Overview

overview

10

Static

static

3

JC_0124537...a9.exe

windows7-x64

10

JC_0124537...a9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230831-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/09/2023, 18:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JC_01245370325c4145cd762616c947c24f361ebfe1bab5e0ab453200cfdbdb7ea9.exe

  • Size

    930KB

  • MD5

    ec91000d1fda6ed794def7eb56edac15

  • SHA1

    61571ebee201e9a2941d08ea42b425f0166db4bf

  • SHA256

    01245370325c4145cd762616c947c24f361ebfe1bab5e0ab453200cfdbdb7ea9

  • SHA512

    38718af9b9bbe1df6dd0430bca6a5d4e2060b0ea69d0d8e99ab94bac93df7ed33f1d7851b93774602bf6b6ccf812dd2618a6e21e7c30cf6c803d6860ed26a20f

  • SSDEEP

    24576:iypBFyq17MiYyIBjrII9lCfN3RoWe4/woVvGIgVA:JpBFyq17xYltrIIzEBoK+

Score
10/10
healerredlinedomkadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

domka

C2

77.91.124.82:19071

Attributes
  • auth_value

    74e19436acac85e44d691aebcc617529

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 7 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    PID:2236
  • C:\Users\Admin\AppData\Local\Temp\JC_01245370325c4145cd762616c947c24f361ebfe1bab5e0ab453200cfdbdb7ea9.exe
    "C:\Users\Admin\AppData\Local\Temp\JC_01245370325c4145cd762616c947c24f361ebfe1bab5e0ab453200cfdbdb7ea9.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2920
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8118158.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8118158.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3724
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5422670.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5422670.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:220
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8707324.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8707324.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:232
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8632476.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8632476.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:4884
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3441478.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3441478.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4536
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6005605.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6005605.exe
              6⤵
              • Executes dropped EXE
              PID:4796
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5408526.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5408526.exe
            5⤵
            • Executes dropped EXE
            PID:2836

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8118158.exe
    Filesize

    825KB

    MD5

    bb3cc3c2a9df7366d52d5f0dbd1ea367

    SHA1

    c14780d11332767ceb3738c1aebc73be41e20b24

    SHA256

    945f90b402af71a65fd502a61413fa63a99b6af4f2375b87b9d5c6ad7016c263

    SHA512

    3c8a77652b5193ae7705cf9a720f5a4aed65fb45f49ed8d2f0cbecde8b71352003279c79d5430dcbeefe7977d9c8468f94180fff04769a519dbba7de410655a7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8118158.exe
    Filesize

    825KB

    MD5

    bb3cc3c2a9df7366d52d5f0dbd1ea367

    SHA1

    c14780d11332767ceb3738c1aebc73be41e20b24

    SHA256

    945f90b402af71a65fd502a61413fa63a99b6af4f2375b87b9d5c6ad7016c263

    SHA512

    3c8a77652b5193ae7705cf9a720f5a4aed65fb45f49ed8d2f0cbecde8b71352003279c79d5430dcbeefe7977d9c8468f94180fff04769a519dbba7de410655a7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5422670.exe
    Filesize

    599KB

    MD5

    d003d82e7ba641747345a107047aebb2

    SHA1

    14280ce520610ad5042600f4bd5c10be783f5c8a

    SHA256

    68b9e533e583bca0a307e93c35d51d72fe2b9a75ec34cf68f481d828bd579e16

    SHA512

    9341fe1f2d4a5b059fdcbb75859eaa56b9be88dc08117b53dbf9c91892db68e7f7717f0728965bc2cce90229622541927283d241bcd8e6ccce4671f11f90fa8f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5422670.exe
    Filesize

    599KB

    MD5

    d003d82e7ba641747345a107047aebb2

    SHA1

    14280ce520610ad5042600f4bd5c10be783f5c8a

    SHA256

    68b9e533e583bca0a307e93c35d51d72fe2b9a75ec34cf68f481d828bd579e16

    SHA512

    9341fe1f2d4a5b059fdcbb75859eaa56b9be88dc08117b53dbf9c91892db68e7f7717f0728965bc2cce90229622541927283d241bcd8e6ccce4671f11f90fa8f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8707324.exe
    Filesize

    373KB

    MD5

    943d6fe5b66eab16ff1f8992aa45bcce

    SHA1

    70c78c814452f740bae77f73ac00b7c26e67810d

    SHA256

    7c37db28c0d9f666d261c105638ca106494daee85ae1194f6ab516b60c5a6c94

    SHA512

    c399603badbe5c80c1dab7e3201d1386e5bd08390e8d466ddb527a8a6793b4a1c9c81d2b1bda1c580839d1e11ff869ead0fe5adc4f1c7e582dfa56d87d2d5590

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8707324.exe
    Filesize

    373KB

    MD5

    943d6fe5b66eab16ff1f8992aa45bcce

    SHA1

    70c78c814452f740bae77f73ac00b7c26e67810d

    SHA256

    7c37db28c0d9f666d261c105638ca106494daee85ae1194f6ab516b60c5a6c94

    SHA512

    c399603badbe5c80c1dab7e3201d1386e5bd08390e8d466ddb527a8a6793b4a1c9c81d2b1bda1c580839d1e11ff869ead0fe5adc4f1c7e582dfa56d87d2d5590

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5408526.exe
    Filesize

    174KB

    MD5

    99824cf19d8846e62e72abc86c467e3b

    SHA1

    4d3d312a9d90188653b4c044e508b494a24dc0d8

    SHA256

    be1013d6a5de3dfb145d877d5e470cbe15fff2e49f1f49fcdcde8cca44e935dd

    SHA512

    7ce284283e2c4ede7c984cd5e6201068e5c8ceb5548eb949aa85f3bb9fb1555189e3a6ad5a4af60b4efc5a6c0a2bcd979e791b933ecac8bea8607d987af08f13

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5408526.exe
    Filesize

    174KB

    MD5

    99824cf19d8846e62e72abc86c467e3b

    SHA1

    4d3d312a9d90188653b4c044e508b494a24dc0d8

    SHA256

    be1013d6a5de3dfb145d877d5e470cbe15fff2e49f1f49fcdcde8cca44e935dd

    SHA512

    7ce284283e2c4ede7c984cd5e6201068e5c8ceb5548eb949aa85f3bb9fb1555189e3a6ad5a4af60b4efc5a6c0a2bcd979e791b933ecac8bea8607d987af08f13

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8632476.exe
    Filesize

    217KB

    MD5

    153fbb3f225c7bc7b49dad57aab8b8cd

    SHA1

    ea9bdf0b74644b3877d0553fec9fcc01cd1c7f53

    SHA256

    f0a21abf4d3bd4e4a5075f02f70fe527c835ded8bbd755fda59225e1c157c462

    SHA512

    c581f35c23dcc733df522359f46daea2a7d0caedcd7f2e968b713d817b5066dfcaf79e23bd017aaba81884f9ae1395d5d56a1140de894e864e73e12e56a86b05

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8632476.exe
    Filesize

    217KB

    MD5

    153fbb3f225c7bc7b49dad57aab8b8cd

    SHA1

    ea9bdf0b74644b3877d0553fec9fcc01cd1c7f53

    SHA256

    f0a21abf4d3bd4e4a5075f02f70fe527c835ded8bbd755fda59225e1c157c462

    SHA512

    c581f35c23dcc733df522359f46daea2a7d0caedcd7f2e968b713d817b5066dfcaf79e23bd017aaba81884f9ae1395d5d56a1140de894e864e73e12e56a86b05

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3441478.exe
    Filesize

    19KB

    MD5

    6f683ae7d9c7ea8e725ab9dfc1a9102b

    SHA1

    6be785c1cb926a3edd55dbee4b2b2512c1472763

    SHA256

    57d277d14b30679bbdf200a24f00a0509d79ffb243d76958457a8c434fb23b44

    SHA512

    1fa350c28d4e5ed0c0dd3c6b7a039fc7880056bf4a41bfade28f0b1b28c014ae567d903309d060588719d70f771071a3cee65851e56e5ada4ac150ba6f0fd3e9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3441478.exe
    Filesize

    19KB

    MD5

    6f683ae7d9c7ea8e725ab9dfc1a9102b

    SHA1

    6be785c1cb926a3edd55dbee4b2b2512c1472763

    SHA256

    57d277d14b30679bbdf200a24f00a0509d79ffb243d76958457a8c434fb23b44

    SHA512

    1fa350c28d4e5ed0c0dd3c6b7a039fc7880056bf4a41bfade28f0b1b28c014ae567d903309d060588719d70f771071a3cee65851e56e5ada4ac150ba6f0fd3e9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6005605.exe
    Filesize

    140KB

    MD5

    a6e2db438d25da1b30ed521f6afd9006

    SHA1

    5003d030b33743a7879bbd25628c7b54e349b230

    SHA256

    638bbb6dc6b9abdc798cd185e84caedb20efca78b4a59af6dab86effefe38804

    SHA512

    8684e6fb448fd8cf9f303ee2a8f2ac24f2e17a58f97feef47ab67cfd045002cb121814f0fc53c0280ea45933c89ce6ef6cc56efd34c410e0b16326806da5a07e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6005605.exe
    Filesize

    140KB

    MD5

    a6e2db438d25da1b30ed521f6afd9006

    SHA1

    5003d030b33743a7879bbd25628c7b54e349b230

    SHA256

    638bbb6dc6b9abdc798cd185e84caedb20efca78b4a59af6dab86effefe38804

    SHA512

    8684e6fb448fd8cf9f303ee2a8f2ac24f2e17a58f97feef47ab67cfd045002cb121814f0fc53c0280ea45933c89ce6ef6cc56efd34c410e0b16326806da5a07e

    Download Submit

  • memory/2836-52-0x0000000074270000-0x0000000074A20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2836-51-0x0000000000500000-0x0000000000530000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2836-53-0x000000000A940000-0x000000000AF58000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2836-54-0x000000000A4B0000-0x000000000A5BA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2836-56-0x000000000A3F0000-0x000000000A402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2836-55-0x0000000004F90000-0x0000000004FA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2836-57-0x000000000A450000-0x000000000A48C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2836-58-0x0000000074270000-0x0000000074A20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2836-59-0x0000000004F90000-0x0000000004FA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4536-44-0x00007FFBEF090000-0x00007FFBEFB51000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4536-36-0x00007FFBEF090000-0x00007FFBEFB51000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4536-35-0x0000000000430000-0x000000000043A000-memory.dmp

    Filesize

    40KB

    Download