Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-10-2023 17:12

General

  • Target

    695fbc126a2a6a1b3543628e5ca7335d409ec10d19a38e1152e8486b20dfc823.exe

  • Size

    1.3MB

  • MD5

    d0dd87f1a7fcd9dbd3a316e1a690167f

  • SHA1

    bf77f42ccfe9594ece99a40599b600db759e0766

  • SHA256

    695fbc126a2a6a1b3543628e5ca7335d409ec10d19a38e1152e8486b20dfc823

  • SHA512

    6f13aa9870e76f2be012fa0a38153d9ccd1f73602463655859a1ef3979b3b65a3350bfdea4e838be7bf03672f6903ed34cbd5960ba342058ee35ff9020b06072

  • SSDEEP

    24576:N095JjMnm2djVtOrArfiglVDsI20jRgnfTrQ:N09smKjXKIVDsl06fTrQ

Malware Config

Extracted

  • Family
    redline
  • Botnet
    black
  • C2
    77.91.124.82:19071
  • Attributes
    • auth_value
      c5887216cebc5a219113738140bc3047

Signatures

  • Detects Healer, an antivirus disabler dropper 1 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\695fbc126a2a6a1b3543628e5ca7335d409ec10d19a38e1152e8486b20dfc823.exe
    "C:\Users\Admin\AppData\Local\Temp\695fbc126a2a6a1b3543628e5ca7335d409ec10d19a38e1152e8486b20dfc823.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4736
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1604
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8471280.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8471280.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:5112
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5354756.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5354756.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2264
          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1538119.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1538119.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:3816
            • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3933662.exe
              C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3933662.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:3296
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                7⤵
                • Modifies Windows Defender Real-time Protection settings
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3516
            • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2959324.exe
              C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2959324.exe
              6⤵
              • Executes dropped EXE
              PID:1644

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8471280.exe

    Filesize

    767KB

    MD5

    6bb04ebd1f238d9f3de21e8514e29849

    SHA1

    949b27abed974db347a48b3c0685453d72cd56cb

    SHA256

    3e49fe1be803556e0bd8467859df590118c682bc7fac9d0efe1df5c37d864920

    SHA512

    3d47c8a5179ec685da7d136733e6337c5ca0c9cd2a8c43291e839877cde470213f46461b5c797f4f47c2ea3c3d7af590a5c721b5b6fefebb4b628db4f284bd7e

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5354756.exe

    Filesize

    492KB

    MD5

    b18dbfd9418c7ad4f5abc02b6b6dbb0b

    SHA1

    4d5d2c2a76a2235bb65d50217f113e34b0c5f7c2

    SHA256

    70732f96273df0c4fc9b8614f19b10ca231968dceb28d378b3149f29031d3455

    SHA512

    2abdfbb3a10474f39765f7c4754714874845e78cbb9a2d4f666aadbc0fc74621d9e27495944e525a828de3cba3074693e5bf741ff70af1e05e31d3d0bdfb762a

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1538119.exe

    Filesize

    326KB

    MD5

    7bb693af38105685ff4351c9da2511d0

    SHA1

    c53319a611f8b0340d8a5c5ac9b70b72cb38afde

    SHA256

    73b8cd3245ac887ae5fa58cbcaa9249149ee4b83f1b239c12de26285d2b25182

    SHA512

    d5442cda8dba523c033db279ea96164f459873999dc6a93a718de139c323b7a58e7c3766ecf9c7ba6bfd92e685f2e638acd4c9f84941aacbb63765b5cd49cdd5

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3933662.exe

    Filesize

    242KB

    MD5

    2411c69af1fcfc0e3e3b54c0c48886bf

    SHA1

    5ff340978dc9a08d099649073d3e73e5b89bb9d1

    SHA256

    b08ce1fffba9d5f6f61e5269dfa01b61237cf61234ad26d9c29aa3b471b65ba8

    SHA512

    24466931ad6bd9e4b4b4d5901f750746a6c50e048667a8171d9943a8126c23ea971008c448dd5417c21350ae05181889e4f26e9a6b1fec47264df85dd2a7147f

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2959324.exe

    Filesize

    174KB

    MD5

    e1f844f615cf5be9ea04cf80c051efff

    SHA1

    ee651a891d8e9ba3edfd12780a0823f1e8f0a9ca

    SHA256

    9c93d09d0a0f13e5464092d022a8af86fa3520dd42f07cc36d14420b1e8ca2cf

    SHA512

    9fd83f05cbbdc76203d244adf546f26d9bf864df81da899f5713e7a9ffa82e204672eaf9b41f94ac5c886aab91026a8b3dbfbff54b0b734f9f6897929e705f12

  • memory/1604-2-0x0000000000400000-0x000000000050D000-memory.dmp

    Filesize

    1.1MB

  • memory/1604-1-0x0000000000400000-0x000000000050D000-memory.dmp

    Filesize

    1.1MB

  • memory/1604-3-0x0000000000400000-0x000000000050D000-memory.dmp

    Filesize

    1.1MB

  • memory/1604-34-0x0000000000400000-0x000000000050D000-memory.dmp

    Filesize

    1.1MB

  • memory/1604-0-0x0000000000400000-0x000000000050D000-memory.dmp

    Filesize

    1.1MB

  • memory/1644-40-0x0000000002460000-0x0000000002466000-memory.dmp

    Filesize

    24KB

  • memory/1644-47-0x0000000004DE0000-0x0000000004E2C000-memory.dmp

    Filesize

    304KB

  • memory/1644-39-0x0000000074870000-0x0000000075020000-memory.dmp

    Filesize

    7.7MB

  • memory/1644-52-0x0000000002480000-0x0000000002490000-memory.dmp

    Filesize

    64KB

  • memory/1644-48-0x0000000074870000-0x0000000075020000-memory.dmp

    Filesize

    7.7MB

  • memory/1644-42-0x00000000051E0000-0x00000000057F8000-memory.dmp

    Filesize

    6.1MB

  • memory/1644-43-0x0000000004CD0000-0x0000000004DDA000-memory.dmp

    Filesize

    1.0MB

  • memory/1644-45-0x0000000002480000-0x0000000002490000-memory.dmp

    Filesize

    64KB

  • memory/1644-44-0x0000000004C00000-0x0000000004C12000-memory.dmp

    Filesize

    72KB

  • memory/1644-46-0x0000000004C60000-0x0000000004C9C000-memory.dmp

    Filesize

    240KB

  • memory/1644-38-0x0000000000130000-0x0000000000160000-memory.dmp

    Filesize

    192KB

  • memory/3516-33-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/3516-49-0x0000000074870000-0x0000000075020000-memory.dmp

    Filesize

    7.7MB

  • memory/3516-51-0x0000000074870000-0x0000000075020000-memory.dmp

    Filesize

    7.7MB

  • memory/3516-41-0x0000000074870000-0x0000000075020000-memory.dmp

    Filesize

    7.7MB