Overview

overview

10

Static

static

3

27efa43e16...c1.exe

windows10-2004-x64

10

2fd7c050fb...83.exe

windows10-2004-x64

10

31714e287a...59.exe

windows10-2004-x64

10

4663b4277c...a5.exe

windows10-2004-x64

10

4ef1a0149d...77.exe

windows10-2004-x64

10

55de348478...bf.exe

windows10-2004-x64

10

62e08aa290...71.exe

windows10-2004-x64

10

7c2b1a4696...86.exe

windows10-2004-x64

10

9712f3ca55...1a.exe

windows10-2004-x64

10

a2578cb8fe...19.exe

windows10-2004-x64

10

a2e15ecbc2...3e.exe

windows10-2004-x64

10

bc1039ea1a...c2.exe

windows10-2004-x64

10

c7a4524e38...ae.exe

windows10-2004-x64

10

f47fb04ed8...65.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 11:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    27efa43e160a77456643b18b13206f1f8a13410ef51729dbe8fa2997f36694c1.exe

  • Size

    1.2MB

  • MD5

    861cdcff71d268dee3580d2ce333ac09

  • SHA1

    94be6d1757a7ab5c0d5ebd464cafb71bc1c5d33d

  • SHA256

    27efa43e160a77456643b18b13206f1f8a13410ef51729dbe8fa2997f36694c1

  • SHA512

    b2e905338edbaaf101bd94b91c801972ff30f49a8f0f4740c67faa7e8d3c2be243d0883cec424f9db46bbf7b403ae72b5a6e3201d0861093e9084e920a9f1581

  • SSDEEP

    24576:ayE5p8ogugja8IT5+YVQ0SVU97kNQ7hDtYT:hwZgja8G5+k79ANQlDtY

Score
10/10
healerredlinelampdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\27efa43e160a77456643b18b13206f1f8a13410ef51729dbe8fa2997f36694c1.exe
    "C:\Users\Admin\AppData\Local\Temp\27efa43e160a77456643b18b13206f1f8a13410ef51729dbe8fa2997f36694c1.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4706679.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4706679.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3344
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4373698.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4373698.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4808
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5824928.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5824928.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2180
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6920833.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6920833.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:3216
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5662532.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5662532.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3700
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9621859.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9621859.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1420
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2955605.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2955605.exe
            5⤵
            • Executes dropped EXE
            PID:1948

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4706679.exe
    Filesize

    1.0MB

    MD5

    d99c9e8014fd98a5853bb0080066e936

    SHA1

    e237506f5dafe36d584654d17a9d89789e49abbc

    SHA256

    7eef2bc77210dfb371441f3047d2846eab00efa17776e8dd2174dc6cfcc22651

    SHA512

    f0d38b9baae2e87de9c0d0445c7aca43721cd1ff8a37ca8b56a7641cf09e9b1d08a15f83d2750f7c56c6b6e85f44d491d559cf91004102b66910561ba0e02f76

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4373698.exe
    Filesize

    907KB

    MD5

    f6d64813192fad614a257adbf420648b

    SHA1

    71fbc5cf4b03d9835ccf416f6ac9e3c87d023021

    SHA256

    c9efc07dc3d1de7d09ef98482efbab50d57d8536b9e046b68e6390bfa840f5bb

    SHA512

    73c5accc42fc873a26095b0468918d98cf8d5761229903fc08c02008d836bbf84ca89f0c7f3a494138c33e2fd173a57e0437be4f9a5d548071fec946f35afd6f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5824928.exe
    Filesize

    724KB

    MD5

    b961bbd078d1fe381fcbc28cf386e581

    SHA1

    cb07ff1e265bf9b3981407b19a3a3b5b6d6f4118

    SHA256

    934e3940690b574644d70bfc00cc2145298402b2db4c227d4ce50a3b4e38b33b

    SHA512

    054e1a710393e2d8943969768b0e0d740eccfa67f011aa70a45b94df493c51693f20f5fff89d985f105ae154a8fc0d0a530d2ef997d514169ebc3bcf1243b4da

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2955605.exe
    Filesize

    492KB

    MD5

    ac523d21c55d2d2644043c53e75c55f2

    SHA1

    eef365e4a038081b448ca57c1a62442a91337922

    SHA256

    568f3c159a41a0e2bc796dae311399b219263b9cf560c8ee35097e5f82c4a9fd

    SHA512

    0b0f50e108d2a732745b3613fc578d3883747a71b147725db977122e9b9fa52ce56e29ba5b6300da237d7f6e414b4c8b7a4ef296b2539b6e266764a4b1947672

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6920833.exe
    Filesize

    326KB

    MD5

    7fe7107090dd0b3d88aedc6546e1cc4e

    SHA1

    47b7e6e0362bcfbeba92920c9d2a97d2d91464e8

    SHA256

    cd505eae50fdf3b4cdf9ca2e8cd92aa71083e5f5f8a5fabdfdffd29a18688182

    SHA512

    11e173dfe65c8594f3fe5095eb0f27115c0048bf6341c09a771234ca5e346dee102fada41f4ec80da3460371e121e12fedacb63547ffc46b6a3fd7d0e068a8b8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5662532.exe
    Filesize

    295KB

    MD5

    7b9509824ecbc98098a72bd9f82255ef

    SHA1

    66b515d756229e615b8c0b3cac95e8189589f4d4

    SHA256

    937c45336dcd8317bbc60a49b4664044624e1090feeb6d64bca4a62d29e825ab

    SHA512

    cec8b69950b259f484f61b63c6300ccfaf2d95daf8a791613514b90dc80a766bf6aae4662555382a0892534b1f0774d0e5794aadb13d78e83f4b049d590287dc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9621859.exe
    Filesize

    11KB

    MD5

    4bd6694914cb2de0d5e4a1cc0b1c1f74

    SHA1

    2f5ad161de0a4735376060d4bac8c58fe8b7107d

    SHA256

    97fe71d12da003907a0b02de0940a32851e8a7052cf5b4070643cc8c136c7408

    SHA512

    54104ccf23ec91c77552527d5e279d8831c83ec5a829a6af5446c49198cefe8c7edc5ffcc97b7cbdff86e3f5925d94966206d3d1c284766c4ed92ecb4b951043

    Download Submit

  • memory/1420-48-0x0000000000B50000-0x0000000000B5A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1948-63-0x0000000009FA0000-0x000000000A5B8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1948-53-0x0000000000950000-0x00000000009DC000-memory.dmp

    Filesize

    560KB

    Download

  • memory/1948-60-0x0000000000950000-0x00000000009DC000-memory.dmp

    Filesize

    560KB

    Download

  • memory/1948-62-0x00000000023E0000-0x00000000023E6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1948-64-0x000000000A5C0000-0x000000000A6CA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1948-65-0x0000000006CF0000-0x0000000006D02000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1948-66-0x000000000A6D0000-0x000000000A70C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1948-67-0x0000000006A00000-0x0000000006A4C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3700-42-0x00000000021F0000-0x00000000021F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3700-41-0x0000000000490000-0x00000000004CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3700-35-0x0000000000490000-0x00000000004CE000-memory.dmp

    Filesize

    248KB

    Download