Overview

overview

10

Static

static

3

15710c203f...ad.exe

windows7-x64

10

15710c203f...ad.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-07-2023 07:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    15710c203f130f4a93b60acb6f086cad.exe

  • Size

    919KB

  • MD5

    15710c203f130f4a93b60acb6f086cad

  • SHA1

    0f5b53544cbb5983dc7e6767d1c2685c88196983

  • SHA256

    c3b477707f7f72c4d00ae1a27a116b67737b686c7d3cdb5f853589e7deebf75c

  • SHA512

    65b0bd28f1f148eb4df1031336275ddcf77a80e2620304bf2e67152b36caec720eae074d33718c7b7b5768446f2e8986a54dd6b0f9e14afa7d6091126d1a164a

  • SSDEEP

    24576:nytJ32CAhkwuPIgEVUTsbhdfJzqOqai74Hb:yr32xexnAv1Ti

Score
10/10
healerredlinelampdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\15710c203f130f4a93b60acb6f086cad.exe
    "C:\Users\Admin\AppData\Local\Temp\15710c203f130f4a93b60acb6f086cad.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3924
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1084034.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1084034.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4084
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7744913.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7744913.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1272
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2395154.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2395154.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4492
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3010697.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3010697.exe
          4⤵
          • Executes dropped EXE
          PID:4224

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1084034.exe
    Filesize

    764KB

    MD5

    31694c9957cb39c7bddf4e7061453171

    SHA1

    44ecaee95fc1db0c15b2a13506079456eabc6da2

    SHA256

    da490e125508e80c40818dae6ac540467eac6a42e3f1ac89ac0e822f049b2dcb

    SHA512

    b3e817e0aa0a15611184996d11ee178f74eaf7aeb6f0d3c84b6099f58d40456c6b99e39ff6d9f884a4d219fcb436c6ae1a834ce34b71d6ae20c45297facea818

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1084034.exe
    Filesize

    764KB

    MD5

    31694c9957cb39c7bddf4e7061453171

    SHA1

    44ecaee95fc1db0c15b2a13506079456eabc6da2

    SHA256

    da490e125508e80c40818dae6ac540467eac6a42e3f1ac89ac0e822f049b2dcb

    SHA512

    b3e817e0aa0a15611184996d11ee178f74eaf7aeb6f0d3c84b6099f58d40456c6b99e39ff6d9f884a4d219fcb436c6ae1a834ce34b71d6ae20c45297facea818

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7744913.exe
    Filesize

    580KB

    MD5

    a6efc9ddfe3fa7231aa75dde4b62235e

    SHA1

    f1bbff60f10a12890258a8282a0589289fdf8b0d

    SHA256

    89e1873906960a4d76729d7e6a90b36a5349fb7caad6cb7278023f4cd0e77dc2

    SHA512

    0ed350cedd3e10b8d5053cb21c6d6ade57e0090f1643fb65ab2f5c661506187587bcb7a4c6c472dad57625784e5487a94d7f77906905afdd28c11f5fcacc6764

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7744913.exe
    Filesize

    580KB

    MD5

    a6efc9ddfe3fa7231aa75dde4b62235e

    SHA1

    f1bbff60f10a12890258a8282a0589289fdf8b0d

    SHA256

    89e1873906960a4d76729d7e6a90b36a5349fb7caad6cb7278023f4cd0e77dc2

    SHA512

    0ed350cedd3e10b8d5053cb21c6d6ade57e0090f1643fb65ab2f5c661506187587bcb7a4c6c472dad57625784e5487a94d7f77906905afdd28c11f5fcacc6764

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2395154.exe
    Filesize

    295KB

    MD5

    b182bd82d257cbad31f3174b8d656606

    SHA1

    71fa6e0db8da1b6fc62fdd7565cd705b5dce9990

    SHA256

    519c4d6a87809567c9ae3829952dec10a6ebefb7780c07b97dea17076468c53b

    SHA512

    8102f2f855da51e4b388f0f19eab6e4d181bb610234c6552e77fd0f6c2ac17c90eeb9d1acd0610c930c5df428197b50307cc29fbbb122f555da91ee8ecf8c890

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2395154.exe
    Filesize

    295KB

    MD5

    b182bd82d257cbad31f3174b8d656606

    SHA1

    71fa6e0db8da1b6fc62fdd7565cd705b5dce9990

    SHA256

    519c4d6a87809567c9ae3829952dec10a6ebefb7780c07b97dea17076468c53b

    SHA512

    8102f2f855da51e4b388f0f19eab6e4d181bb610234c6552e77fd0f6c2ac17c90eeb9d1acd0610c930c5df428197b50307cc29fbbb122f555da91ee8ecf8c890

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3010697.exe
    Filesize

    491KB

    MD5

    2520b7b7693db3306433a9654b4723db

    SHA1

    37c3517f1de3fc28c1f81bf734397d72dee87901

    SHA256

    e135b045056084de971f0240c00edc7434965fce03e8d5d8654df52c206b1be6

    SHA512

    be0ddbf68d9792866a0d4d4660650e52a0f9de10dd5c022f0cad61c2ea38db93170d300e6a41c0c6e9cfcdbd602987f2b962de8b8fdafef27c9aebe994fabf62

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3010697.exe
    Filesize

    491KB

    MD5

    2520b7b7693db3306433a9654b4723db

    SHA1

    37c3517f1de3fc28c1f81bf734397d72dee87901

    SHA256

    e135b045056084de971f0240c00edc7434965fce03e8d5d8654df52c206b1be6

    SHA512

    be0ddbf68d9792866a0d4d4660650e52a0f9de10dd5c022f0cad61c2ea38db93170d300e6a41c0c6e9cfcdbd602987f2b962de8b8fdafef27c9aebe994fabf62

    Download Submit

  • memory/4224-184-0x0000000005320000-0x0000000005332000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4224-182-0x0000000004B40000-0x0000000005158000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4224-185-0x0000000006CD0000-0x0000000006CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4224-183-0x00000000051F0000-0x00000000052FA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4224-186-0x0000000005340000-0x000000000537C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4224-187-0x0000000073C50000-0x0000000074400000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4224-172-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/4224-171-0x0000000002020000-0x00000000020AC000-memory.dmp

    Filesize

    560KB

    Download

  • memory/4224-188-0x0000000006CD0000-0x0000000006CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4224-179-0x0000000073C50000-0x0000000074400000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4224-180-0x0000000002020000-0x00000000020AC000-memory.dmp

    Filesize

    560KB

    Download

  • memory/4492-154-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/4492-167-0x0000000073C50000-0x0000000074400000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4492-164-0x0000000073C50000-0x0000000074400000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4492-163-0x0000000002300000-0x0000000002301000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4492-162-0x0000000000690000-0x00000000006CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4492-161-0x0000000073C50000-0x0000000074400000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4492-155-0x0000000000690000-0x00000000006CE000-memory.dmp

    Filesize

    248KB

    Download