Overview

overview

10

Static

static

3

00b85ef681...3c.exe

windows7-x64

3

00b85ef681...3c.exe

windows10-2004-x64

10

02fa9e870a...3b.exe

windows10-2004-x64

10

21feb39957...32.exe

windows10-2004-x64

10

22f65486ce...8c.exe

windows10-2004-x64

10

230ec3f2c3...5e.exe

windows10-2004-x64

10

2ea5e26c15...e7.exe

windows10-2004-x64

10

3352e66593...91.exe

windows10-2004-x64

9

3a8a7d42c4...54.exe

windows10-2004-x64

10

55872fee0d...a2.exe

windows7-x64

3

55872fee0d...a2.exe

windows10-2004-x64

10

5c4e8c59ce...96.exe

windows10-2004-x64

10

9eded57acf...94.exe

windows10-2004-x64

10

ab1944db7d...fc.exe

windows10-2004-x64

10

ac6f6a7901...6b.exe

windows10-2004-x64

10

afa70bcf38...3a.exe

windows10-2004-x64

10

c4490bf883...30.exe

windows10-2004-x64

10

c648954590...a2.exe

windows10-2004-x64

10

d5755dadc9...b2.exe

windows10-2004-x64

10

f066a86310...dd.exe

windows7-x64

10

f066a86310...dd.exe

windows10-2004-x64

10

fa130ffbae...7e.exe

windows10-2004-x64

10

ffca01eab5...09.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    126s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 11:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    afa70bcf383e33af9cbc128ccd361170f3a0ea3cd99315128edb8e1a80aad23a.exe

  • Size

    1.6MB

  • MD5

    8deec4805523efe236b6022799c882d1

  • SHA1

    67b0a6dd0d7592016e3b22fffb623ad33a42364c

  • SHA256

    afa70bcf383e33af9cbc128ccd361170f3a0ea3cd99315128edb8e1a80aad23a

  • SHA512

    64b1b6dc25569ddcffa8249fce0cb9534bca605ab7061a288955df776380473a26b6ebd57faf5f28cfd2a6810bd216da07436078a2201adf23dc0c77ab151b24

  • SSDEEP

    24576:ZyOAv8szkh1NLNczLu4/8b48sUsYFCR11JPNTRFd4gvgjtjHIi4xWupgmt1IwQj:M0IkZNct/8MB+FmvlNTLd4poPWutRQ

Score
10/10
healerredlinemashadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\afa70bcf383e33af9cbc128ccd361170f3a0ea3cd99315128edb8e1a80aad23a.exe
    "C:\Users\Admin\AppData\Local\Temp\afa70bcf383e33af9cbc128ccd361170f3a0ea3cd99315128edb8e1a80aad23a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4740
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8606143.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8606143.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4628
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8447807.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8447807.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:840
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8429534.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8429534.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2280
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2553496.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2553496.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3368
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5712082.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5712082.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2620
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7432514.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7432514.exe
          4⤵
          • Executes dropped EXE
          PID:1808

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8606143.exe
    Filesize

    1.4MB

    MD5

    85a84ec8caf713bbf6d1194c73849518

    SHA1

    42365d5629741d2845f27fe694f1141bf3dbec2c

    SHA256

    c247556907e834a732d4138ae25fcb7ed4cc17aaedc05f7cc785b7cdcf409ff7

    SHA512

    03e9e9a337f52facb6efa91fb42e093555f856b923a0e786ac2352183f3da185f30e8980cbe2a5b90c560c06a6ad636234466e4ec325c74f6d82010059dc0ce9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8447807.exe
    Filesize

    1.3MB

    MD5

    ecbed37d9fde9b7919458f251e2a2f95

    SHA1

    9d3843ea35e446a3604ef14e4f9d55458d90f3ef

    SHA256

    63ac4cab84988253ecda3af804a8246350662fc316cd03de8874d56fea375722

    SHA512

    b42a65195d887ca2a268c5556de0743596d7e2b460bea32ed585e81628db4188132617a7160f213f33b2b722dd2a75c9ad0cc42bb4fc59fbab07fd7f948f6554

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7432514.exe
    Filesize

    729KB

    MD5

    d85d317a46aed09b8146e252b7c8764d

    SHA1

    1ce5e60b21c26d2bbcdedbe97ba159b7358e7c79

    SHA256

    1db7f105be4b03d970a89606e06375cc8c1377dc21eeffccb8625ae70ee012b8

    SHA512

    c50af6060b55d216d31e9e101db26698e70c785035e864a9ecf36426ea639db15bfaa3f08fdf5c8843520221391f7cd5c32d2aa4303c276e1d2c7867ce7ed4e0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8429534.exe
    Filesize

    638KB

    MD5

    ff8e72adb03ec3be07668cf2a4fc9660

    SHA1

    8cfb7b2972d5b9d011aab516bb8d33de415a65f4

    SHA256

    f1306a5f8023a569894248c4ebca9e5ee12412cfe73ca27ada08d4692a02f10e

    SHA512

    7a5f81a9a7d3692d34a91dd649f4d55e77b8453319b7e73ca8ece4b76f549ff53dda9caa1b7611a82ac73bdea60233f1f7507d1fcccb7bea268c60554fba8f7d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2553496.exe
    Filesize

    568KB

    MD5

    106b018729981308bb250d0e8f846078

    SHA1

    9f6fddc22ce689b3a0b29883fac746e837e7509c

    SHA256

    98d9459cbade980062439f8a76d35c2aa512b83779900ed12f4960b2d75f6ac6

    SHA512

    98d0dd03399d3fe757c1e77d09b836edfbbd15afe79a77179bc2cd685dfadaf9e96280d392c39cda1e8d2d450f221357483bc9314312373510e14d2fa1093f8b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5712082.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • memory/1808-49-0x00000000050E0000-0x00000000051EA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1808-42-0x0000000000790000-0x00000000007C0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1808-47-0x0000000002430000-0x0000000002436000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1808-48-0x0000000004A90000-0x00000000050A8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1808-50-0x0000000005220000-0x0000000005232000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1808-51-0x0000000005240000-0x000000000527C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1808-52-0x00000000052E0000-0x000000000532C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2620-37-0x00000000003E0000-0x00000000003EA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3368-28-0x0000000000540000-0x000000000054A000-memory.dmp

    Filesize

    40KB

    Download