Overview

overview

10

Static

static

3

982f1ee50a...AS.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-05-2024 07:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    982f1ee50adb5f73ac1c2572177697c0_NEAS.exe

  • Size

    845KB

  • MD5

    982f1ee50adb5f73ac1c2572177697c0

  • SHA1

    8e8a00653260c4291e7db3e8c3a3eb766d44f2c5

  • SHA256

    1187636d6e514eb6a1ebb708504da23f9a3ed6065b30e5bef5531cb485fecb34

  • SHA512

    9d4de83a73eff724cf1621f172a6209ad2b8e71e7b94792703c7ad8004ca597dd42cfe5c1f0b07e1fab289c0b516d02322ef8988062a4294449a7f73a61e1410

  • SSDEEP

    12288:KMryy90ohyzNL/h6I7S7IcpBmfPtJvMTf6uBfR4qqV7E6zczO8dMB0gHh6v0tnLI:MyZg/ZSliLvMzT4uo8kTLJ1GXJvt

Score
10/10
healerredlinemaskdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

mask

C2

217.196.96.56:4138

Attributes
  • auth_value

    31aef25be0febb8e491794ef7f502c50

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\982f1ee50adb5f73ac1c2572177697c0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\982f1ee50adb5f73ac1c2572177697c0_NEAS.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7984279.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7984279.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7466960.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7466960.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:60
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4856622.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4856622.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2704
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 1088
            5⤵
            • Program crash
            PID:512
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3244374.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3244374.exe
          4⤵
          • Executes dropped EXE
          PID:1652
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2704 -ip 2704
    1⤵
      PID:3644

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7984279.exe
      Filesize

      641KB

      MD5

      d25e2ce5ea9cb520fd36f23c0a6c15c1

      SHA1

      26b249c852ebe86a4691b9be08025d6b2883f2f5

      SHA256

      9e022c43c86ed75b361e6fe91818993d249a25fb7b811084a6d8b50fe40c5750

      SHA512

      1574b5bffbcc308b43f3603466b6888d259a47db8018a57cc28793196b1337ccb80e6be5e8c1e488ee1d664fcfbdd803488ae5ad889764928991f952f8f1c31c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7466960.exe
      Filesize

      382KB

      MD5

      0d12ebdb4204e31ae596570beca05c95

      SHA1

      dab31a9ec3fc3c697d8f05c7a8f53592d2d79109

      SHA256

      8506e4f2b70cebacc87978a1517e70fd9dde742fb508b531910b5f5aa8e04b4d

      SHA512

      378dd9dfd316ce4ae20051a2ebdf6452abe6b9bbec156cb85b34f719682907e39542e6d42ddb64c3815a616cedd0e3770f01f456681a32b1c218b2e15a578266

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4856622.exe
      Filesize

      289KB

      MD5

      96e310c44e12bd61baaa332837c729fd

      SHA1

      427043b6eaf1a567cdca38c6494172c13b4acbbc

      SHA256

      36a82377079e777f3e51be237e5c0cfeb98e6fc92a007883084b2b1addfd3848

      SHA512

      11f7a1244365682dde0e2189b69c4730aa5a1d050701ede3b5ac22ff9c6f67524cdf907c350090666a988ef9dae37831786c7d4a3750afc587c84099e19d1e97

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3244374.exe
      Filesize

      168KB

      MD5

      9132bba06b9d0ebfee0e477a3b57cacb

      SHA1

      455f9186839bac0bf606eeb26913dfa66dddc1de

      SHA256

      0395577f64749c2beade133832f8bfa2d2ba4be83218d5033a8a98cc877d97d9

      SHA512

      6d81f1a229f8173ce21e3c25bf2a1fd33e5971e0d82c3806c2d1938d368f31d91b35b0230ff46cbc74073e7934548fcad7856bb6e7e8109549590a875bf7f278

      Download Submit

    • memory/1652-66-0x0000000004CC0000-0x0000000004D0C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1652-65-0x0000000004C70000-0x0000000004CAC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1652-64-0x0000000004A00000-0x0000000004A12000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1652-63-0x0000000004D40000-0x0000000004E4A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1652-62-0x0000000005250000-0x0000000005868000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1652-61-0x0000000004930000-0x0000000004936000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1652-60-0x0000000000150000-0x0000000000180000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2704-51-0x0000000004A30000-0x0000000004A42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2704-55-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/2704-41-0x0000000004A30000-0x0000000004A42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2704-39-0x0000000004A30000-0x0000000004A42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2704-37-0x0000000004A30000-0x0000000004A42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2704-35-0x0000000004A30000-0x0000000004A42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2704-33-0x0000000004A30000-0x0000000004A42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2704-31-0x0000000004A30000-0x0000000004A42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2704-29-0x0000000004A30000-0x0000000004A42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2704-27-0x0000000004A30000-0x0000000004A42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2704-26-0x0000000004A30000-0x0000000004A42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2704-43-0x0000000004A30000-0x0000000004A42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2704-56-0x00007FFCB2950000-0x00007FFCB2B45000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2704-45-0x0000000004A30000-0x0000000004A42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2704-47-0x0000000004A30000-0x0000000004A42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2704-49-0x0000000004A30000-0x0000000004A42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2704-53-0x0000000004A30000-0x0000000004A42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2704-25-0x0000000004A30000-0x0000000004A48000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2704-24-0x0000000004B60000-0x0000000005104000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2704-23-0x0000000002030000-0x000000000204A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2704-22-0x00007FFCB2950000-0x00007FFCB2B45000-memory.dmp

      Filesize

      2.0MB

      Download