bfafefba56bc1bf38b74dbb262eed43a71da9f61a477544b19acc70bb3a73c26b3e386ffffb5aadef14908c9a5aec487a14f9

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\v9691337.exe
    Filesize

    1.2MB

    MD5

    d04de7179f8c93e437ace78dd63a696f

    SHA1

    c95ef97c25606182390722946446f2f02d833923

    SHA256

    c851a481fffee75f3f360ae3f0827f8df9756435fd08ae4e60854573db317067

    SHA512

    02250e2205231677194bc37459dc21fea827ea89e2acbae2231e0031a0c535ae434d5773762886b70547e466d3af71c2d4368c3df4e34e9ca7c616a7ddc61197

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\v9691337.exe
    Filesize

    1.2MB

    MD5

    d04de7179f8c93e437ace78dd63a696f

    SHA1

    c95ef97c25606182390722946446f2f02d833923

    SHA256

    c851a481fffee75f3f360ae3f0827f8df9756435fd08ae4e60854573db317067

    SHA512

    02250e2205231677194bc37459dc21fea827ea89e2acbae2231e0031a0c535ae434d5773762886b70547e466d3af71c2d4368c3df4e34e9ca7c616a7ddc61197

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP002.TMP\c8416204.exe
    Filesize

    691KB

    MD5

    8538b3c88d840e9739967c70ffd433a3

    SHA1

    e072f6bffa09ebb88d2db47b23d98c5d85332926

    SHA256

    8fdd24124ab1156cf0f5b475254cb1405acb713249ba8b770e3e218c515db5b6

    SHA512

    efcc66e144067f4a54e92b6fe1d050ee8de4101d984d94e92c562f525d39850042e78d054b80fdf8299eb342bf4a5863b1cd9efc460aeea870845597692972e9

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP002.TMP\c8416204.exe
    Filesize

    691KB

    MD5

    8538b3c88d840e9739967c70ffd433a3

    SHA1

    e072f6bffa09ebb88d2db47b23d98c5d85332926

    SHA256

    8fdd24124ab1156cf0f5b475254cb1405acb713249ba8b770e3e218c515db5b6

    SHA512

    efcc66e144067f4a54e92b6fe1d050ee8de4101d984d94e92c562f525d39850042e78d054b80fdf8299eb342bf4a5863b1cd9efc460aeea870845597692972e9

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP002.TMP\c8416204.exe
    Filesize

    691KB

    MD5

    8538b3c88d840e9739967c70ffd433a3

    SHA1

    e072f6bffa09ebb88d2db47b23d98c5d85332926

    SHA256

    8fdd24124ab1156cf0f5b475254cb1405acb713249ba8b770e3e218c515db5b6

    SHA512

    efcc66e144067f4a54e92b6fe1d050ee8de4101d984d94e92c562f525d39850042e78d054b80fdf8299eb342bf4a5863b1cd9efc460aeea870845597692972e9

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP002.TMP\v4825974.exe
    Filesize

    619KB

    MD5

    e13583e7ee42802adbeec105f49fce0c

    SHA1

    c4c756c6d8f337db93bf24230dc40e443155ba29

    SHA256

    6d2beed5cea3792f6114184da5355d0d9f4e8ae72a1eebb169d57e2f3ee10fec

    SHA512

    ad5d7df026cc83e4c7cd31783a8a32612ff7e2f6330f5184aba6576b5f1d8b13ca1a955483e40aee3fb04d41d78b0e57a408f17e8eb7bb3e0ed150136c23f76e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP002.TMP\v4825974.exe
    Filesize

    619KB

    MD5

    e13583e7ee42802adbeec105f49fce0c

    SHA1

    c4c756c6d8f337db93bf24230dc40e443155ba29

    SHA256

    6d2beed5cea3792f6114184da5355d0d9f4e8ae72a1eebb169d57e2f3ee10fec

    SHA512

    ad5d7df026cc83e4c7cd31783a8a32612ff7e2f6330f5184aba6576b5f1d8b13ca1a955483e40aee3fb04d41d78b0e57a408f17e8eb7bb3e0ed150136c23f76e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP003.TMP\a4278579.exe
    Filesize

    530KB

    MD5

    f7fd74cf9422244d88d0f989eab1bd5a

    SHA1

    3dea8ab8e08324c952a30dc0973e07556c73bcdd

    SHA256

    5e9c2e2a27311859ff0200fb786743589b04c5db27ce9696c32f01091f94deee

    SHA512

    0ff7e267e2e7940fb92d6f20f6aa1a05ccf33ecb2b975ab52db0c96ea0e1a4c3eab67562da3a70107ee3ed390559fd1a274f3c2db7531ed92be2934b1041dcc8

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP003.TMP\a4278579.exe
    Filesize

    530KB

    MD5

    f7fd74cf9422244d88d0f989eab1bd5a

    SHA1

    3dea8ab8e08324c952a30dc0973e07556c73bcdd

    SHA256

    5e9c2e2a27311859ff0200fb786743589b04c5db27ce9696c32f01091f94deee

    SHA512

    0ff7e267e2e7940fb92d6f20f6aa1a05ccf33ecb2b975ab52db0c96ea0e1a4c3eab67562da3a70107ee3ed390559fd1a274f3c2db7531ed92be2934b1041dcc8

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP003.TMP\a4278579.exe
    Filesize

    530KB

    MD5

    f7fd74cf9422244d88d0f989eab1bd5a

    SHA1

    3dea8ab8e08324c952a30dc0973e07556c73bcdd

    SHA256

    5e9c2e2a27311859ff0200fb786743589b04c5db27ce9696c32f01091f94deee

    SHA512

    0ff7e267e2e7940fb92d6f20f6aa1a05ccf33ecb2b975ab52db0c96ea0e1a4c3eab67562da3a70107ee3ed390559fd1a274f3c2db7531ed92be2934b1041dcc8

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP003.TMP\b5934250.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • memory/1348-106-0x0000000001050000-0x000000000105A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1804-116-0x0000000000270000-0x00000000002A0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1804-120-0x0000000001E40000-0x0000000001E46000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1804-121-0x0000000004990000-0x00000000049D0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1804-122-0x0000000004990000-0x00000000049D0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2928-97-0x0000000000020000-0x000000000002A000-memory.dmp

    Filesize

    40KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.