Overview

overview

10

Static

static

3

7106d40d17...JC.exe

windows7-x64

10

7106d40d17...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    172s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2023 15:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb_JC.exe

  • Size

    753KB

  • MD5

    cd477aac77d7453206b9e984a4444fc3

  • SHA1

    c798de0cf5623a3d7b4beb0e8fa98bb6f32e91b9

  • SHA256

    7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb

  • SHA512

    a9ac3f52f11f0d4c439cbbcf99a864928b5fd4713bc867cc28d33655276e8c853310e7b4d28d99d64bab94377f199b35da24e68d11a0b260a099e1fb583764f8

  • SSDEEP

    12288:qMrYy90EqcrEywjFwiKj1PC4/JTc557oUsiB3yPC/oVSnuFlx1GM7Hzj:eyUOiKFC4BTI57oUEkoVcWvnj

Score
10/10
healerredlinedusadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

dusa

C2

83.97.73.127:19045

Attributes
  • auth_value

    ee896466545fedf9de5406175fb82de5

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb_JC.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2832
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9143845.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9143845.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:796
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5457738.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5457738.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4828
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5231148.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5231148.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4952
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:740
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3651390.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3651390.exe
          4⤵
          • Executes dropped EXE
          PID:2032

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9143845.exe
    Filesize

    454KB

    MD5

    6a89839bef7babff13f0294d47999d4d

    SHA1

    2440d22d80ac9182bf20a23b7c941d26ef230bec

    SHA256

    3736edc6b042256963bec450a629d417abc7420e91c6a92c2798779dc9d709fc

    SHA512

    72228db8e23fb2fde2ab30fb55ade211c702f7ebb94f6f09258a1c8757f356208256340790705b5fe6e9a18cb0465f76d58e0435ef337a28724d409b55b241ec

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9143845.exe
    Filesize

    454KB

    MD5

    6a89839bef7babff13f0294d47999d4d

    SHA1

    2440d22d80ac9182bf20a23b7c941d26ef230bec

    SHA256

    3736edc6b042256963bec450a629d417abc7420e91c6a92c2798779dc9d709fc

    SHA512

    72228db8e23fb2fde2ab30fb55ade211c702f7ebb94f6f09258a1c8757f356208256340790705b5fe6e9a18cb0465f76d58e0435ef337a28724d409b55b241ec

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5457738.exe
    Filesize

    282KB

    MD5

    a037743c2a6055e38a8c91b96a57d545

    SHA1

    6257e2ffd34798f5f8d1a3432723dd014d0fe76f

    SHA256

    9c6cbdb70bcb4fea1fad0edf981595ae659bb7b30f185aee6734c2ed1a1e2e27

    SHA512

    b9efdb8164ddd70b941c6b64d280786d27a0be93bb0cea0fc89d40a8393a68352caab34fb735e8b0ff55a522c3a22cfe2a5480463a6cdd2e0fec9a6d22c1e1e4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5457738.exe
    Filesize

    282KB

    MD5

    a037743c2a6055e38a8c91b96a57d545

    SHA1

    6257e2ffd34798f5f8d1a3432723dd014d0fe76f

    SHA256

    9c6cbdb70bcb4fea1fad0edf981595ae659bb7b30f185aee6734c2ed1a1e2e27

    SHA512

    b9efdb8164ddd70b941c6b64d280786d27a0be93bb0cea0fc89d40a8393a68352caab34fb735e8b0ff55a522c3a22cfe2a5480463a6cdd2e0fec9a6d22c1e1e4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5231148.exe
    Filesize

    169KB

    MD5

    57c4bc75f678ff9e333d9554e447766b

    SHA1

    567b479ab59a67fff64ea7be793c55ade1b08137

    SHA256

    e3f1b34eb94e0a77996ada95bda0559de49353a6c54694d96958a4643db47705

    SHA512

    005a5481d4d19c7a2a89d34ba3f84cb99622241b8f1860c12df54652a888caeee6e806bb1c928b7217bbd325cb1f96aabcc7191745fa7c833be723a67c809dde

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5231148.exe
    Filesize

    169KB

    MD5

    57c4bc75f678ff9e333d9554e447766b

    SHA1

    567b479ab59a67fff64ea7be793c55ade1b08137

    SHA256

    e3f1b34eb94e0a77996ada95bda0559de49353a6c54694d96958a4643db47705

    SHA512

    005a5481d4d19c7a2a89d34ba3f84cb99622241b8f1860c12df54652a888caeee6e806bb1c928b7217bbd325cb1f96aabcc7191745fa7c833be723a67c809dde

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3651390.exe
    Filesize

    168KB

    MD5

    08ff3d597c112cef0dacdf77e020d580

    SHA1

    693de4609e08f7626d05c78b848abefa2e83a0df

    SHA256

    c61e7f08640e7270f85e6f526f6f4d9ed9218df37c250d9fd59006ac3a895429

    SHA512

    418c4042d92057fbe2e2fb488632d59f64b4d6f3b50f5be89c35d713f9a4d6712094ef944404752df685cd177fe78376c12e8bd0cb00ac4b47d10c77a0cf4415

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3651390.exe
    Filesize

    168KB

    MD5

    08ff3d597c112cef0dacdf77e020d580

    SHA1

    693de4609e08f7626d05c78b848abefa2e83a0df

    SHA256

    c61e7f08640e7270f85e6f526f6f4d9ed9218df37c250d9fd59006ac3a895429

    SHA512

    418c4042d92057fbe2e2fb488632d59f64b4d6f3b50f5be89c35d713f9a4d6712094ef944404752df685cd177fe78376c12e8bd0cb00ac4b47d10c77a0cf4415

    Download Submit
  • memory/740-23-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/740-45-0x00000000746A0000-0x0000000074E50000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/740-41-0x00000000746A0000-0x0000000074E50000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/740-32-0x00000000746A0000-0x0000000074E50000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2032-33-0x0000000004A10000-0x0000000004A16000-memory.dmp
    Filesize

    24KB

    Download
  • memory/2032-34-0x00000000746A0000-0x0000000074E50000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2032-35-0x0000000005210000-0x0000000005828000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/2032-36-0x0000000004D00000-0x0000000004E0A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/2032-38-0x0000000004AA0000-0x0000000004AB2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2032-37-0x0000000004AE0000-0x0000000004AF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2032-39-0x0000000004C30000-0x0000000004C6C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/2032-40-0x0000000004C70000-0x0000000004CBC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/2032-31-0x00000000000F0000-0x000000000011E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/2032-42-0x00000000746A0000-0x0000000074E50000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2032-43-0x0000000004AE0000-0x0000000004AF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4952-22-0x00000000000A0000-0x00000000001A0000-memory.dmp
    Filesize

    1024KB

    Download