Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    292s
  • max time network
    301s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
  • submitted
    19-09-2023 06:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    x1368633.exe

  • Size

    487KB

  • MD5

    66fc7c0264275bd0d212270b875c36e7

  • SHA1

    9b46dc1c23a4347f203aad5d138c5948918c7b22

  • SHA256

    67984aa804e237aeb7bd79a1441ad49a6e5fc935bf44f324e23b97da314a7331

  • SHA512

    ee46610b5fb07a4e16d152e9631def521192ef09c14d420091c57865a503f7707bff1aa591e410f61aae9d86dd6b9b02612511b80ffc3ddabbeee7ef6a6d64cf

  • SSDEEP

    12288:YMr1y90xn7aNs00TlBbibI7Jb8Fxvi2AJ/lcoh:9ym7acTD+bY8F1i285h

Score
10/10
healerredlineblackdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

black

C2

77.91.124.82:19071

Attributes
  • auth_value

    c5887216cebc5a219113738140bc3047

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\x1368633.exe
    "C:\Users\Admin\AppData\Local\Temp\x1368633.exe"
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1784
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7688341.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7688341.exe
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1552
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2204807.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2204807.exe
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4264
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            PID:4640
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            • Modifies Windows Defender Real-time Protection settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1512
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h0745430.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h0745430.exe
          • Executes dropped EXE
          PID:4472

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Modify Registry

    2
    T1112

    Impair Defenses

    1
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7688341.exe
      Filesize

      321KB

      MD5

      6f9fab527e0ccdc98d58ac716181b3c6

      SHA1

      851541e69cd89d0ebba22b0a2fdd63f40e6d723b

      SHA256

      93b183e0975c989bfbe8b579ce5d6e41ea957f4568a83e3ed264b4fc94f2f60b

      SHA512

      eb084cfb876b129a21a40eef6b3aec4ab7ea6bff8f960f8bf205aa1889c5be8ba9b34e301046c94b16e01a0542408be2114229dea1a316ef7f2d5a74ab5acce7

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7688341.exe
      Filesize

      321KB

      MD5

      6f9fab527e0ccdc98d58ac716181b3c6

      SHA1

      851541e69cd89d0ebba22b0a2fdd63f40e6d723b

      SHA256

      93b183e0975c989bfbe8b579ce5d6e41ea957f4568a83e3ed264b4fc94f2f60b

      SHA512

      eb084cfb876b129a21a40eef6b3aec4ab7ea6bff8f960f8bf205aa1889c5be8ba9b34e301046c94b16e01a0542408be2114229dea1a316ef7f2d5a74ab5acce7

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2204807.exe
      Filesize

      236KB

      MD5

      bd7db8b543d1b8d37a380bace855e6f1

      SHA1

      6bb4a5230f3038cfc4414e36175e399df0123568

      SHA256

      85c512fbf6bdc46b301a7fca81c9d0b9c420ba21078befeec31d6061b7c1590b

      SHA512

      bd3d7ddfdefbb677e43fcc87b00f265c9a0cade8aa2f39d40eedb272586e2291c28d085035a3053a214ffb0102c1d6cbd1aa7606fb5c744c6aff3a54f3c6d63f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2204807.exe
      Filesize

      236KB

      MD5

      bd7db8b543d1b8d37a380bace855e6f1

      SHA1

      6bb4a5230f3038cfc4414e36175e399df0123568

      SHA256

      85c512fbf6bdc46b301a7fca81c9d0b9c420ba21078befeec31d6061b7c1590b

      SHA512

      bd3d7ddfdefbb677e43fcc87b00f265c9a0cade8aa2f39d40eedb272586e2291c28d085035a3053a214ffb0102c1d6cbd1aa7606fb5c744c6aff3a54f3c6d63f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h0745430.exe
      Filesize

      174KB

      MD5

      b0b411456035583fa1873d9e27c80b3f

      SHA1

      b8a0d5d8022911b28ae6caeb0470e1c2f3a8ddc0

      SHA256

      b66a9b7940002fda2d1a3ef446c4732574d7fecf46b05211ec74c4e1b3c6a7db

      SHA512

      e166c14008f836a73bae5be0f49e5f257b73c96878283aad034194d3cfa92783fb9ac478ff86bb6c0fd3f088200c59fdc38b1c6953229737e4f5f555141411ea

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h0745430.exe
      Filesize

      174KB

      MD5

      b0b411456035583fa1873d9e27c80b3f

      SHA1

      b8a0d5d8022911b28ae6caeb0470e1c2f3a8ddc0

      SHA256

      b66a9b7940002fda2d1a3ef446c4732574d7fecf46b05211ec74c4e1b3c6a7db

      SHA512

      e166c14008f836a73bae5be0f49e5f257b73c96878283aad034194d3cfa92783fb9ac478ff86bb6c0fd3f088200c59fdc38b1c6953229737e4f5f555141411ea

      Download Submit
    • memory/1512-22-0x0000000073510000-0x0000000073BFE000-memory.dmp
      Filesize

      6MB

      Download
    • memory/1512-14-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1512-39-0x0000000073510000-0x0000000073BFE000-memory.dmp
      Filesize

      6MB

      Download
    • memory/1512-54-0x0000000073510000-0x0000000073BFE000-memory.dmp
      Filesize

      6MB

      Download
    • memory/4472-21-0x0000000073510000-0x0000000073BFE000-memory.dmp
      Filesize

      6MB

      Download
    • memory/4472-23-0x00000000006E0000-0x0000000000710000-memory.dmp
      Filesize

      192KB

      Download
    • memory/4472-24-0x0000000002A50000-0x0000000002A56000-memory.dmp
      Filesize

      24KB

      Download
    • memory/4472-25-0x000000000AA30000-0x000000000B036000-memory.dmp
      Filesize

      6MB

      Download
    • memory/4472-26-0x000000000A530000-0x000000000A63A000-memory.dmp
      Filesize

      1MB

      Download
    • memory/4472-27-0x000000000A420000-0x000000000A432000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4472-28-0x000000000A480000-0x000000000A4BE000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4472-29-0x000000000A4D0000-0x000000000A51B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/4472-38-0x0000000073510000-0x0000000073BFE000-memory.dmp
      Filesize

      6MB

      Download