Overview

overview

10

Static

static

3

cf6809e9e8...ae.exe

windows7-x64

10

cf6809e9e8...ae.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/07/2023, 07:37

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    cf6809e9e8bb20cf3fac50872e8f28ae.exe

  • Size

    389KB

  • MD5

    cf6809e9e8bb20cf3fac50872e8f28ae

  • SHA1

    601dd183283b57368370eba9d3b5c20b9bf410e5

  • SHA256

    132b4ea4fb442c501afaecf9c88242e2d2bd3cfca6cceb2fb3b4f610dbd1eecd

  • SHA512

    6fcc1b9b2251bc56fb32e77b269056d086cbb0eb89211044380147f6bf1b2be2ea2913dcc13a598fe7da3de1cf73568649affdd4cf4a04575ecee5afbd9db843

  • SSDEEP

    6144:K8y+bnr+zp0yN90QE7LetLJSRHf6baT5E5CXF2l8Iue3XvC6JpEBUUyYweE/0X:gMrjy90A/05xXF4TuAxEqDYweP

Score
10/10
healerredlinenasadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf6809e9e8bb20cf3fac50872e8f28ae.exe
    "C:\Users\Admin\AppData\Local\Temp\cf6809e9e8bb20cf3fac50872e8f28ae.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:752
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5645134.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5645134.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4452
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6678684.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6678684.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3372
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3658126.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3658126.exe
        3⤵
        • Executes dropped EXE
        PID:2200
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:4952

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5645134.exe
          Filesize

          206KB

          MD5

          7dd916ad4ab4cae01954aa53d4ec9233

          SHA1

          1ba48ec474e1f117f4286274210f6e20eb7369fb

          SHA256

          0bf8d9a97ad152ffd2d7a55127ce421f8f24a802a890988abe678d18413bc320

          SHA512

          925e017e31db29c5f85e197affff40dc1d7590960f14c6996609fe56d1fbbbce4d9d088292c6ab5b24d303bccc31ba9ed291f035f331911f9f921387c1fc5090

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5645134.exe
          Filesize

          206KB

          MD5

          7dd916ad4ab4cae01954aa53d4ec9233

          SHA1

          1ba48ec474e1f117f4286274210f6e20eb7369fb

          SHA256

          0bf8d9a97ad152ffd2d7a55127ce421f8f24a802a890988abe678d18413bc320

          SHA512

          925e017e31db29c5f85e197affff40dc1d7590960f14c6996609fe56d1fbbbce4d9d088292c6ab5b24d303bccc31ba9ed291f035f331911f9f921387c1fc5090

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6678684.exe
          Filesize

          14KB

          MD5

          028e47da14603ca389815a46a9839026

          SHA1

          78061b0ea92b65af956577752ba0848a412259bd

          SHA256

          cc0f310f6643e7a292fd99a1b22c3c4dc7ecb6cc6dc900f6c16c14dc7775db7b

          SHA512

          89b62bd8646491a309ae97259aaeed9fb0827cf7872ef015da535ba76c355323ff2c6fda97ed9adea794c0a5bd6979cefda94a1139f8d45b5389931362238b8a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6678684.exe
          Filesize

          14KB

          MD5

          028e47da14603ca389815a46a9839026

          SHA1

          78061b0ea92b65af956577752ba0848a412259bd

          SHA256

          cc0f310f6643e7a292fd99a1b22c3c4dc7ecb6cc6dc900f6c16c14dc7775db7b

          SHA512

          89b62bd8646491a309ae97259aaeed9fb0827cf7872ef015da535ba76c355323ff2c6fda97ed9adea794c0a5bd6979cefda94a1139f8d45b5389931362238b8a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3658126.exe
          Filesize

          173KB

          MD5

          6585a9a3be7de6287d7ab54773681a2a

          SHA1

          b69031d640285e96aed455db8cb7153e893cefcf

          SHA256

          4ae5b586eb3adafe8474d1a45c92677a299edf4847d429f3479b65b73a0114f9

          SHA512

          680141bde3df9e994b2c21066ed205f8321a8605e9a2b3906605e8f5b85b28107577b17590ef914d70dc0b1c9df555b5174a90b8d3bf5a5ecc30c4c2b6cb5f33

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3658126.exe
          Filesize

          173KB

          MD5

          6585a9a3be7de6287d7ab54773681a2a

          SHA1

          b69031d640285e96aed455db8cb7153e893cefcf

          SHA256

          4ae5b586eb3adafe8474d1a45c92677a299edf4847d429f3479b65b73a0114f9

          SHA512

          680141bde3df9e994b2c21066ed205f8321a8605e9a2b3906605e8f5b85b28107577b17590ef914d70dc0b1c9df555b5174a90b8d3bf5a5ecc30c4c2b6cb5f33

          Download Submit

        • memory/2200-157-0x0000000005940000-0x0000000005A4A000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/2200-155-0x0000000074B00000-0x00000000752B0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2200-154-0x0000000000F00000-0x0000000000F30000-memory.dmp

          Filesize

          192KB

          Download

        • memory/2200-156-0x0000000005E50000-0x0000000006468000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/2200-158-0x00000000056E0000-0x00000000056F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2200-159-0x0000000005880000-0x0000000005892000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2200-160-0x00000000058E0000-0x000000000591C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/2200-161-0x0000000074B00000-0x00000000752B0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2200-162-0x00000000056E0000-0x00000000056F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3372-150-0x00007FF825000000-0x00007FF825AC1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3372-148-0x00007FF825000000-0x00007FF825AC1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3372-147-0x0000000000D70000-0x0000000000D7A000-memory.dmp

          Filesize

          40KB

          Download