Overview

overview

10

Static

static

3

036028e386...a7.exe

windows10-2004-x64

10

0f5fae4716...8d.exe

windows7-x64

3

0f5fae4716...8d.exe

windows10-2004-x64

10

1998a377c7...11.exe

windows7-x64

3

1998a377c7...11.exe

windows10-2004-x64

10

1b624e343d...55.exe

windows10-2004-x64

10

2b559f1c51...29.exe

windows10-2004-x64

10

2d1e7e578c...8f.exe

windows7-x64

3

2d1e7e578c...8f.exe

windows10-2004-x64

10

52d5102aa9...ea.exe

windows7-x64

3

52d5102aa9...ea.exe

windows10-2004-x64

10

5365362210...13.exe

windows10-2004-x64

10

5460a1d2c8...37.exe

windows7-x64

10

5460a1d2c8...37.exe

windows10-2004-x64

10

69b4a94473...6c.exe

windows10-2004-x64

10

7b7ce936fd...c9.exe

windows10-2004-x64

10

82e326156a...5b.exe

windows10-2004-x64

10

82e97b51ca...5f.exe

windows10-2004-x64

10

9b8496e95e...b6.exe

windows10-2004-x64

10

b21367ffaa...ef.exe

windows10-2004-x64

10

bd06bfc269...a3.exe

windows10-2004-x64

10

d191282ff4...7a.exe

windows10-2004-x64

10

d77888ac75...7b.exe

windows10-2004-x64

10

ef11bf7b35...d4.exe

windows10-2004-x64

10

f0d33c78b4...aa.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 14:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d77888ac75d20228b7b7d9e6605425cfb9f51ecf0f39863b19981b1598b3a57b.exe

  • Size

    924KB

  • MD5

    39ebcf56ab4b2fb98a2e2590c5a5a588

  • SHA1

    90ef0140fb2cd50c8f3f507ec061532252882acb

  • SHA256

    d77888ac75d20228b7b7d9e6605425cfb9f51ecf0f39863b19981b1598b3a57b

  • SHA512

    c596ee775a66fffe2df60c2cc909f89e71b2c6d95fba57ca78ed5a13c962b2520b6e8460ddc9f3ca0e6cb8b9e5cde134ed157f0a9ec39cbfe13c2d7bb62149ff

  • SSDEEP

    24576:OylPVB7/z8r9NKS/rdlEGOapBK/Aoa2ZLZP:dlHopNKSjkapoFa4t

Score
10/10
healerredlinelampdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d77888ac75d20228b7b7d9e6605425cfb9f51ecf0f39863b19981b1598b3a57b.exe
    "C:\Users\Admin\AppData\Local\Temp\d77888ac75d20228b7b7d9e6605425cfb9f51ecf0f39863b19981b1598b3a57b.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5080
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4199648.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4199648.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3924
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7832952.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7832952.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4576
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7566094.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7566094.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2064
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9832720.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9832720.exe
          4⤵
          • Executes dropped EXE
          PID:4460
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3720 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2080

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
      Filesize

      226B

      MD5

      916851e072fbabc4796d8916c5131092

      SHA1

      d48a602229a690c512d5fdaf4c8d77547a88e7a2

      SHA256

      7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

      SHA512

      07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4199648.exe
      Filesize

      768KB

      MD5

      af6e9fb430a5cc56680227a7f94310aa

      SHA1

      a6c0e4ed159807678144a63f4ab9ea7d1bf22530

      SHA256

      b91e172be8a42cc58aa76b4b06e6f5f8ee11514cd52c61c61f6f200b982272d1

      SHA512

      e0f92b4418e5fb47fd4c52be2c2fd5fb2ecdceb4c06f43701e927aa7bfb4c1491be9a9b990e766017cb4575b00f9c6e3316e565b1ed3591266de0ea27821da0c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7832952.exe
      Filesize

      584KB

      MD5

      70c2d38d4547cfdda21e5a0ecb834188

      SHA1

      97e074f5aa166a3bf5e7a91311c5b5d091c430c5

      SHA256

      d33bc366cf55b54588d2d5d038cd4124b36e834e9b61a65c7b1d4fca42d29287

      SHA512

      ccc1cab1b58925d29026dd78f06c2c2df8177fb5fc8b5d465d5b2a0601bbb546446722ecc69c04b29121dd8b40127ca51c919350e9b4953042a24d7bfc56b760

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7566094.exe
      Filesize

      295KB

      MD5

      c43930fbf73244831a96682aba907e8c

      SHA1

      44db4ec9c11a04d56d2bfab7f993abf37a23e6fe

      SHA256

      9beeaf6651baa5e2597a933df6eee18cf168ba41865e18001185613e0949bba3

      SHA512

      6cb91d5c9317f693a04eec12cddef55760619ed65944df60986b009eb1c782833d121788d4352519e6391bed2a06f0f602b1f4a753623c7ac92dd0440dd307af

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9832720.exe
      Filesize

      492KB

      MD5

      1bc0f3239045d44d169496f3b247f881

      SHA1

      1884266973607585ec1b134f6009c17e54f3b18f

      SHA256

      8d09dd356bd29f5d38121849999e828d955e116d03542444d0b4f40073596e7f

      SHA512

      dc3a2358d4d2613bb82c60362c409590a8699d53625efd9fd8b853f5e19afed07c798cf66b59d38bd526a80559bc4cc486b23b0f40f3fb120bd61a67946f87a9

      Download Submit

    • memory/2064-21-0x0000000000401000-0x0000000000404000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2064-23-0x0000000000570000-0x00000000005AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2064-28-0x0000000000570000-0x00000000005AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2064-29-0x00000000025A0000-0x00000000025A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4460-35-0x0000000001F70000-0x0000000001FFC000-memory.dmp

      Filesize

      560KB

      Download

    • memory/4460-42-0x0000000001F70000-0x0000000001FFC000-memory.dmp

      Filesize

      560KB

      Download

    • memory/4460-44-0x0000000004390000-0x0000000004396000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4460-45-0x0000000007330000-0x0000000007948000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4460-46-0x0000000006D10000-0x0000000006E1A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4460-47-0x0000000006A90000-0x0000000006AA2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4460-48-0x0000000006AB0000-0x0000000006AEC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4460-49-0x0000000006B40000-0x0000000006B8C000-memory.dmp

      Filesize

      304KB

      Download