Analysis

  • max time kernel
    131s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-10-2023 05:03

General

  • Target

    5c136368bf616d730e04cfd782541a51e2829d979d7172d7ba8460905636de05.exe

  • Size

    1.2MB

  • MD5

    9a1a2765083eca5ad84b55cc69c3c5f2

  • SHA1

    923e7e88c35f82d3d3f816f751f60ff24678d77e

  • SHA256

    5c136368bf616d730e04cfd782541a51e2829d979d7172d7ba8460905636de05

  • SHA512

    3368d5396574ef5e6141e392fde091e6f4e17f85cbb3534b1dafee1a88b7532cc1171382816a498580767673b19b4f052928dd6fa17092bc6545bcb0836b7a11

  • SSDEEP

    24576:s9q+VIeKGaDNLcB9oHcxdgny6Qvid+flk5n+h7Og5TmU/lLkJABp723wG:gq+VIejYBcB94yXiQlE+hiCT9l4GXNG

Malware Config

Extracted

Family

redline

Botnet

petin

C2

77.91.124.82:19071

Attributes
  • auth_value

    f6cf7a48c0291d1ef5a3440429827d6d

Signatures

  • Detects Healer, an antivirus disabler dropper 5 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 11 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c136368bf616d730e04cfd782541a51e2829d979d7172d7ba8460905636de05.exe
    "C:\Users\Admin\AppData\Local\Temp\5c136368bf616d730e04cfd782541a51e2829d979d7172d7ba8460905636de05.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2260
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5535877.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5535877.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2008
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3996460.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3996460.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2736
          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1603686.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1603686.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:2780
            • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6580631.exe
              C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6580631.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:2792
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                7⤵
                • Modifies Windows Defender Real-time Protection settings
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2508
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                7⤵
                PID:2512
              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2122824.exe
                C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2122824.exe
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                PID:3004
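
    The tree above carries two patterns worth turning into a check rather than reading by eye: an unsigned executable in %TEMP% that uses SetThreadContext and WriteProcessMemory and then spawns AppLaunch.exe (the Microsoft .NET host) with no arguments, which is the process-hollowing shape seen at PID 2260 → 1992 and again at 2792 → 2508/2512, and a chain of droppers each executing from a nested IXP###.TMP directory (IXP000 through IXP003) before the Defender-tampering payload runs inside the hollowed host. The Python below is an added example, not part of the sandbox report: it transcribes the tree into records and applies those checks. The behaviour tags and PIDs are the report's own; the record layout, function names and the IXP###.TMP regex are this example's assumptions.

```python
"""Triage helpers over the sandbox process tree above.

Added example, not part of the original report. Each record is transcribed
from the tree: pid, parent pid, image path, and the behaviour tags the sandbox
attached to that process (tag wording is the report's own).
"""
import ntpath
import re
from collections import defaultdict

ROOT = (r"C:\Users\Admin\AppData\Local\Temp"
        r"\5c136368bf616d730e04cfd782541a51e2829d979d7172d7ba8460905636de05.exe")
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
STAGE_TAGS = {"Executes dropped EXE", "Loads dropped DLL", "Adds Run key", "WriteProcessMemory"}

# Constructed from the report's process tree (record layout is an assumption).
PROCESSES = [
    {"pid": 2260, "ppid": None, "image": ROOT,
     "tags": {"SetThreadContext", "WriteProcessMemory"}},
    {"pid": 1992, "ppid": 2260, "image": APPLAUNCH,
     "tags": {"Loads dropped DLL", "Adds Run key", "WriteProcessMemory"}},
    {"pid": 2008, "ppid": 1992, "image": TMP + r"\IXP000.TMP\x5535877.exe", "tags": set(STAGE_TAGS)},
    {"pid": 2736, "ppid": 2008, "image": TMP + r"\IXP001.TMP\x3996460.exe", "tags": set(STAGE_TAGS)},
    {"pid": 2780, "ppid": 2736, "image": TMP + r"\IXP002.TMP\x1603686.exe", "tags": set(STAGE_TAGS)},
    {"pid": 2792, "ppid": 2780, "image": TMP + r"\IXP003.TMP\g6580631.exe",
     "tags": {"Executes dropped EXE", "Loads dropped DLL", "SetThreadContext", "WriteProcessMemory"}},
    {"pid": 2508, "ppid": 2792, "image": APPLAUNCH,
     "tags": {"Modifies Windows Defender Real-time Protection settings",
              "EnumeratesProcesses", "AdjustPrivilegeToken"}},
    {"pid": 2512, "ppid": 2792, "image": APPLAUNCH, "tags": set()},
    {"pid": 3004, "ppid": 2780, "image": TMP + r"\IXP003.TMP\h2122824.exe",
     "tags": {"Executes dropped EXE", "Loads dropped DLL"}},
]

# Matches the self-extracting-cabinet staging directories the tree shows (assumed pattern).
IXP_DIR = re.compile(r"\\IXP\d{3}\.TMP\\", re.IGNORECASE)


def _children(processes):
    kids = defaultdict(list)
    for p in processes:
        kids[p["ppid"]].append(p)
    return kids


def hollowing_candidates(processes):
    """(parent, child) pairs where a parent that both rewrote another process's
    memory and reset a thread context spawned AppLaunch.exe. The check is on the
    parent's actions, not the child's: PID 2512 shows no tags of its own."""
    kids = _children(processes)
    out = []
    for parent in processes:
        if {"SetThreadContext", "WriteProcessMemory"} <= parent["tags"]:
            for child in kids[parent["pid"]]:
                if ntpath.basename(child["image"]).lower() == "applaunch.exe":
                    out.append((parent["pid"], child["pid"]))
    return out


def dropper_chain(processes, root_pid):
    """PIDs, in tree order, of every descendant of root_pid that executes from
    an IXP###.TMP directory."""
    kids = _children(processes)
    found = []

    def walk(pid):
        for child in kids[pid]:
            if IXP_DIR.search(child["image"]):
                found.append(child["pid"])
            walk(child["pid"])

    walk(root_pid)
    return found


def stages(processes, root_pid):
    """Distinct IXP###.TMP directories in the chain, i.e. the unpacking depth."""
    by_pid = {p["pid"]: p for p in processes}
    return sorted({IXP_DIR.search(by_pid[pid]["image"]).group(0).strip("\\").upper()
                   for pid in dropper_chain(processes, root_pid)})


def tampering_in_trusted_host(processes):
    """AppLaunch.exe instances that touched Defender real-time protection
    settings: the payload acting from inside the hollowed host."""
    return [p["pid"] for p in processes
            if ntpath.basename(p["image"]).lower() == "applaunch.exe"
            and "Modifies Windows Defender Real-time Protection settings" in p["tags"]]


def persistence(processes):
    """PIDs that wrote a Run key."""
    return [p["pid"] for p in processes if "Adds Run key" in p["tags"]]


if __name__ == "__main__":
    print("hollowing candidates:", hollowing_candidates(PROCESSES))
    print("dropper chain:", dropper_chain(PROCESSES, 2260))
    print("stages:", stages(PROCESSES, 2260))
    print("Defender tampering in host:", tampering_in_trusted_host(PROCESSES))
    print("Run-key writers:", persistence(PROCESSES))
```

    The hollowing check deliberately keys on the parent's SetThreadContext plus WriteProcessMemory rather than on the child's tags, because a hollowed AppLaunch.exe can look entirely clean (PID 2512 here carries no signatures) while still being the injected payload; the same logic applies to any Microsoft-signed host a stealer picks as a target.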

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5535877.exe

      Filesize

      744KB

      MD5

      e46090ce4b96691fe9d8c14003cefcc3

      SHA1

      f14a794c8881cb4cb43f3f783d94a422661f5368

      SHA256

      0ee85d3a8817690c32477c32d474c1126cc43d85fd137984281dd78f1980fbcc

      SHA512

      d8a039c562f9dfa000feb5639a52c7ba7490374b87c699116e2091c6632e1e5909e76f7b779fa47b216f6d8655487b5cf498cb33ba92902791c592c260457083

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3996460.exe

      Filesize

      480KB

      MD5

      38664e8751da799c4ac206f73a7228ae

      SHA1

      1126bfdbda9095ba8a46faf064c99d46dd371545

      SHA256

      3ad6bddfa30f8b8693d7a267a1c75fd0927fa1ff7f3a3f1cfa580d228618e1ec

      SHA512

      c01213f53186522f264c11c438d7fd46747fe404ba1aec13e8be77a78e7a64fb4152bc52133c5ef18a0f4f2637972b39097767da6b33c6f1d64bb1e55c00aa2e

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1603686.exe

      Filesize

      314KB

      MD5

      a1554687fcebcd6f6df5fb09fe8866a7

      SHA1

      1589fb55b1e57b462d1f27e9c1b585d6dc3458e3

      SHA256

      4b3e3da136425d8b15c2b4df7fd4db20a6fcf099ebdf3a1476c1082ea7312d31

      SHA512

      255cd1be425c1e7f157d3ef1b13259b7e9e6eb373cf37f98eff64a0928f40a95378978366088cbb9d6f45dd866e343a3746e6320b61fe2fbe464438579c34488

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6580631.exe

      Filesize

      229KB

      MD5

      fac59049749bbe3f99294a01485fdc1d

      SHA1

      2a59a025594e6b663e0bfaa1921ab4837b0b0f5b

      SHA256

      93fc547d9e2abb9f2c8508821cb9ca2415bd6f5d62b0c9061c0dad1e0f8358f6

      SHA512

      7a0ce9ac03540e165fb2a8b9a6e8314f700c8fdecc68ecc7814b60b9875f1232450488608f14acc1df835cc1765af234d3187068f74f4a30d4ad25fc38a1fc00

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2122824.exe

      Filesize

      174KB

      MD5

      ce7c76315f535be257bdb9c19765af5c

      SHA1

      f39271b1441f565c3c24af4e7bf0c0a449cfc89a

      SHA256

      a7c9beaaad041fdd50996f7212356156b564ed85d956c496452c8c0913072472

      SHA512

      5409c0216cdf99b7c00b92764903507770ecd21225b0c5de4a89d7f96fc590441cf84fc830c644c462d899cd838b2cfefba3894876245b208d73bd153b90994c

    • \Users\Admin\AppData\Local\Temp\IXP000.TMP\x5535877.exe

      Filesize

      744KB

      MD5

      e46090ce4b96691fe9d8c14003cefcc3

      SHA1

      f14a794c8881cb4cb43f3f783d94a422661f5368

      SHA256

      0ee85d3a8817690c32477c32d474c1126cc43d85fd137984281dd78f1980fbcc

      SHA512

      d8a039c562f9dfa000feb5639a52c7ba7490374b87c699116e2091c6632e1e5909e76f7b779fa47b216f6d8655487b5cf498cb33ba92902791c592c260457083

    • \Users\Admin\AppData\Local\Temp\IXP001.TMP\x3996460.exe

      Filesize

      480KB

      MD5

      38664e8751da799c4ac206f73a7228ae

      SHA1

      1126bfdbda9095ba8a46faf064c99d46dd371545

      SHA256

      3ad6bddfa30f8b8693d7a267a1c75fd0927fa1ff7f3a3f1cfa580d228618e1ec

      SHA512

      c01213f53186522f264c11c438d7fd46747fe404ba1aec13e8be77a78e7a64fb4152bc52133c5ef18a0f4f2637972b39097767da6b33c6f1d64bb1e55c00aa2e

    • \Users\Admin\AppData\Local\Temp\IXP002.TMP\x1603686.exe

      Filesize

      314KB

      MD5

      a1554687fcebcd6f6df5fb09fe8866a7

      SHA1

      1589fb55b1e57b462d1f27e9c1b585d6dc3458e3

      SHA256

      4b3e3da136425d8b15c2b4df7fd4db20a6fcf099ebdf3a1476c1082ea7312d31

      SHA512

      255cd1be425c1e7f157d3ef1b13259b7e9e6eb373cf37f98eff64a0928f40a95378978366088cbb9d6f45dd866e343a3746e6320b61fe2fbe464438579c34488

    • \Users\Admin\AppData\Local\Temp\IXP003.TMP\g6580631.exe

      Filesize

      229KB

      MD5

      fac59049749bbe3f99294a01485fdc1d

      SHA1

      2a59a025594e6b663e0bfaa1921ab4837b0b0f5b

      SHA256

      93fc547d9e2abb9f2c8508821cb9ca2415bd6f5d62b0c9061c0dad1e0f8358f6

      SHA512

      7a0ce9ac03540e165fb2a8b9a6e8314f700c8fdecc68ecc7814b60b9875f1232450488608f14acc1df835cc1765af234d3187068f74f4a30d4ad25fc38a1fc00

    • \Users\Admin\AppData\Local\Temp\IXP003.TMP\h2122824.exe

      Filesize

      174KB

      MD5

      ce7c76315f535be257bdb9c19765af5c

      SHA1

      f39271b1441f565c3c24af4e7bf0c0a449cfc89a

      SHA256

      a7c9beaaad041fdd50996f7212356156b564ed85d956c496452c8c0913072472

      SHA512

      5409c0216cdf99b7c00b92764903507770ecd21225b0c5de4a89d7f96fc590441cf84fc830c644c462d899cd838b2cfefba3894876245b208d73bd153b90994c

    • memory/1992-16-0x0000000000400000-0x0000000000505000-memory.dmp

      Filesize

      1.0MB

    • memory/1992-10-0x0000000000400000-0x0000000000505000-memory.dmp

      Filesize

      1.0MB

    • memory/1992-2-0x0000000000400000-0x0000000000505000-memory.dmp

      Filesize

      1.0MB

    • memory/1992-17-0x0000000000400000-0x0000000000505000-memory.dmp

      Filesize

      1.0MB

    • memory/1992-0-0x0000000000400000-0x0000000000505000-memory.dmp

      Filesize

      1.0MB

    • memory/1992-11-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

      Filesize

      4KB

    • memory/1992-14-0x0000000000400000-0x0000000000505000-memory.dmp

      Filesize

      1.0MB

    • memory/1992-8-0x0000000000400000-0x0000000000505000-memory.dmp

      Filesize

      1.0MB

    • memory/1992-12-0x0000000000400000-0x0000000000505000-memory.dmp

      Filesize

      1.0MB

    • memory/1992-4-0x0000000000400000-0x0000000000505000-memory.dmp

      Filesize

      1.0MB

    • memory/1992-79-0x0000000000400000-0x0000000000505000-memory.dmp

      Filesize

      1.0MB

    • memory/1992-6-0x0000000000400000-0x0000000000505000-memory.dmp

      Filesize

      1.0MB

    • memory/2508-70-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

    • memory/2508-68-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

    • memory/2508-66-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

    • memory/2508-65-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

      Filesize

      4KB

    • memory/2508-63-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

    • memory/2508-62-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

    • memory/2508-61-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

    • memory/2508-64-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

    • memory/3004-77-0x0000000000E50000-0x0000000000E80000-memory.dmp

      Filesize

      192KB

    • memory/3004-78-0x00000000003B0000-0x00000000003B6000-memory.dmp

      Filesize

      24KB