Overview

overview

10

Static

static

3

JC_e3cc662...ea.exe

windows7-x64

10

JC_e3cc662...ea.exe

windows10-2004-x64

10

Resubmissions

12-02-2024 15:14

240212-smedwaae93 10

18-01-2024 16:04

240118-thz1fsdeh5 10

27-11-2023 17:24

231127-vyp1vsag72 10

27-11-2023 17:23

231127-vykfdaag68 3

07-09-2023 17:34

230907-v5f2jacd3x 10

07-09-2023 17:29

230907-v2xvwacd44 10

Analysis

  • max time kernel
    132s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230831-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-09-2023 17:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe

  • Size

    473KB

  • MD5

    5ae1281ef3fd32f975133cd880be9ba8

  • SHA1

    11f3e8bfb5443fe516ff6922e72ae005e1431e13

  • SHA256

    e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea

  • SHA512

    c7a2df58fc7b97ed642b4671ea2af9573ea9f6e8806c3251703b4d594a24a0463380eafcb7757dc4d732655c5f08d28776cf6d0e5597ea2377463c106de4e587

  • SSDEEP

    12288:zMr0y904pAEvdXQzqmrQAQlMmHeNwwrGfI:XyxTNQzdZanQwwrGfI

Score
10/10
healerredlinemrakdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

mrak

C2

77.91.124.82:19071

Attributes
  • auth_value

    7d9a335ab5dfd42d374867c96fe25302

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p
    1⤵
    • Drops file in System32 directory
    • Checks processor information in registry
    • Enumerates system info in registry
    PID:2236
  • C:\Users\Admin\AppData\Local\Temp\JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe
    "C:\Users\Admin\AppData\Local\Temp\JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1472
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8180539.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8180539.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3404
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8801353.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8801353.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3772
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5140893.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5140893.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4876
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5032787.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5032787.exe
          4⤵
          • Executes dropped EXE
          PID:4048

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8180539.exe
    Filesize

    371KB

    MD5

    77b13a3fd07083ce83966ad88c56783f

    SHA1

    f233315220091a448f740a6ad71cd7b45ecaae92

    SHA256

    5fb312ef2771f6e0870cb919e6cb40ff56b834c69054dd7c5890544a480493b8

    SHA512

    e030b9de4ba08956297af6ea1bf2539641f7960e0ef327ebdda5b7e39ba2171c9b50d028c8db18723ba15e0a8614197d56170fe9e569264bcecc8177861e825e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8180539.exe
    Filesize

    371KB

    MD5

    77b13a3fd07083ce83966ad88c56783f

    SHA1

    f233315220091a448f740a6ad71cd7b45ecaae92

    SHA256

    5fb312ef2771f6e0870cb919e6cb40ff56b834c69054dd7c5890544a480493b8

    SHA512

    e030b9de4ba08956297af6ea1bf2539641f7960e0ef327ebdda5b7e39ba2171c9b50d028c8db18723ba15e0a8614197d56170fe9e569264bcecc8177861e825e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8801353.exe
    Filesize

    206KB

    MD5

    ef4b98983a112ab0cd247faf227bd5e1

    SHA1

    6e117ab856666570dd067008aabe5fcd9f0735ac

    SHA256

    6639b1af65588c7bc5d7dfab64d99a84b64192d9553169a9abdf8c88862b1620

    SHA512

    adce7f277d3920e08bbb390933e626b3659afb2160e9dda88868a6af0728f078756d49b91867eb8b81c2850ef2c56ff914fc09f349d9081aa1ed736e7cfdc221

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8801353.exe
    Filesize

    206KB

    MD5

    ef4b98983a112ab0cd247faf227bd5e1

    SHA1

    6e117ab856666570dd067008aabe5fcd9f0735ac

    SHA256

    6639b1af65588c7bc5d7dfab64d99a84b64192d9553169a9abdf8c88862b1620

    SHA512

    adce7f277d3920e08bbb390933e626b3659afb2160e9dda88868a6af0728f078756d49b91867eb8b81c2850ef2c56ff914fc09f349d9081aa1ed736e7cfdc221

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5140893.exe
    Filesize

    12KB

    MD5

    9403417cabef4a164263a6d85bfddba5

    SHA1

    3c1f1b1c7e911b93933d8c116a6bfd305ce03d18

    SHA256

    7a1985041896a40c9846c64fe801d4e503f9471ab7a3e5ebd5d42ac843c579f9

    SHA512

    f6c6554d43f667592586f46e56274e0934e6b632016c49c2dd11b3214fd088c392532e8bede5fa911984613b7cf79f353151e5940a3c9fa9abd28455d7c65991

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5140893.exe
    Filesize

    12KB

    MD5

    9403417cabef4a164263a6d85bfddba5

    SHA1

    3c1f1b1c7e911b93933d8c116a6bfd305ce03d18

    SHA256

    7a1985041896a40c9846c64fe801d4e503f9471ab7a3e5ebd5d42ac843c579f9

    SHA512

    f6c6554d43f667592586f46e56274e0934e6b632016c49c2dd11b3214fd088c392532e8bede5fa911984613b7cf79f353151e5940a3c9fa9abd28455d7c65991

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5032787.exe
    Filesize

    176KB

    MD5

    486ce910a0924bb56ac5d8d7db61e7c0

    SHA1

    88139cdedbe75eb1441972b4bd5b498c1eb2e38c

    SHA256

    8511b1f1796c6bb4f49377a78b3cc1543f9f7ad0523e91df7cf4f5e6ddcc86b9

    SHA512

    0b277bae0dea7ba4543f32cbc6c084b1f23f47a74d9a01a2a0f3baf4d0ea99b7a7cf7a2a4af7110e0badc39400d0feb3963db1392e2bacefbcb8e2597c98f7e3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5032787.exe
    Filesize

    176KB

    MD5

    486ce910a0924bb56ac5d8d7db61e7c0

    SHA1

    88139cdedbe75eb1441972b4bd5b498c1eb2e38c

    SHA256

    8511b1f1796c6bb4f49377a78b3cc1543f9f7ad0523e91df7cf4f5e6ddcc86b9

    SHA512

    0b277bae0dea7ba4543f32cbc6c084b1f23f47a74d9a01a2a0f3baf4d0ea99b7a7cf7a2a4af7110e0badc39400d0feb3963db1392e2bacefbcb8e2597c98f7e3

    Download Submit

  • memory/4048-35-0x0000000000A20000-0x0000000000A50000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4048-36-0x0000000074070000-0x0000000074820000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4048-37-0x00000000059B0000-0x0000000005FC8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4048-38-0x00000000054A0000-0x00000000055AA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4048-39-0x0000000005380000-0x0000000005390000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4048-40-0x00000000053B0000-0x00000000053C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4048-41-0x0000000005410000-0x000000000544C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4048-42-0x0000000074070000-0x0000000074820000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4048-43-0x0000000005380000-0x0000000005390000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4876-31-0x00007FFA92DB0000-0x00007FFA93871000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4876-29-0x00007FFA92DB0000-0x00007FFA93871000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4876-28-0x00000000000A0000-0x00000000000AA000-memory.dmp

    Filesize

    40KB

    Download