Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    282s
  • max time network
    296s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    18/09/2023, 01:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    x8777818.exe

  • Size

    314KB

  • MD5

    d94172ba977fc4e1724b8e58192f1b63

  • SHA1

    e3bf21047ab496dfcc96f6ab2160f1efa59c8971

  • SHA256

    ace5cc362b830af83f07f51c8ddaed617c22982d503e0bf9bc4d844f8f5bb2a7

  • SHA512

    7fc2958ee995c9ff3dc14b6fd48b7afd3225c37a6193621ad69c689e3bf5657ae88803d295ff9cf42a1aff9e0d46c0ed43e4750bbffbd09c114e3f5fa2442851

  • SSDEEP

    6144:KUy+bnr+cp0yN90QEYD2c3onfawpuF3CP1Hl27+/kLH1gTOj1j4:8Mroy90KWfB4FS5lm+/8H111c

Score
10/10
healerredlinepetindropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

petin

C2

77.91.124.82:19071

Attributes
  • auth_value

    f6cf7a48c0291d1ef5a3440429827d6d

Signatures

  • Detects Healer an antivirus disabler dropper 5 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\x8777818.exe
    "C:\Users\Admin\AppData\Local\Temp\x8777818.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2812
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g4021041.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g4021041.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1900
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2708
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h0148896.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h0148896.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2760

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g4021041.exe
    Filesize

    229KB

    MD5

    bd3ad5a5f3bdbbcc666960e355ea0ab4

    SHA1

    00319db9ddecfbca5c26206e742b89305c4eb5f7

    SHA256

    28242776c7ccefaf54d1912cea0de80422bb9c33381684b7eab7670c3b0d7f32

    SHA512

    e826591c641e34cfc417e189635069b6bc8a5e3f2ab2c0f02399eaf902a9f2aafd386fe390cef842d7f70f25d43e01349189f1e359207600e2b7b73cf46f2679

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g4021041.exe
    Filesize

    229KB

    MD5

    bd3ad5a5f3bdbbcc666960e355ea0ab4

    SHA1

    00319db9ddecfbca5c26206e742b89305c4eb5f7

    SHA256

    28242776c7ccefaf54d1912cea0de80422bb9c33381684b7eab7670c3b0d7f32

    SHA512

    e826591c641e34cfc417e189635069b6bc8a5e3f2ab2c0f02399eaf902a9f2aafd386fe390cef842d7f70f25d43e01349189f1e359207600e2b7b73cf46f2679

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g4021041.exe
    Filesize

    229KB

    MD5

    bd3ad5a5f3bdbbcc666960e355ea0ab4

    SHA1

    00319db9ddecfbca5c26206e742b89305c4eb5f7

    SHA256

    28242776c7ccefaf54d1912cea0de80422bb9c33381684b7eab7670c3b0d7f32

    SHA512

    e826591c641e34cfc417e189635069b6bc8a5e3f2ab2c0f02399eaf902a9f2aafd386fe390cef842d7f70f25d43e01349189f1e359207600e2b7b73cf46f2679

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h0148896.exe
    Filesize

    174KB

    MD5

    92fafc33e658b62f46008d2d547650de

    SHA1

    4d2a3b7b5ce7ae24131e58d9c37661c0fdf16bef

    SHA256

    ce176f99a1d99eded9b6b2a0efe79a9b23ad0d83c0731041a3ab44f8105e867e

    SHA512

    90b6c3abc327425d3c80c4b29ad0bf2d9f7abb3da898e2988bcdef26e4177b2087ed0b8a290d8833d2bd15ca943fc8a42d92ef71c387a29f3882359bf38ae10a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h0148896.exe
    Filesize

    174KB

    MD5

    92fafc33e658b62f46008d2d547650de

    SHA1

    4d2a3b7b5ce7ae24131e58d9c37661c0fdf16bef

    SHA256

    ce176f99a1d99eded9b6b2a0efe79a9b23ad0d83c0731041a3ab44f8105e867e

    SHA512

    90b6c3abc327425d3c80c4b29ad0bf2d9f7abb3da898e2988bcdef26e4177b2087ed0b8a290d8833d2bd15ca943fc8a42d92ef71c387a29f3882359bf38ae10a

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\g4021041.exe
    Filesize

    229KB

    MD5

    bd3ad5a5f3bdbbcc666960e355ea0ab4

    SHA1

    00319db9ddecfbca5c26206e742b89305c4eb5f7

    SHA256

    28242776c7ccefaf54d1912cea0de80422bb9c33381684b7eab7670c3b0d7f32

    SHA512

    e826591c641e34cfc417e189635069b6bc8a5e3f2ab2c0f02399eaf902a9f2aafd386fe390cef842d7f70f25d43e01349189f1e359207600e2b7b73cf46f2679

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\g4021041.exe
    Filesize

    229KB

    MD5

    bd3ad5a5f3bdbbcc666960e355ea0ab4

    SHA1

    00319db9ddecfbca5c26206e742b89305c4eb5f7

    SHA256

    28242776c7ccefaf54d1912cea0de80422bb9c33381684b7eab7670c3b0d7f32

    SHA512

    e826591c641e34cfc417e189635069b6bc8a5e3f2ab2c0f02399eaf902a9f2aafd386fe390cef842d7f70f25d43e01349189f1e359207600e2b7b73cf46f2679

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\g4021041.exe
    Filesize

    229KB

    MD5

    bd3ad5a5f3bdbbcc666960e355ea0ab4

    SHA1

    00319db9ddecfbca5c26206e742b89305c4eb5f7

    SHA256

    28242776c7ccefaf54d1912cea0de80422bb9c33381684b7eab7670c3b0d7f32

    SHA512

    e826591c641e34cfc417e189635069b6bc8a5e3f2ab2c0f02399eaf902a9f2aafd386fe390cef842d7f70f25d43e01349189f1e359207600e2b7b73cf46f2679

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\h0148896.exe
    Filesize

    174KB

    MD5

    92fafc33e658b62f46008d2d547650de

    SHA1

    4d2a3b7b5ce7ae24131e58d9c37661c0fdf16bef

    SHA256

    ce176f99a1d99eded9b6b2a0efe79a9b23ad0d83c0731041a3ab44f8105e867e

    SHA512

    90b6c3abc327425d3c80c4b29ad0bf2d9f7abb3da898e2988bcdef26e4177b2087ed0b8a290d8833d2bd15ca943fc8a42d92ef71c387a29f3882359bf38ae10a

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\h0148896.exe
    Filesize

    174KB

    MD5

    92fafc33e658b62f46008d2d547650de

    SHA1

    4d2a3b7b5ce7ae24131e58d9c37661c0fdf16bef

    SHA256

    ce176f99a1d99eded9b6b2a0efe79a9b23ad0d83c0731041a3ab44f8105e867e

    SHA512

    90b6c3abc327425d3c80c4b29ad0bf2d9f7abb3da898e2988bcdef26e4177b2087ed0b8a290d8833d2bd15ca943fc8a42d92ef71c387a29f3882359bf38ae10a

    Download Submit

  • memory/2708-13-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2708-18-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2708-20-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2708-22-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2708-17-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2708-15-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2708-14-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2708-16-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2760-29-0x0000000001000000-0x0000000001030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2760-30-0x0000000000490000-0x0000000000496000-memory.dmp

    Filesize

    24KB

    Download