Overview

overview

10

Static

static

3

30b55fc29e...75.exe

windows10-2004-x64

10

4f6b8faa68...86.exe

windows10-2004-x64

10

68c37c8307...6a.exe

windows10-2004-x64

10

699bfc597d...1d.exe

windows10-2004-x64

10

844b5b7693...ab.exe

windows10-2004-x64

10

86a6beb680...62.exe

windows10-2004-x64

10

9cf3d2bf3c...cb.exe

windows10-2004-x64

10

ca9f078739...a4.exe

windows10-2004-x64

10

d0ab8687e3...e2.exe

windows10-2004-x64

10

fb468a211d...c3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 10:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    844b5b76938e178a82f8c18d5600f389ee4da147c66b379dbc5cb8587d11e5ab.exe

  • Size

    1.5MB

  • MD5

    81ea008f898bb51262018817b54fa84a

  • SHA1

    df835f5a494bbd56fabb7130b8a9a82d7841f442

  • SHA256

    844b5b76938e178a82f8c18d5600f389ee4da147c66b379dbc5cb8587d11e5ab

  • SHA512

    4b2f570869aa81eaf5fd7ba232fc080de0797d3c7f99e6f83a9e5da93fe6c5fa317078cd6f72d7e00e3009dc67981638147679f6479fe8183070fef6d0518265

  • SSDEEP

    24576:Tyr5T2KzBFhNW2AYXX5BMzudjFcDnuJnRP9pJ7lyel+C4hIa8XCGKysC8F:mxVvhYY/BFcnuJh9jZyxCKOSFyr8

Score
10/10
healerredlinemashadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\844b5b76938e178a82f8c18d5600f389ee4da147c66b379dbc5cb8587d11e5ab.exe
    "C:\Users\Admin\AppData\Local\Temp\844b5b76938e178a82f8c18d5600f389ee4da147c66b379dbc5cb8587d11e5ab.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4480
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6205559.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6205559.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4864
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7919191.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7919191.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4848
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1172693.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1172693.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2052
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8325876.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8325876.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2624
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2765561.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2765561.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4824
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7155504.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7155504.exe
          4⤵
          • Executes dropped EXE
          PID:1168

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6205559.exe
    Filesize

    1.3MB

    MD5

    088e87133ee678a8b31b0d7bbb951c02

    SHA1

    325f430bbc59fd3ff123f2f4d34dd214c1c889ec

    SHA256

    6d52a07c3772ac6446969c4d8274e818055f73f6bb281ef5a37ad52e0258c575

    SHA512

    4436b9d28876888b6ecfd0addb5271628b7f203385c11821040c36edb70a73f7c2d41bbc39a680fd1c30f6c83717132c398e94c97d42b886e9bf3c189f99c761

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7919191.exe
    Filesize

    1.2MB

    MD5

    8a33e531826f517c8c47a87bc964ecfa

    SHA1

    98307298753791fa2db99202295e2b4dcea03ce9

    SHA256

    7bf34c5225e719b7cd23083c0f928af79494fc3989398529722851ac2b7a9218

    SHA512

    9630d116fd597f05b91816ef281c190023e1cf90fa4726f75a4cb85011b44d73e2536f8e0e61d22acd3da27f83a27f647c6bc6993126ec6c55285938a3cc4392

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7155504.exe
    Filesize

    691KB

    MD5

    0e6ae50e619cd27c3be7dd5e0d0470d9

    SHA1

    966d3d9e8620f8c6ee53bab1a199c417816f31e8

    SHA256

    98ed2c4dfcadc878a5e304dda49c41d447568987665fc2a8ab6d52e8da7ebc61

    SHA512

    77b0adc9810df719df683d87a51b38f203b633a1ddf84f236f01a9799ebeb221adc52e2efa349e0cfdb0c404b74b9cce7b29d53f65b8d1dabe65a66cafea6657

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1172693.exe
    Filesize

    619KB

    MD5

    244fa5db56a8d8a66dd74760a4f86238

    SHA1

    3391d935288848c9a3cc345453cf1862cf6a7eca

    SHA256

    1bee181c1474a31c880e539118c43f9e9d0cba1fff75e94fe79336d02fd65e97

    SHA512

    227c2de03946d9ff074c2e7c929a68aa2a42382a0def297cffc6ee688c3b218809f9fd91a7207f4886b53c9bd633b6ef8e2819808448ae3d7ca946a3fd8a27db

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8325876.exe
    Filesize

    530KB

    MD5

    abeb534b362dfb9b8421850442516a17

    SHA1

    2b8b0de64fb3ecf726206bb0fc7224788d98f78e

    SHA256

    1963a5127acbfa67b1133acb3279ac8765ec2b021be43036bfcfe5b6c8dc366d

    SHA512

    76788eb2296c5e644aaefcb28b83494bdd41c4535be1a49ddf2b1ac52d3b5bd6eb2cc745cb843adf662e59bada6211cff6fdc04f89c31519b2c93f7a910d3e7c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2765561.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • memory/1168-49-0x000000000A500000-0x000000000A60A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1168-43-0x0000000000520000-0x0000000000550000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1168-47-0x0000000004A60000-0x0000000004A66000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1168-48-0x0000000009EA0000-0x000000000A4B8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1168-50-0x000000000A640000-0x000000000A652000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1168-51-0x000000000A660000-0x000000000A69C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1168-52-0x00000000042C0000-0x000000000430C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2624-28-0x0000000000420000-0x000000000042A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4824-37-0x0000000000230000-0x000000000023A000-memory.dmp

    Filesize

    40KB

    Download