Overview

overview

10

Static

static

3

x9650930.exe

windows7-x64

10

x9650930.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2023 17:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    x9650930.exe

  • Size

    749KB

  • MD5

    aa36b2a1ea43fb2ea6c2b59c6a953e19

  • SHA1

    ce51623a197555c66e99ae00553564dbf5eda79e

  • SHA256

    e2fd97d6bb9c399b161df318ef0ba99bdc8750a8d68a3fafd4b5a93007a6a572

  • SHA512

    0491e62222688cfb81e2cdbbffe93fdd2f6fdde83b21a6d8b220160423389c47fa5fd794c334957c17417fb6b78ed8e3b728041f655f91321ec1e537e036d30c

  • SSDEEP

    12288:0Mrey90oPsICI3tYawgC3H0RtI059O+iI717RnvMe1XpkDev:qyEfI9nQXI59O+P7fnUe1X6Dev

Score
10/10
healerredlinepetindropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

petin

C2

77.91.124.82:19071

Attributes
  • auth_value

    f6cf7a48c0291d1ef5a3440429827d6d

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\x9650930.exe
    "C:\Users\Admin\AppData\Local\Temp\x9650930.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2572
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7332066.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7332066.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:5112
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8410471.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8410471.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4632
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6681924.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6681924.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4140
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4600
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h8948845.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h8948845.exe
          4⤵
          • Executes dropped EXE
          PID:2552
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:672

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7332066.exe
    Filesize

    483KB

    MD5

    590bc1d426c3b912f2d3bb456fca7a19

    SHA1

    8083e25137d2d376296008ac0dd58f0169924069

    SHA256

    961462a7bb55c2a744336e74b2d162db5b015f63af1e1abb1ec30f728f8a625c

    SHA512

    3fc02fcab8efee363f3dd0d991d858cf90e346b335817fb40ba69d8d9d83354c0a526724459893a9d593a67bf5ce0083aac0314bdc87bd341cdd8ea28e297885

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7332066.exe
    Filesize

    483KB

    MD5

    590bc1d426c3b912f2d3bb456fca7a19

    SHA1

    8083e25137d2d376296008ac0dd58f0169924069

    SHA256

    961462a7bb55c2a744336e74b2d162db5b015f63af1e1abb1ec30f728f8a625c

    SHA512

    3fc02fcab8efee363f3dd0d991d858cf90e346b335817fb40ba69d8d9d83354c0a526724459893a9d593a67bf5ce0083aac0314bdc87bd341cdd8ea28e297885

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8410471.exe
    Filesize

    317KB

    MD5

    a1c3e93185c8b185479bd1deccc23c7f

    SHA1

    e31128342dc3ceb9b7bd15cb63d29b0d60c10eeb

    SHA256

    39f35257264634ab31ddf5a69d7dec216fc6c55f8ba6356c663513926e6f6910

    SHA512

    5d4a3faaf0bb2dcda164c0b85108666654fb9a32c65b5ef73f61b4311620146d9ae1e4bf214dc880d6730ab3a12f236dda539c2905a199112571743c2c69a686

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8410471.exe
    Filesize

    317KB

    MD5

    a1c3e93185c8b185479bd1deccc23c7f

    SHA1

    e31128342dc3ceb9b7bd15cb63d29b0d60c10eeb

    SHA256

    39f35257264634ab31ddf5a69d7dec216fc6c55f8ba6356c663513926e6f6910

    SHA512

    5d4a3faaf0bb2dcda164c0b85108666654fb9a32c65b5ef73f61b4311620146d9ae1e4bf214dc880d6730ab3a12f236dda539c2905a199112571743c2c69a686

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6681924.exe
    Filesize

    230KB

    MD5

    363623b3523a6ee74d18ac7327807194

    SHA1

    399ea7f42f1b986698af85f23eabfecebf487844

    SHA256

    7402add3f209f2ef905ebac5ae92a8d5f5c14d83bdcf12af268127507fef365c

    SHA512

    ad88f32c5daf82b1696e24b0fec7fa5d3226ce02f0ba2e301821f2cd9e8eb713d45f86f20c30a0b8d4f280b9d523f991471725b7b3f57ac53e17eaf5357acaab

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6681924.exe
    Filesize

    230KB

    MD5

    363623b3523a6ee74d18ac7327807194

    SHA1

    399ea7f42f1b986698af85f23eabfecebf487844

    SHA256

    7402add3f209f2ef905ebac5ae92a8d5f5c14d83bdcf12af268127507fef365c

    SHA512

    ad88f32c5daf82b1696e24b0fec7fa5d3226ce02f0ba2e301821f2cd9e8eb713d45f86f20c30a0b8d4f280b9d523f991471725b7b3f57ac53e17eaf5357acaab

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h8948845.exe
    Filesize

    174KB

    MD5

    bb3d12d155666469b962cad6f5abbed0

    SHA1

    e7e91770ab81ac717dbd349f3f171ac7934fac89

    SHA256

    bf6c1e6363a3f06ac378d6ad279b0065f9336538156e31f367a1798bcd69c97c

    SHA512

    b0fce1e4bf6d72e3031897ff0897fcb086dc00c07b00ade18f4c3770e77532a360a3247f7f7fe45a21ead60627112377185d4b9aeec2deb25c80ecd7d8ad1444

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h8948845.exe
    Filesize

    174KB

    MD5

    bb3d12d155666469b962cad6f5abbed0

    SHA1

    e7e91770ab81ac717dbd349f3f171ac7934fac89

    SHA256

    bf6c1e6363a3f06ac378d6ad279b0065f9336538156e31f367a1798bcd69c97c

    SHA512

    b0fce1e4bf6d72e3031897ff0897fcb086dc00c07b00ade18f4c3770e77532a360a3247f7f7fe45a21ead60627112377185d4b9aeec2deb25c80ecd7d8ad1444

    Download Submit

  • memory/2552-25-0x0000000000840000-0x0000000000870000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2552-31-0x00000000051D0000-0x00000000051E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2552-39-0x0000000005190000-0x00000000051A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2552-35-0x00000000741F0000-0x00000000749A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2552-28-0x0000000002AA0000-0x0000000002AA6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2552-29-0x00000000057C0000-0x0000000005DD8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2552-30-0x00000000052B0000-0x00000000053BA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2552-26-0x00000000741F0000-0x00000000749A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2552-32-0x0000000005190000-0x00000000051A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2552-33-0x0000000005230000-0x000000000526C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2552-34-0x00000000053C0000-0x000000000540C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4600-27-0x00000000741F0000-0x00000000749A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4600-36-0x00000000741F0000-0x00000000749A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4600-38-0x00000000741F0000-0x00000000749A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4600-21-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download