Overview

overview

10

Static

static

3

0237b61e61...e4.exe

windows7-x64

3

0237b61e61...e4.exe

windows10-2004-x64

10

0cbf9c5b59...f9.exe

windows10-2004-x64

10

0edb945c8d...dd.exe

windows10-2004-x64

10

13ca0bbb32...3f.exe

windows10-2004-x64

10

1465a638f9...f2.exe

windows10-2004-x64

10

1b0729839d...dd.exe

windows10-2004-x64

10

27bf431b08...9f.exe

windows10-2004-x64

10

34b8fdeeaf...27.exe

windows10-2004-x64

10

488c7cb3b3...18.exe

windows10-2004-x64

10

4bc64c0375...75.exe

windows10-2004-x64

10

4f85c3e4ec...fe.exe

windows10-2004-x64

10

55b18033bb...53.exe

windows7-x64

3

55b18033bb...53.exe

windows10-2004-x64

10

60e7e1ac00...07.exe

windows10-2004-x64

10

979a97cb16...99.exe

windows10-2004-x64

10

b3eb736a5d...9f.exe

windows10-2004-x64

10

d57352b171...d0.exe

windows10-2004-x64

10

d62f03a558...b6.exe

windows10-2004-x64

10

e72a6e51db...6d.exe

windows10-2004-x64

10

f5c9c18cca...6b.exe

windows10-2004-x64

10

fdb9b25099...78.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 12:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f5c9c18ccaa6f832b0b5e79345b5442c799774303bf84ea96f45d3c21b2a1f6b.exe

  • Size

    389KB

  • MD5

    047a5e67b8325b5f7f14d6300d2525fa

  • SHA1

    e765cf5f8a5e1e80bad8f737cd658ffaea69ed78

  • SHA256

    f5c9c18ccaa6f832b0b5e79345b5442c799774303bf84ea96f45d3c21b2a1f6b

  • SHA512

    da5583b2adff91294d280d78d4b3b598aab8b169e79bbc638f1042fcf44ab00b357c20b5b9dc7319482dba7632bd238653da8c0458af3b25a95a684ae46f57cd

  • SSDEEP

    6144:KAy+bnr+Np0yN90QEQmynqq5AvfcQr4UliD4EYjxgt2jfsmdrHq/LDxMMJOkeb:UMrhy90WP64Ul84jSt2jfHrKjDxMMbM

Score
10/10
healerredlinenasadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5c9c18ccaa6f832b0b5e79345b5442c799774303bf84ea96f45d3c21b2a1f6b.exe
    "C:\Users\Admin\AppData\Local\Temp\f5c9c18ccaa6f832b0b5e79345b5442c799774303bf84ea96f45d3c21b2a1f6b.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5687166.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5687166.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4588
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1980406.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1980406.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1516
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3481787.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3481787.exe
        3⤵
        • Executes dropped EXE
        PID:3820
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:1364

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

3
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5687166.exe
    Filesize

    206KB

    MD5

    82508e684b0244b131384ad84bd736ed

    SHA1

    3c80d10f1bad612d93b99bfc4ab1407dba6c101d

    SHA256

    2f9713625553da98a31d2c7cc5fa0ba1aafe7e56045cc660ab24e00c0b7eca4d

    SHA512

    10b6232edc6c64acc7aab72a2c31bb8c8654bcc7c603b43321b9898a05d4abee803890b13951aadfc913e955781272485a7f74452c979fc576f4d6f20a179a8a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1980406.exe
    Filesize

    14KB

    MD5

    acf71ede3fa4498bb7397d170fa7f878

    SHA1

    dd69c1172a9bf2f7d37b10a9fad59e1e1359c3ca

    SHA256

    a093e4e6d1e4d36ac0a4d04ed691dd962d5a6cc576395d79680eb7dc46650d09

    SHA512

    d7e45ef34b57273bf22af623e860fad167329dcb0d94feccda24d0d019b1bb7a8596162afefc6add472cf0fada895fcbb0febeb60e030006725ba9299ddc2355

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3481787.exe
    Filesize

    173KB

    MD5

    bfb4ba8d200b626ae3d3a6d9ca32061b

    SHA1

    d95ffa9926a751678bf632a7ccc558e1e8bfd0c5

    SHA256

    9358dd428789b3d65d74482772d34eef690cad71a78453ded32673a5bebccf3f

    SHA512

    c63c0198c363675e50866d3ac051c051ce53b758f364e66a15749422ce6efb1e689e68cb7c5936f64b4e5550623a16ffedc8ee84e553c78571f9db7a712fe3fe

    Download Submit
  • memory/1516-15-0x00007FFF276B3000-0x00007FFF276B5000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1516-14-0x0000000000C20000-0x0000000000C2A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3820-20-0x0000000000730000-0x0000000000760000-memory.dmp
    Filesize

    192KB

    Download
  • memory/3820-21-0x0000000002A10000-0x0000000002A16000-memory.dmp
    Filesize

    24KB

    Download
  • memory/3820-22-0x000000000ABC0000-0x000000000B1D8000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/3820-24-0x000000000A620000-0x000000000A632000-memory.dmp
    Filesize

    72KB

    Download
  • memory/3820-25-0x000000000A680000-0x000000000A6BC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/3820-23-0x000000000A6F0000-0x000000000A7FA000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/3820-26-0x0000000002A70000-0x0000000002ABC000-memory.dmp
    Filesize

    304KB

    Download