Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    291s
  • max time network
    300s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
  • submitted
    19-09-2023 06:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    x7688341.exe

  • Size

    321KB

  • MD5

    6f9fab527e0ccdc98d58ac716181b3c6

  • SHA1

    851541e69cd89d0ebba22b0a2fdd63f40e6d723b

  • SHA256

    93b183e0975c989bfbe8b579ce5d6e41ea957f4568a83e3ed264b4fc94f2f60b

  • SHA512

    eb084cfb876b129a21a40eef6b3aec4ab7ea6bff8f960f8bf205aa1889c5be8ba9b34e301046c94b16e01a0542408be2114229dea1a316ef7f2d5a74ab5acce7

  • SSDEEP

    6144:K1y+bnr+gp0yN90QEDkYflZhNry2xFCC1YamoCKJUU+EAwWoR6d028bC:TMrwy90eYfvrN0CIeJ7+FxvW2AC

Score
10/10
healerredlineblackdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

black

C2

77.91.124.82:19071

Attributes
  • auth_value

    c5887216cebc5a219113738140bc3047

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\x7688341.exe
    "C:\Users\Admin\AppData\Local\Temp\x7688341.exe"
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g2204807.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g2204807.exe
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4268
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          PID:3392
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4716
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h0745430.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h0745430.exe
        • Executes dropped EXE
        PID:4228

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Modify Registry

    2
    T1112

    Impair Defenses

    1
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g2204807.exe
      Filesize

      236KB

      MD5

      bd7db8b543d1b8d37a380bace855e6f1

      SHA1

      6bb4a5230f3038cfc4414e36175e399df0123568

      SHA256

      85c512fbf6bdc46b301a7fca81c9d0b9c420ba21078befeec31d6061b7c1590b

      SHA512

      bd3d7ddfdefbb677e43fcc87b00f265c9a0cade8aa2f39d40eedb272586e2291c28d085035a3053a214ffb0102c1d6cbd1aa7606fb5c744c6aff3a54f3c6d63f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g2204807.exe
      Filesize

      236KB

      MD5

      bd7db8b543d1b8d37a380bace855e6f1

      SHA1

      6bb4a5230f3038cfc4414e36175e399df0123568

      SHA256

      85c512fbf6bdc46b301a7fca81c9d0b9c420ba21078befeec31d6061b7c1590b

      SHA512

      bd3d7ddfdefbb677e43fcc87b00f265c9a0cade8aa2f39d40eedb272586e2291c28d085035a3053a214ffb0102c1d6cbd1aa7606fb5c744c6aff3a54f3c6d63f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h0745430.exe
      Filesize

      174KB

      MD5

      b0b411456035583fa1873d9e27c80b3f

      SHA1

      b8a0d5d8022911b28ae6caeb0470e1c2f3a8ddc0

      SHA256

      b66a9b7940002fda2d1a3ef446c4732574d7fecf46b05211ec74c4e1b3c6a7db

      SHA512

      e166c14008f836a73bae5be0f49e5f257b73c96878283aad034194d3cfa92783fb9ac478ff86bb6c0fd3f088200c59fdc38b1c6953229737e4f5f555141411ea

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h0745430.exe
      Filesize

      174KB

      MD5

      b0b411456035583fa1873d9e27c80b3f

      SHA1

      b8a0d5d8022911b28ae6caeb0470e1c2f3a8ddc0

      SHA256

      b66a9b7940002fda2d1a3ef446c4732574d7fecf46b05211ec74c4e1b3c6a7db

      SHA512

      e166c14008f836a73bae5be0f49e5f257b73c96878283aad034194d3cfa92783fb9ac478ff86bb6c0fd3f088200c59fdc38b1c6953229737e4f5f555141411ea

      Download Submit
    • memory/4228-17-0x0000000002650000-0x0000000002656000-memory.dmp
      Filesize

      24KB

      Download
    • memory/4228-14-0x0000000000390000-0x00000000003C0000-memory.dmp
      Filesize

      192KB

      Download
    • memory/4228-16-0x0000000072EF0000-0x00000000735DE000-memory.dmp
      Filesize

      6MB

      Download
    • memory/4228-18-0x000000000A6C0000-0x000000000ACC6000-memory.dmp
      Filesize

      6MB

      Download
    • memory/4228-19-0x000000000A1C0000-0x000000000A2CA000-memory.dmp
      Filesize

      1MB

      Download
    • memory/4228-20-0x000000000A0D0000-0x000000000A0E2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4228-23-0x000000000A130000-0x000000000A16E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4228-26-0x000000000A2D0000-0x000000000A31B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/4228-32-0x0000000072EF0000-0x00000000735DE000-memory.dmp
      Filesize

      6MB

      Download
    • memory/4716-15-0x0000000072EF0000-0x00000000735DE000-memory.dmp
      Filesize

      6MB

      Download
    • memory/4716-7-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4716-31-0x0000000072EF0000-0x00000000735DE000-memory.dmp
      Filesize

      6MB

      Download
    • memory/4716-47-0x0000000072EF0000-0x00000000735DE000-memory.dmp
      Filesize

      6MB

      Download