Overview

overview

10

Static

static

3

x7652216.exe

windows7-x64

10

x7652216.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/10/2023, 10:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    x7652216.exe

  • Size

    650KB

  • MD5

    e4930d0402626380a49a84ff8a8b263e

  • SHA1

    a0b45408d1f9f7358605e7c44f809c5c8635fb91

  • SHA256

    bd8b8e72d230aac3d91cad7dd03ebce1c0910c62743c651af955373a76a724d8

  • SHA512

    2064461cfa0e92fbcd82d22cff46d7434c3f19ecf1adb5544560e3edec8d9d29c1889b90e0debb5fb771e8b7262ffc18ced0ff1ba439b41abde41f1e7fa61fdc

  • SSDEEP

    12288:pMrgy903SmNF9AGtXLrrNeFDZ+oEY3SnAXgypsudbcamgd:dyrmHyGtLrpeFZVSGgy/bcamgd

Score
10/10
healerredlinevashadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

vasha

C2

77.91.124.82:19071

Attributes
  • auth_value

    42fc61786274daca54d589b85a2c1954

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\x7652216.exe
    "C:\Users\Admin\AppData\Local\Temp\x7652216.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1120
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2028485.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2028485.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3388
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9158772.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9158772.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1936
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4540
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 156
          4⤵
          • Program crash
          PID:2036
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8768023.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8768023.exe
        3⤵
        • Executes dropped EXE
        PID:3808
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1936 -ip 1936
    1⤵
      PID:1888

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2028485.exe
      Filesize

      465KB

      MD5

      81d2d11c5d134859f6112c984f14c25c

      SHA1

      399c1cb6eef99777d9a7a5edf33d759cd05144e7

      SHA256

      f4282ae1b5c5224f999f4e5e1d5bf25bae5b95999f289ff76014ccc69c5004f9

      SHA512

      92ff065195ffb2ad0e94aeb2dd5ab2cbe04a32672545a48d8e584a5f9b38f7406f0822fc93b4240d10c0c68413cbb5edc036d085cd66c72a233d2dc8b875ade3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2028485.exe
      Filesize

      465KB

      MD5

      81d2d11c5d134859f6112c984f14c25c

      SHA1

      399c1cb6eef99777d9a7a5edf33d759cd05144e7

      SHA256

      f4282ae1b5c5224f999f4e5e1d5bf25bae5b95999f289ff76014ccc69c5004f9

      SHA512

      92ff065195ffb2ad0e94aeb2dd5ab2cbe04a32672545a48d8e584a5f9b38f7406f0822fc93b4240d10c0c68413cbb5edc036d085cd66c72a233d2dc8b875ade3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9158772.exe
      Filesize

      899KB

      MD5

      297df662d819bd3a7cafc846c2d57e93

      SHA1

      2554f1194ec93678fe0c1216ce376deacd4f0cf3

      SHA256

      fa7db054bba0b8f955be25c8f2735e3b443e02243ddb933492a95aa2e6befdda

      SHA512

      a44ee58d3a959170bdcef512e366f73af0c2a7b3a09226811acda16e441a8d465e5db9b27f609b00d97937e96debe610e49b2fdd517efe80bd9d8a3e3e6e2838

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9158772.exe
      Filesize

      899KB

      MD5

      297df662d819bd3a7cafc846c2d57e93

      SHA1

      2554f1194ec93678fe0c1216ce376deacd4f0cf3

      SHA256

      fa7db054bba0b8f955be25c8f2735e3b443e02243ddb933492a95aa2e6befdda

      SHA512

      a44ee58d3a959170bdcef512e366f73af0c2a7b3a09226811acda16e441a8d465e5db9b27f609b00d97937e96debe610e49b2fdd517efe80bd9d8a3e3e6e2838

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8768023.exe
      Filesize

      174KB

      MD5

      b6749d33678dc433c2b940c1c10d2ed6

      SHA1

      24d3e6fcadccf027f194e459d266c8b08db6681f

      SHA256

      5a74bc3572bee60d4efc113a7d3412f7e98a0df1873b1d5458b81fbf93041825

      SHA512

      5d2fd66129c8fc7f546f79913c969c8dcaab569eee0aec54964fe04c4f5d22b9babf70875574c0ee67f869b941681a6f1b6e97e73c512b6e35b5a6bfba8795d7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8768023.exe
      Filesize

      174KB

      MD5

      b6749d33678dc433c2b940c1c10d2ed6

      SHA1

      24d3e6fcadccf027f194e459d266c8b08db6681f

      SHA256

      5a74bc3572bee60d4efc113a7d3412f7e98a0df1873b1d5458b81fbf93041825

      SHA512

      5d2fd66129c8fc7f546f79913c969c8dcaab569eee0aec54964fe04c4f5d22b9babf70875574c0ee67f869b941681a6f1b6e97e73c512b6e35b5a6bfba8795d7

      Download Submit

    • memory/3808-21-0x0000000000FC0000-0x0000000000FF0000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3808-31-0x0000000005C60000-0x0000000005CAC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3808-28-0x0000000005810000-0x0000000005820000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3808-22-0x00000000748B0000-0x0000000075060000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3808-30-0x0000000005AF0000-0x0000000005B2C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3808-32-0x0000000005810000-0x0000000005820000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3808-24-0x0000000001730000-0x0000000001736000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3808-25-0x00000000748B0000-0x0000000075060000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3808-26-0x0000000006040000-0x0000000006658000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3808-27-0x0000000005B50000-0x0000000005C5A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3808-29-0x0000000005A90000-0x0000000005AA2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4540-15-0x00000000748B0000-0x0000000075060000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4540-23-0x00000000748B0000-0x0000000075060000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4540-16-0x00000000748B0000-0x0000000075060000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4540-14-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download