Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    290s
  • max time network
    303s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    19-09-2023 06:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    x5182030.exe

  • Size

    326KB

  • MD5

    11924a7c6b34d401fce9a0289a495d90

  • SHA1

    7e07aa42127ad4e83b4db9988d42f36229275c72

  • SHA256

    b610208386aff19bb310792255e5022f47fc360015fde0da73df201153ae013d

  • SHA512

    1d1501b04e60ac2e2ebd31a9ec8d62690f556ad4f7b1e3aa7ca822ac8137dc7ae04f8c06e404798973e487f17930fac08237e6329ae0d860a6d3d27218931fb1

  • SSDEEP

    6144:K7y+bnr+4p0yN90QErBzQZI0aFkyxWAQh17NpZKE+ShX8yd27JALErj7:pMrYy908xahxWTTxq2X8yUJALEL

Score
10/10
healerredlineblackdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

black

C2

77.91.124.82:19071

Attributes
  • auth_value

    c5887216cebc5a219113738140bc3047

Signatures

  • Detects Healer an antivirus disabler dropper 5 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\x5182030.exe
    "C:\Users\Admin\AppData\Local\Temp\x5182030.exe"
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:664
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g6429604.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g6429604.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1740
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        • Modifies Windows Defender Real-time Protection settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1708
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h4643382.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h4643382.exe
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2364

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g6429604.exe
    Filesize

    242KB

    MD5

    8989f700c821326027fe2fe0f49e5377

    SHA1

    42caa5229b3098681604d0ef16959b4bf0bbb4c2

    SHA256

    f083e0adfc6196b5a9eff007132b1bbce34ff64ea672a9aebe64ed0bcf745421

    SHA512

    2405054d42419eacc4e4ee9630e80a146e3a359a22152ad7d49098aac72691b218db1c3085a3d4b5ac604ddc874bc8369719f8e0ad126f6b1c4abdcfcfb2e368

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g6429604.exe
    Filesize

    242KB

    MD5

    8989f700c821326027fe2fe0f49e5377

    SHA1

    42caa5229b3098681604d0ef16959b4bf0bbb4c2

    SHA256

    f083e0adfc6196b5a9eff007132b1bbce34ff64ea672a9aebe64ed0bcf745421

    SHA512

    2405054d42419eacc4e4ee9630e80a146e3a359a22152ad7d49098aac72691b218db1c3085a3d4b5ac604ddc874bc8369719f8e0ad126f6b1c4abdcfcfb2e368

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g6429604.exe
    Filesize

    242KB

    MD5

    8989f700c821326027fe2fe0f49e5377

    SHA1

    42caa5229b3098681604d0ef16959b4bf0bbb4c2

    SHA256

    f083e0adfc6196b5a9eff007132b1bbce34ff64ea672a9aebe64ed0bcf745421

    SHA512

    2405054d42419eacc4e4ee9630e80a146e3a359a22152ad7d49098aac72691b218db1c3085a3d4b5ac604ddc874bc8369719f8e0ad126f6b1c4abdcfcfb2e368

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h4643382.exe
    Filesize

    174KB

    MD5

    1827ae586ad2402dc0adc144a7669594

    SHA1

    7c4c2a6be7c2cb469e0ca47d971957620938edea

    SHA256

    0429a60d41dd59931c21923cfaf7158b5678f26d4cd8b2832ba200487a17ab78

    SHA512

    0d20f12df977497f7959a22a5568bc5b681f2e7caad0c6014f19c5a70d49b1ee56e5bf548a3679ce51618d687c68975565ae13a2e1808ba64329d25d6a13f71e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h4643382.exe
    Filesize

    174KB

    MD5

    1827ae586ad2402dc0adc144a7669594

    SHA1

    7c4c2a6be7c2cb469e0ca47d971957620938edea

    SHA256

    0429a60d41dd59931c21923cfaf7158b5678f26d4cd8b2832ba200487a17ab78

    SHA512

    0d20f12df977497f7959a22a5568bc5b681f2e7caad0c6014f19c5a70d49b1ee56e5bf548a3679ce51618d687c68975565ae13a2e1808ba64329d25d6a13f71e

    Download Submit
  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\g6429604.exe
    Filesize

    242KB

    MD5

    8989f700c821326027fe2fe0f49e5377

    SHA1

    42caa5229b3098681604d0ef16959b4bf0bbb4c2

    SHA256

    f083e0adfc6196b5a9eff007132b1bbce34ff64ea672a9aebe64ed0bcf745421

    SHA512

    2405054d42419eacc4e4ee9630e80a146e3a359a22152ad7d49098aac72691b218db1c3085a3d4b5ac604ddc874bc8369719f8e0ad126f6b1c4abdcfcfb2e368

    Download Submit
  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\g6429604.exe
    Filesize

    242KB

    MD5

    8989f700c821326027fe2fe0f49e5377

    SHA1

    42caa5229b3098681604d0ef16959b4bf0bbb4c2

    SHA256

    f083e0adfc6196b5a9eff007132b1bbce34ff64ea672a9aebe64ed0bcf745421

    SHA512

    2405054d42419eacc4e4ee9630e80a146e3a359a22152ad7d49098aac72691b218db1c3085a3d4b5ac604ddc874bc8369719f8e0ad126f6b1c4abdcfcfb2e368

    Download Submit
  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\g6429604.exe
    Filesize

    242KB

    MD5

    8989f700c821326027fe2fe0f49e5377

    SHA1

    42caa5229b3098681604d0ef16959b4bf0bbb4c2

    SHA256

    f083e0adfc6196b5a9eff007132b1bbce34ff64ea672a9aebe64ed0bcf745421

    SHA512

    2405054d42419eacc4e4ee9630e80a146e3a359a22152ad7d49098aac72691b218db1c3085a3d4b5ac604ddc874bc8369719f8e0ad126f6b1c4abdcfcfb2e368

    Download Submit
  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\h4643382.exe
    Filesize

    174KB

    MD5

    1827ae586ad2402dc0adc144a7669594

    SHA1

    7c4c2a6be7c2cb469e0ca47d971957620938edea

    SHA256

    0429a60d41dd59931c21923cfaf7158b5678f26d4cd8b2832ba200487a17ab78

    SHA512

    0d20f12df977497f7959a22a5568bc5b681f2e7caad0c6014f19c5a70d49b1ee56e5bf548a3679ce51618d687c68975565ae13a2e1808ba64329d25d6a13f71e

    Download Submit
  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\h4643382.exe
    Filesize

    174KB

    MD5

    1827ae586ad2402dc0adc144a7669594

    SHA1

    7c4c2a6be7c2cb469e0ca47d971957620938edea

    SHA256

    0429a60d41dd59931c21923cfaf7158b5678f26d4cd8b2832ba200487a17ab78

    SHA512

    0d20f12df977497f7959a22a5568bc5b681f2e7caad0c6014f19c5a70d49b1ee56e5bf548a3679ce51618d687c68975565ae13a2e1808ba64329d25d6a13f71e

    Download Submit
  • memory/1708-17-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1708-21-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1708-24-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1708-26-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1708-22-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1708-15-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1708-19-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1708-13-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2364-33-0x0000000000150000-0x0000000000180000-memory.dmp
    Filesize

    192KB

    Download
  • memory/2364-34-0x00000000002E0000-0x00000000002E6000-memory.dmp
    Filesize

    24KB

    Download