Overview

overview

10

Static

static

3

x7407766.exe

windows7-x64

10

x7407766.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    185s
  • max time network
    216s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/10/2023, 10:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    x7407766.exe

  • Size

    651KB

  • MD5

    00672371288ace6692655c1466ee9080

  • SHA1

    e71135c985a9f6c0af5e06bd2689733be286e39d

  • SHA256

    3adcea8f6d2f73981a4e747c970e2aec39f7cbbcbe6762e73033bb00f7ec48a4

  • SHA512

    e194221e83097bec50ddcf26cdebbf56440769260bdb3b36d93265b783735fddca36ba43484594b0e063d289d3148bd3476ba881e3c36590078d0cdf730df77d

  • SSDEEP

    12288:ZMrdy90fIb5Lu7aQROboCICicpVhwUaGAQcHxssw9zB3:Ay8+QREVITM0BGBoxE3

Score
10/10
healerredlinebubendropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

buben

C2

77.91.124.82:19071

Attributes
  • auth_value

    c62fa04aa45f5b78f62d2c21fcbefdec

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\x7407766.exe
    "C:\Users\Admin\AppData\Local\Temp\x7407766.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8868581.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8868581.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4216
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9900190.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9900190.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1140
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3256
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 576
          4⤵
          • Program crash
          PID:4920
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8946284.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8946284.exe
        3⤵
        • Executes dropped EXE
        PID:4140
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1140 -ip 1140
    1⤵
      PID:1980

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8868581.exe
      Filesize

      466KB

      MD5

      55f55a751377f41bd455d308e4f213ec

      SHA1

      ab947d9ec9d3b1a79dbc6def4ca4f30bbc0ab972

      SHA256

      592d6e37ad95d2ea99041a035dc4a1ed21a7d2451cd29272511b015664109c29

      SHA512

      a1bf556cc4dfed949be38008f06d6526e97a5ad4447ebfded11dcf02fa10976ffdcab1093812d1779264fc1a28e0d252ada79329733d2e1ca62fa3aed50e253b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8868581.exe
      Filesize

      466KB

      MD5

      55f55a751377f41bd455d308e4f213ec

      SHA1

      ab947d9ec9d3b1a79dbc6def4ca4f30bbc0ab972

      SHA256

      592d6e37ad95d2ea99041a035dc4a1ed21a7d2451cd29272511b015664109c29

      SHA512

      a1bf556cc4dfed949be38008f06d6526e97a5ad4447ebfded11dcf02fa10976ffdcab1093812d1779264fc1a28e0d252ada79329733d2e1ca62fa3aed50e253b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9900190.exe
      Filesize

      899KB

      MD5

      aa9812a5b19266d0cdd6b2c97b479a97

      SHA1

      e48c0d1ff32152a0e6ecdc5cd326beae7436d811

      SHA256

      5eb4c5a55527440dcda0ba44a4a20ff8e5c3b38405ecefb066b279dcbf34f813

      SHA512

      b6427c7fab95c46bf6d749ed71d40335c6e00b5f14f9afce17edb42c40d62acd02296de3194687cc6b6a77e276d5915a6ef6deacbf646bd853ad92535b6df4af

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9900190.exe
      Filesize

      899KB

      MD5

      aa9812a5b19266d0cdd6b2c97b479a97

      SHA1

      e48c0d1ff32152a0e6ecdc5cd326beae7436d811

      SHA256

      5eb4c5a55527440dcda0ba44a4a20ff8e5c3b38405ecefb066b279dcbf34f813

      SHA512

      b6427c7fab95c46bf6d749ed71d40335c6e00b5f14f9afce17edb42c40d62acd02296de3194687cc6b6a77e276d5915a6ef6deacbf646bd853ad92535b6df4af

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8946284.exe
      Filesize

      174KB

      MD5

      85c52602579abcafc557dd15d76ed860

      SHA1

      ced3758308d23f9c7b2e9cb24c0dd906d7a4b805

      SHA256

      8cade6e5c239f99df48fb3a1cebf7ffcfa5b9ee61a6b730e105095fc554814c5

      SHA512

      e3baff5d433af02ef4b0037dc708c9711a4ea9c7fd3eb17b64316d8dbafcf8dd74735e8e7c2e24edba6adbd65834720a72676188f5d99788898a94ac1ca990bc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8946284.exe
      Filesize

      174KB

      MD5

      85c52602579abcafc557dd15d76ed860

      SHA1

      ced3758308d23f9c7b2e9cb24c0dd906d7a4b805

      SHA256

      8cade6e5c239f99df48fb3a1cebf7ffcfa5b9ee61a6b730e105095fc554814c5

      SHA512

      e3baff5d433af02ef4b0037dc708c9711a4ea9c7fd3eb17b64316d8dbafcf8dd74735e8e7c2e24edba6adbd65834720a72676188f5d99788898a94ac1ca990bc

      Download Submit

    • memory/3256-14-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3256-15-0x00000000746D0000-0x0000000074E80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3256-16-0x00000000746D0000-0x0000000074E80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3256-18-0x00000000746D0000-0x0000000074E80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4140-22-0x0000000000380000-0x00000000003B0000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4140-23-0x00000000746D0000-0x0000000074E80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4140-24-0x0000000004B60000-0x0000000004B66000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4140-25-0x00000000052D0000-0x00000000058E8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4140-26-0x0000000004DD0000-0x0000000004EDA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4140-27-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4140-28-0x0000000004D10000-0x0000000004D22000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4140-29-0x0000000004D70000-0x0000000004DAC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4140-30-0x0000000004EE0000-0x0000000004F2C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4140-31-0x00000000746D0000-0x0000000074E80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4140-32-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

      Filesize

      64KB

      Download