Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-05-2024 11:56

General

  • Target

    c0dad59a3bf41db6ecf798e4bdcef76482de14c96e0a17733413f0a05a686cfd.exe

  • Size

    1.5MB

  • MD5

    02d3cc52bf2daf9027e9f5f03f9d5c60

  • SHA1

    64a54dee7b09794656ca9507fa03519451ebe600

  • SHA256

    c0dad59a3bf41db6ecf798e4bdcef76482de14c96e0a17733413f0a05a686cfd

  • SHA512

    a13e38a688863d6cf350a3ffb4c4df79b625945d92d7ed0964f1dfaf90b043e39b502695c7fe7e326856406eb536a8aca1537c0375cc5b30dae4f06dbb4b302e

  • SSDEEP

    24576:Sy43P8nmHHvHZb/3jXiV4MpypFR7uDMZiq3lDNGKVIAF/smmFJycDaV8ENEMKtAR:5vmHHPZb2KMpypFZflUKKAFmF8cN4Eh

Malware Config

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c0dad59a3bf41db6ecf798e4bdcef76482de14c96e0a17733413f0a05a686cfd.exe
    "C:\Users\Admin\AppData\Local\Temp\c0dad59a3bf41db6ecf798e4bdcef76482de14c96e0a17733413f0a05a686cfd.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0089642.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0089642.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2860
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0976851.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0976851.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3068
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0122630.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0122630.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4576
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3780934.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3780934.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:808
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9313119.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9313119.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3124
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0933471.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0933471.exe
          4⤵
          • Executes dropped EXE
          PID:4524

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log

    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0089642.exe

    Filesize

    1.3MB

    MD5

    424a3a9e388e8d4a143b78c18ca1b2c6

    SHA1

    7ab6f901d0d5d4fa7975097a215f37f2db0ceef6

    SHA256

    ef55c277b76336f83cf5f0b3e52fba5619ed8d90bc5166f3f9faefa34ac9f0ee

    SHA512

    64582f5fd930e7e42eb98dfffe330270446c6b1ca32b734907b1eddcbce93d04cee79c40f91a8f4704a4824dc5b7087875f961f652f4683a73e048eaaeea9786

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0976851.exe

    Filesize

    1.2MB

    MD5

    c2009317a168ce808f1b4abba0b792b1

    SHA1

    c16efb6d091d2a71ee9ba39d21d7617ddb324c28

    SHA256

    6429cbb349f93b5aef577412bc38be6d99a71362715c37dec7f671bfd2d43f8f

    SHA512

    40e5c0baa82bd300077d009af450ac76c1c602fe688cd65293565e3fc013151380ee334bd25e1a4505207a4547a1c2e9c95a5e18c71ea4de5ce5cf394ad49d58

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0933471.exe

    Filesize

    692KB

    MD5

    214c73137cc743a9c012c1c8cf932769

    SHA1

    d0b1f04df8dcb6804a1fed0898ddf2b5b159605c

    SHA256

    5677c49a17a767d7de2e2d88fc5a4fc8bfd93744afd46e6e321df03d5af6b6de

    SHA512

    42ab7caca363775508335667be71f41b8207ffcd96310b1f41e70e0ee4616c8279913e3e44ce5499e718b996df86cb506fb181cc9a248f34760d6a038726958a

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0122630.exe

    Filesize

    620KB

    MD5

    391fd1a83e790f6dd27276d9cf6d62f9

    SHA1

    ef4797b43151a8843647edbf32ee73f615d07dfe

    SHA256

    82f9a9ce84ade18863aa0e160ca1dd14cf2281d7602b34d0bf2e1c398f5d832a

    SHA512

    87e214f7090817f36b1db1faaf4e823be086f22fa7149619774e1995df7d2d0b61f9e9fafda658979016a66dec65a5d2ca68c1ee97493bc51c445a3cbd3d2a57

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3780934.exe

    Filesize

    530KB

    MD5

    dc806f3ebddbe8981ea2d83a522f13f5

    SHA1

    1c1b91044afdca07c99bece215fa8775c2d53084

    SHA256

    e3fe09c60edbad4bfcc881428c8425e91b9287e2b3116817a6dcc1f39b8ccc50

    SHA512

    20d4a7963ce40638369fa0a8a5633a4d1125947aa874c9ec6f57f0ceca307534ba7bec3ee95b96a7e22c65cb234f13c68536afd783995d0236f7139f1b0884ba

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9313119.exe

    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

  • memory/808-28-0x0000000000420000-0x000000000042A000-memory.dmp

    Filesize

    40KB

  • memory/3124-37-0x0000000000D50000-0x0000000000D5A000-memory.dmp

    Filesize

    40KB

  • memory/4524-42-0x0000000000460000-0x0000000000490000-memory.dmp

    Filesize

    192KB

  • memory/4524-47-0x0000000004A60000-0x0000000004A66000-memory.dmp

    Filesize

    24KB

  • memory/4524-48-0x0000000005110000-0x0000000005728000-memory.dmp

    Filesize

    6.1MB

  • memory/4524-49-0x0000000004AF0000-0x0000000004BFA000-memory.dmp

    Filesize

    1.0MB

  • memory/4524-50-0x0000000004C00000-0x0000000004C12000-memory.dmp

    Filesize

    72KB

  • memory/4524-51-0x0000000004C20000-0x0000000004C5C000-memory.dmp

    Filesize

    240KB

  • memory/4524-52-0x0000000004CC0000-0x0000000004D0C000-memory.dmp

    Filesize

    304KB