Overview

overview

10

Static

static

3

b88e69b980...49.exe

windows7-x64

10

b88e69b980...49.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-08-2023 00:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b88e69b9804b98ce2f0a9645a00ebd69b99c0bf117b8979e9d1a32e104077b49.exe

  • Size

    388KB

  • MD5

    9aa7f97df38d59107c4d0de7a283f9bb

  • SHA1

    8a027943608aa2d758451da41e87a4d04c998710

  • SHA256

    b88e69b9804b98ce2f0a9645a00ebd69b99c0bf117b8979e9d1a32e104077b49

  • SHA512

    86f51b56f2bd9ff0ef0a65bd78a2ffaaca596095190295d94753dde21a6e4a978d60dea84023dd087803075be4df4fe960d3889fee39d0487927afe7b64302c2

  • SSDEEP

    6144:KFy+bnr+1p0yN90QEdbncoa2l3bcpXRrtR5HhJ1LabSBqZjiwdCMKU72N6qNJi:bMrVy90fnTa22pzhL2sQdXKr/N0

Score
10/10
healerredlinenewsdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

news

C2

77.91.68.68:19071

Attributes
  • auth_value

    99ba2ffe8d72ebe9fdc7e758c94db148

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b88e69b9804b98ce2f0a9645a00ebd69b99c0bf117b8979e9d1a32e104077b49.exe
    "C:\Users\Admin\AppData\Local\Temp\b88e69b9804b98ce2f0a9645a00ebd69b99c0bf117b8979e9d1a32e104077b49.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4176
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8046235.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8046235.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2924
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p2530582.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p2530582.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:680
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5627160.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5627160.exe
        3⤵
        • Executes dropped EXE
        PID:1668

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

3
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8046235.exe
    Filesize

    206KB

    MD5

    048da8d068d86912c8462851a9b450f2

    SHA1

    23f6c8123726b592710c699c9470f276fdc304c9

    SHA256

    96368ea6944964e8b275f880bf22475bba86f8c93eda091adfd821a43622fd1e

    SHA512

    23378346580df81c8cf7eddfae6919c4ebf5e1001b95a4be2a1d8e09323a2e7444f1d1af7afad0b9e19a76b423191da77c33f2a4def349644b3ea350df5b5ae4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8046235.exe
    Filesize

    206KB

    MD5

    048da8d068d86912c8462851a9b450f2

    SHA1

    23f6c8123726b592710c699c9470f276fdc304c9

    SHA256

    96368ea6944964e8b275f880bf22475bba86f8c93eda091adfd821a43622fd1e

    SHA512

    23378346580df81c8cf7eddfae6919c4ebf5e1001b95a4be2a1d8e09323a2e7444f1d1af7afad0b9e19a76b423191da77c33f2a4def349644b3ea350df5b5ae4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p2530582.exe
    Filesize

    11KB

    MD5

    17b3fb04536090610b736482c8c32ea4

    SHA1

    73017a5f9c35bbcfa96abb5c2f558c2d64dcb7f2

    SHA256

    7a929bc9b394d96a7960ce3eaa907b619f9b903c473bf6433d4dd6d92681db75

    SHA512

    c17c285595cfb99ae5de9f531f8c4df95aadd66657cc3e6876d1edbf601d99183aeef72821ceba1516b3e1cf6952561c7bd86b2bc05b013415c281fdbf1ae578

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p2530582.exe
    Filesize

    11KB

    MD5

    17b3fb04536090610b736482c8c32ea4

    SHA1

    73017a5f9c35bbcfa96abb5c2f558c2d64dcb7f2

    SHA256

    7a929bc9b394d96a7960ce3eaa907b619f9b903c473bf6433d4dd6d92681db75

    SHA512

    c17c285595cfb99ae5de9f531f8c4df95aadd66657cc3e6876d1edbf601d99183aeef72821ceba1516b3e1cf6952561c7bd86b2bc05b013415c281fdbf1ae578

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5627160.exe
    Filesize

    172KB

    MD5

    5a48eca114512ef71ef758cf2865bcde

    SHA1

    ac0ce137739b85bb0e8228f715b15a93df306104

    SHA256

    759a4de8dfd050ed138a796f03b37ffd893b85fefe652a6487bd086d943f3526

    SHA512

    40beb76ef4497cff9e1836fbd17ed6e8dee709ff51b96ed9ec46d6ff225f3c66201b60d8ebe72668d85598c002a7e68680d9d22ec32e801c4eb92643f1cf62a8

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5627160.exe
    Filesize

    172KB

    MD5

    5a48eca114512ef71ef758cf2865bcde

    SHA1

    ac0ce137739b85bb0e8228f715b15a93df306104

    SHA256

    759a4de8dfd050ed138a796f03b37ffd893b85fefe652a6487bd086d943f3526

    SHA512

    40beb76ef4497cff9e1836fbd17ed6e8dee709ff51b96ed9ec46d6ff225f3c66201b60d8ebe72668d85598c002a7e68680d9d22ec32e801c4eb92643f1cf62a8

    Download Submit
  • memory/680-147-0x0000000000B40000-0x0000000000B4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/680-150-0x00007FF97BA40000-0x00007FF97C501000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/680-148-0x00007FF97BA40000-0x00007FF97C501000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/1668-154-0x00000000001B0000-0x00000000001E0000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1668-155-0x00000000742E0000-0x0000000074A90000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1668-156-0x0000000005280000-0x0000000005898000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/1668-157-0x0000000004D70000-0x0000000004E7A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1668-159-0x0000000004A50000-0x0000000004A60000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1668-158-0x0000000004C80000-0x0000000004C92000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1668-160-0x0000000004CE0000-0x0000000004D1C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1668-161-0x00000000742E0000-0x0000000074A90000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1668-162-0x0000000004A50000-0x0000000004A60000-memory.dmp
    Filesize

    64KB

    Download