Overview

overview

10

Static

static

3

2ad1213e95...99.exe

windows7-x64

5

2ad1213e95...99.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-10-2023 21:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2ad1213e958dae604444fc34a6386106abb8837e99e32c808bc226ad710af599.exe

  • Size

    1.2MB

  • MD5

    1b8962bc9a8e8e0afa67fc70a6255c48

  • SHA1

    6d43629096cc2b646dab105358385797f1f5a730

  • SHA256

    2ad1213e958dae604444fc34a6386106abb8837e99e32c808bc226ad710af599

  • SHA512

    c4805b94042d3dddcecc064b3d9d1f810cb0df297afbb7ee26b33e83c64cd48342c984cc0793707baf3b972de5767cf872da7a9f285db2245fd41041316ec50d

  • SSDEEP

    24576:0UvRwbo4a0xFJH67sBCJYLW7XpAy+q32kX9VEcboU3Y2tGnwli7:XvRSoM/JaQBC6W7XilqlZ3Y2tCws7

Score
10/10
healerredlineramondropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

ramon

C2

77.91.124.82:19071

Attributes
  • auth_value

    3197576965d9513f115338c233015b40

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ad1213e958dae604444fc34a6386106abb8837e99e32c808bc226ad710af599.exe
    "C:\Users\Admin\AppData\Local\Temp\2ad1213e958dae604444fc34a6386106abb8837e99e32c808bc226ad710af599.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4228
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:764
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0941529.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0941529.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4472
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8166257.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8166257.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4800
          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0773981.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0773981.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:4124
            • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7084974.exe
              C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7084974.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:2288
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                7⤵
                • Modifies Windows Defender Real-time Protection settings
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:784
            • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2305452.exe
              C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2305452.exe
              6⤵
              • Executes dropped EXE
              PID:948

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0941529.exe
    Filesize

    757KB

    MD5

    04aaf1a31365752cc33544514cb95a2c

    SHA1

    a4f8a57fa75b000c277d128efd79e8e10a16a9a6

    SHA256

    00affaf07c354f0272bd4f0ec157a5d552338a6bea3072a230ab16ce40bd0151

    SHA512

    7217a4956855435f3e3527e9b4afb330bc99931256084d1a67a7e80d3d77848040a625d5287f96e8cd5966de9abc12b54716391e38d7a47ccebed4f8b66659e1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0941529.exe
    Filesize

    757KB

    MD5

    04aaf1a31365752cc33544514cb95a2c

    SHA1

    a4f8a57fa75b000c277d128efd79e8e10a16a9a6

    SHA256

    00affaf07c354f0272bd4f0ec157a5d552338a6bea3072a230ab16ce40bd0151

    SHA512

    7217a4956855435f3e3527e9b4afb330bc99931256084d1a67a7e80d3d77848040a625d5287f96e8cd5966de9abc12b54716391e38d7a47ccebed4f8b66659e1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8166257.exe
    Filesize

    487KB

    MD5

    32cde146b0c7191e77d245a551d23d14

    SHA1

    626a79d08bfef92a49732255c2741589c1ef2598

    SHA256

    c1a7dc7e7516bafc5d6b789f8d82f101bad1b57bab81a887942d76f616b2b89e

    SHA512

    f57dec6fe6aa791c5547f4027981c8855fe53031bfc7e2e0f5458d54d341e51ba089839c61ad7c56803b78825dfed98a7b906d79878837e321e9da77e775f04c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8166257.exe
    Filesize

    487KB

    MD5

    32cde146b0c7191e77d245a551d23d14

    SHA1

    626a79d08bfef92a49732255c2741589c1ef2598

    SHA256

    c1a7dc7e7516bafc5d6b789f8d82f101bad1b57bab81a887942d76f616b2b89e

    SHA512

    f57dec6fe6aa791c5547f4027981c8855fe53031bfc7e2e0f5458d54d341e51ba089839c61ad7c56803b78825dfed98a7b906d79878837e321e9da77e775f04c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0773981.exe
    Filesize

    321KB

    MD5

    eaa69206b62fae9c3824c36c1d2d528a

    SHA1

    998f16e459b1bc97537183c88b841c23e21ad022

    SHA256

    4608e2ce7cf4ac63cc4269d615c823e9b7b09b1ca2b2acfb92d0bb62ff853c71

    SHA512

    ad70a89c127025453288ac75813bc922103f1b6d572d53c0004b9e24023151beef464e2cdd06a6c6cfe18a2aa64662511ab684e442863327d31df82af2a5269d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0773981.exe
    Filesize

    321KB

    MD5

    eaa69206b62fae9c3824c36c1d2d528a

    SHA1

    998f16e459b1bc97537183c88b841c23e21ad022

    SHA256

    4608e2ce7cf4ac63cc4269d615c823e9b7b09b1ca2b2acfb92d0bb62ff853c71

    SHA512

    ad70a89c127025453288ac75813bc922103f1b6d572d53c0004b9e24023151beef464e2cdd06a6c6cfe18a2aa64662511ab684e442863327d31df82af2a5269d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7084974.exe
    Filesize

    243KB

    MD5

    938832372408a924cfe022f6a5dacfab

    SHA1

    241dad860fcf7ff18e369d549883c539d8c0bb72

    SHA256

    fba97566d7a756b884488f3e446cf1c568b321ffb4ac5455cfb5de32809a0623

    SHA512

    a09e552099bd57d9d0999729d30d0546b9947b6367a441aff32e8fe28045384c1006c0228c6b017561cc72a167330c79fcc490ac975a457fc26f58c39d1a1ba5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7084974.exe
    Filesize

    243KB

    MD5

    938832372408a924cfe022f6a5dacfab

    SHA1

    241dad860fcf7ff18e369d549883c539d8c0bb72

    SHA256

    fba97566d7a756b884488f3e446cf1c568b321ffb4ac5455cfb5de32809a0623

    SHA512

    a09e552099bd57d9d0999729d30d0546b9947b6367a441aff32e8fe28045384c1006c0228c6b017561cc72a167330c79fcc490ac975a457fc26f58c39d1a1ba5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2305452.exe
    Filesize

    174KB

    MD5

    66a12e902073d6c6897a0b341dfd69af

    SHA1

    cf36200960a19786f57d344131e30530b2784d48

    SHA256

    b5e6c7cdd346de0ffb40befb1a89c993add6e392e2b880b271d613ccaf203658

    SHA512

    3c9561565e5377b168e4e53f5c45dd9e6921e5fd83e098fd19c87f9cf64e9b3b6818736660332b225f46af604cdabddb2248f5f74420e927a8337868a0bbc855

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2305452.exe
    Filesize

    174KB

    MD5

    66a12e902073d6c6897a0b341dfd69af

    SHA1

    cf36200960a19786f57d344131e30530b2784d48

    SHA256

    b5e6c7cdd346de0ffb40befb1a89c993add6e392e2b880b271d613ccaf203658

    SHA512

    3c9561565e5377b168e4e53f5c45dd9e6921e5fd83e098fd19c87f9cf64e9b3b6818736660332b225f46af604cdabddb2248f5f74420e927a8337868a0bbc855

    Download Submit

  • memory/764-46-0x0000000000400000-0x0000000000509000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/764-2-0x0000000000400000-0x0000000000509000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/764-1-0x0000000000400000-0x0000000000509000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/764-0-0x0000000000400000-0x0000000000509000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/764-3-0x0000000000400000-0x0000000000509000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/784-32-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/784-50-0x0000000074180000-0x0000000074930000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/784-48-0x0000000074180000-0x0000000074930000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/784-39-0x0000000074180000-0x0000000074930000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/948-36-0x0000000000CE0000-0x0000000000D10000-memory.dmp

    Filesize

    192KB

    Download

  • memory/948-41-0x0000000005870000-0x000000000597A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/948-42-0x00000000055D0000-0x00000000055E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/948-43-0x00000000057B0000-0x00000000057C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/948-44-0x0000000005810000-0x000000000584C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/948-45-0x0000000005980000-0x00000000059CC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/948-40-0x0000000005D00000-0x0000000006318000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/948-47-0x0000000074180000-0x0000000074930000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/948-38-0x00000000055C0000-0x00000000055C6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/948-37-0x0000000074180000-0x0000000074930000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/948-51-0x00000000055D0000-0x00000000055E0000-memory.dmp

    Filesize

    64KB

    Download