Overview

overview

10

Static

static

3

00b85ef681...3c.exe

windows7-x64

3

00b85ef681...3c.exe

windows10-2004-x64

10

02fa9e870a...3b.exe

windows10-2004-x64

10

21feb39957...32.exe

windows10-2004-x64

10

22f65486ce...8c.exe

windows10-2004-x64

10

230ec3f2c3...5e.exe

windows10-2004-x64

10

2ea5e26c15...e7.exe

windows10-2004-x64

10

3352e66593...91.exe

windows10-2004-x64

9

3a8a7d42c4...54.exe

windows10-2004-x64

10

55872fee0d...a2.exe

windows7-x64

3

55872fee0d...a2.exe

windows10-2004-x64

10

5c4e8c59ce...96.exe

windows10-2004-x64

10

9eded57acf...94.exe

windows10-2004-x64

10

ab1944db7d...fc.exe

windows10-2004-x64

10

ac6f6a7901...6b.exe

windows10-2004-x64

10

afa70bcf38...3a.exe

windows10-2004-x64

10

c4490bf883...30.exe

windows10-2004-x64

10

c648954590...a2.exe

windows10-2004-x64

10

d5755dadc9...b2.exe

windows10-2004-x64

10

f066a86310...dd.exe

windows7-x64

10

f066a86310...dd.exe

windows10-2004-x64

10

fa130ffbae...7e.exe

windows10-2004-x64

10

ffca01eab5...09.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 11:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    22f65486ce4ad040f9985202d9306069315f0db3b4c66e630e358d3e8275178c.exe

  • Size

    1.5MB

  • MD5

    8fffe24a095ff86baacd02f20b2ae01e

  • SHA1

    66dca64c0e369bb53bf25a13d4f60185a1774dd5

  • SHA256

    22f65486ce4ad040f9985202d9306069315f0db3b4c66e630e358d3e8275178c

  • SHA512

    2251e76ca1c3072ff78f339548b5d7afd3bf13e15cfb516584a536e19595e154a343dbc61f19a4765fdfff2a86c962944b195d7d1328be4c5405810d5a545226

  • SSDEEP

    49152:KAhzL8MtOkOiCRahFMaNXg/2f1jlch1Ew6M6:VltNOrahFBXzfdlch2w6

Score
10/10
healerredlinemashadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\22f65486ce4ad040f9985202d9306069315f0db3b4c66e630e358d3e8275178c.exe
    "C:\Users\Admin\AppData\Local\Temp\22f65486ce4ad040f9985202d9306069315f0db3b4c66e630e358d3e8275178c.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0958649.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0958649.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4672
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9044848.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9044848.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4980
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9878724.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9878724.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1520
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6997162.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6997162.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4080
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4641227.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4641227.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2256
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5850381.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5850381.exe
          4⤵
          • Executes dropped EXE
          PID:2588

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0958649.exe
    Filesize

    1.3MB

    MD5

    d5234b1b06f679182e584fb90ab07f5f

    SHA1

    172ddddd3663d16fe7f84a516be9c2c007fe3164

    SHA256

    51a2a12e30660532d1900199113b6393952fdfff40ede8c47138aa19b28cb7d8

    SHA512

    8d8261956de8c7747e2343d0b82069297795e0da0f63d5f2798cce1ff1c43a28c5af5b12dfa9d586c2d73d599a0d7fbf3ad2e2ad2877d58055bd2208ad7dffab

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9044848.exe
    Filesize

    1.2MB

    MD5

    f4493a26b4b10f53bba65a537a1ec087

    SHA1

    eb2c5b0cedab32ac585775afcc8bffdce667659c

    SHA256

    f7f1fd6d848ee41b65262c9a2f501eb7c40ec1fe2246cf21c802f96e10c33dc1

    SHA512

    2c08c13f1d8b725c6ae3a3592df769697ef0b502af808556440fef03093f87f3e0d5e5dc3f822e4ee5ebd76ce51aac0988e1f8c03091711434bdd69c79e3349f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5850381.exe
    Filesize

    691KB

    MD5

    698d7de8bf63a96347de0a58d4558825

    SHA1

    3eb05fd2f7d39a84c2f5fc4f5b8d46f95e53d675

    SHA256

    38ef28d2ab78e4f8388653d130c6a2a3c6f66222699a30b5bec96e2e2f77aa10

    SHA512

    a8afe9c4aff2b7e618a0b8c8ee1d61d6f412fe83d0a0c0d549324343f81c80876b13a9d84b6cfe9516e3d2bac66881e49411bcdd58c96b810b24c212a611fe2b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9878724.exe
    Filesize

    620KB

    MD5

    0c5b92ca95c721f4da86a5a82f2e29c6

    SHA1

    1d19df0b01159fce0c4b9b649193faad02db809a

    SHA256

    e649d2fd56f4e1d06b2eab19e0b74693b4256117f17ee0dd2a73482d8b7f4056

    SHA512

    76eace14900a78f7ba3b2ae2d91a0d6bf6b6aaf8cd33ef1f7460a527d5a3c79678d133e7a3bd225a9b0bf30435f88bab9a5af4aeb10c9c2f8e2d1a013036ae1f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6997162.exe
    Filesize

    530KB

    MD5

    ee00df098d40cee95ceb67213b11b5b8

    SHA1

    d0025151437dc27fc26955d502d6740d19ec97ba

    SHA256

    7c9fbc3f7b5248fd4a18d30cbf7504f2521665b31c4ff3fb0b41105d15fe0ac6

    SHA512

    a19f3add5cc090dccc5699fb97070cb7cbae3c6d474159b82177a665a54bbafb480a24983e79d5aa799793e88eeaada4ccdc5147fb630e70c216fdd74577fa10

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4641227.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • memory/2256-37-0x0000000000260000-0x000000000026A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2588-49-0x0000000009EE0000-0x0000000009FEA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2588-42-0x0000000000440000-0x0000000000470000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2588-47-0x00000000021E0000-0x00000000021E6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2588-48-0x000000000A4A0000-0x000000000AAB8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2588-50-0x000000000A020000-0x000000000A032000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2588-51-0x000000000A040000-0x000000000A07C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2588-52-0x00000000043C0000-0x000000000440C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4080-28-0x00000000004F0000-0x00000000004FA000-memory.dmp

    Filesize

    40KB

    Download