Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/05/2024, 10:51 UTC

General

  • Target
    4f6b8faa6814b26627c6c8eac0bc9c5237229efaec31a93ac5634db12970f986.exe
  • Size
    921KB
  • MD5
    806e422c72778033c5ab84a122ee219d
  • SHA1
    2a82b3feba5337f550d857fdd39290c1edbeaaff
  • SHA256
    4f6b8faa6814b26627c6c8eac0bc9c5237229efaec31a93ac5634db12970f986
  • SHA512
    ac7a914896275cd09d64faee9eb7259f370f58845dd50b5ddfcd139296e57aedf457eec534d6498c0a0b67266a1c9b07c222bba27d65aee1304dba7a16b880eb
  • SSDEEP
    24576:lyxIBM9mCnbl4MASk1HCUvk9gY6gmZw76pr:AxASDx7HzHy

Malware Config

Extracted

  • Family
    redline
  • Botnet
    lamp
  • C2
    77.91.68.56:19071
  • Attributes
    • auth_value
      ee1df63bcdbe3de70f52810d94eaff7d

Signatures

  • Detects Healer, an antivirus disabler dropper (1 IoC)
  • Healer

    Healer is an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings (3 TTPs, 6 IoCs)
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload (2 IoCs)
  • Executes dropped EXE (4 IoCs)
  • Windows security modification (2 TTPs, 2 IoCs)
  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f6b8faa6814b26627c6c8eac0bc9c5237229efaec31a93ac5634db12970f986.exe
    "C:\Users\Admin\AppData\Local\Temp\4f6b8faa6814b26627c6c8eac0bc9c5237229efaec31a93ac5634db12970f986.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3648461.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3648461.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4844
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8860082.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8860082.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4204
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0381995.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0381995.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:720
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4476781.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4476781.exe
          4⤵
          • Executes dropped EXE
          PID:2724

Network

  • DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • DNS
    183.59.114.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.59.114.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    25.14.97.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    25.14.97.104.in-addr.arpa
    IN PTR
    Response
    25.14.97.104.in-addr.arpa
    IN PTR
    a104-97-14-25.deploy.static.akamaitechnologies.com
  • DNS
    77.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    77.190.18.2.in-addr.arpa
    IN PTR
    Response
    77.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-77.deploy.static.akamaitechnologies.com
  • DNS
    43.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 77.91.68.56:19071
    l4476781.exe
    260 B
    5
  • 77.91.68.56:19071
    l4476781.exe
    260 B
    5
  • 77.91.68.56:19071
    l4476781.exe
    260 B
    5
  • 77.91.68.56:19071
    l4476781.exe
    260 B
    5
  • 77.91.68.56:19071
    l4476781.exe
    260 B
    5
  • 77.91.68.56:19071
    l4476781.exe
    208 B
    4
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    183.59.114.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    183.59.114.20.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    25.14.97.104.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    25.14.97.104.in-addr.arpa

  • 8.8.8.8:53
    77.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    77.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    43.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    43.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize: 226B
    MD5: 916851e072fbabc4796d8916c5131092
    SHA1: d48a602229a690c512d5fdaf4c8d77547a88e7a2
    SHA256: 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
    SHA512: 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3648461.exe
    Filesize: 766KB
    MD5: 318a8eb67e8bcaee3b89dc081807d46b
    SHA1: f78a8e23612e270f6b6d3307f41bb920a7fc192e
    SHA256: ab1b9e632564fb3c2826cd638e3277d9bdf07dddc041266d361a6d4cc95015f6
    SHA512: 661fea1e8059173d551c6b538f46220e6d8f911f53977df24f55be72d5d25346b360e1acdfeb101f2e861acd4011ecd752e809279c7664fd082198aebb935c97

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8860082.exe
    Filesize: 582KB
    MD5: 2677f8194fefee3ab023a4d84fe7f80f
    SHA1: 40d025e65fbb8f2e14b8e26c961cd8c1fec08105
    SHA256: f1cf4820bb2702cf7511d9a2d90c3fe80b263088ac476a3595a7eaa049212f88
    SHA512: ad3daa1d49f8378c9ebae85817748f539fd19af5a95baa4033726edf12ec8ea7a103a673c736d68e5ae102143e33dd29d1405fef35a790bed9d95ee9bb07ff92

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0381995.exe
    Filesize: 295KB
    MD5: 61311f348b60fae73c1dec88ddb812b8
    SHA1: e584bec72429d0f2aac1b5d351a03f6dedf9146d
    SHA256: 5e01d277979e902ec4bae4561368f84e9d5d1cc3cf340ca5ed832ae63e97052b
    SHA512: 82464d99004b7f9f8db0cca14c31dd18a40c1db4c2eba889bf9937fe6278f3d7798ec068a2f66b375518dc479edc68201003ea6bc944480b9c1cb85416b73eb0

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4476781.exe
    Filesize: 491KB
    MD5: f958d6d636e5b3fb2432867cfe738c1d
    SHA1: aa869b349e1cb254c21a4a0f73ae8ea0a1a0a4e6
    SHA256: 27ee8475b77ceb67b815e186029dd46601683d36f1fed7e2c9d8228eda8efcdd
    SHA512: fae9b3392255b0d7be0d75cfcab8b97ff1278f79c811fc349483ba56592989d2a30788d2cb01873afc79adf28069fc684b797818f46090d1d8c3d3875ebc5bf9

  • memory/720-21-0x00000000006D0000-0x000000000070E000-memory.dmp
    Filesize: 248KB
  • memory/720-27-0x0000000000401000-0x0000000000404000-memory.dmp
    Filesize: 12KB
  • memory/720-29-0x00000000024A0000-0x00000000024A1000-memory.dmp
    Filesize: 4KB
  • memory/720-28-0x00000000006D0000-0x000000000070E000-memory.dmp
    Filesize: 248KB
  • memory/2724-35-0x0000000002000000-0x000000000208C000-memory.dmp
    Filesize: 560KB
  • memory/2724-42-0x0000000002000000-0x000000000208C000-memory.dmp
    Filesize: 560KB
  • memory/2724-44-0x0000000002270000-0x0000000002276000-memory.dmp
    Filesize: 24KB
  • memory/2724-45-0x0000000004BE0000-0x00000000051F8000-memory.dmp
    Filesize: 6.1MB
  • memory/2724-46-0x0000000005200000-0x000000000530A000-memory.dmp
    Filesize: 1.0MB
  • memory/2724-47-0x0000000005320000-0x0000000005332000-memory.dmp
    Filesize: 72KB
  • memory/2724-48-0x0000000005340000-0x000000000537C000-memory.dmp
    Filesize: 240KB
  • memory/2724-49-0x00000000053B0000-0x00000000053FC000-memory.dmp
    Filesize: 304KB
