Overview

overview

10

Static

static

3

0b77ecaa1b...bd.exe

windows10-2004-x64

10

15a93b61b0...e6.exe

windows10-2004-x64

10

209703dd4d...93.exe

windows7-x64

3

209703dd4d...93.exe

windows10-2004-x64

10

371f83e057...f2.exe

windows10-2004-x64

10

4f86d48b3d...df.exe

windows10-2004-x64

10

613e8de3b5...a6.exe

windows7-x64

3

613e8de3b5...a6.exe

windows10-2004-x64

10

6bd55afbde...65.exe

windows10-2004-x64

10

74991b8b05...38.exe

windows10-2004-x64

10

75ccbf328f...af.exe

windows10-2004-x64

10

798aee8abb...5b.exe

windows10-2004-x64

10

7b57226b37...3e.exe

windows10-2004-x64

10

7fe3c52960...9b.exe

windows10-2004-x64

10

8e6c08ec1c...56.exe

windows10-2004-x64

10

9cb8e2b154...93.exe

windows10-2004-x64

10

a5bd0160df...49.exe

windows10-2004-x64

10

a62a548ffb...a0.exe

windows10-2004-x64

10

bfe644d3bd...29.exe

windows10-2004-x64

10

c606fbb70c...7c.exe

windows10-2004-x64

10

c84d7a88c3...a4.exe

windows10-2004-x64

10

d637403a7a...09.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 15:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6bd55afbdee9bee40494e1ad8d221009af60fed046a9028662aea7d0d54f2d65.exe

  • Size

    1.2MB

  • MD5

    7dc01fe162857c837ec42c043f06a250

  • SHA1

    c3f7888a5be49c458cdf5edca546ff6fd0b4da6b

  • SHA256

    6bd55afbdee9bee40494e1ad8d221009af60fed046a9028662aea7d0d54f2d65

  • SHA512

    9f828f990954d98bd65bf640d3aec245addc052add46fb8896223ec04953dce8a6fe2817bae53aa7fcee86d68248c4d6b0a5112b1a685082c5557c762cab48af

  • SSDEEP

    24576:MyVY5S9UGMFXStmUpJeZyTxB7Sc2mGafGCLun8tczXSZ2Lk:7VS3GMFXYmUpME+DzaS8tcjSy

Score
10/10
healerredlinelampdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6bd55afbdee9bee40494e1ad8d221009af60fed046a9028662aea7d0d54f2d65.exe
    "C:\Users\Admin\AppData\Local\Temp\6bd55afbdee9bee40494e1ad8d221009af60fed046a9028662aea7d0d54f2d65.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1408
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3261112.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3261112.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8396177.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8396177.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4712
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7660413.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7660413.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1868
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9350016.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9350016.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:4948
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5988030.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5988030.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:5116
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0146032.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0146032.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:5656
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8756436.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8756436.exe
            5⤵
            • Executes dropped EXE
            PID:2980

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3261112.exe
    Filesize

    1.0MB

    MD5

    5b0a1d75eb5b073c0f5546a26c49d51e

    SHA1

    89d4817ca552bfe2ecdef9e823c6699c7b880afe

    SHA256

    09a0554fa3d047c4f2f1494b3e012c638c2bdb4cbe185aa65f27d32cba3c1ea5

    SHA512

    824fe30d813a8df2398454ac42ad8dd85c1deb60a23b02891e7e554d6a92691a8111b78314ed5578455a56ac4eb0948a58e423b2a5f334fd28f76f49aeb8dda8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8396177.exe
    Filesize

    906KB

    MD5

    a8dc7323f27cb7e7ba583196ffab46c0

    SHA1

    1972d86b0a273a82b5c275ebea388cb9d17488b9

    SHA256

    fe144693974e5771dd392bfdc8fc666417cb8918a6547679b462223b317dc97e

    SHA512

    37d37d86e056faa6fc31c3907c8304f794eede48811944707a92f825d9430831a67d5f5f0cadc69b96d9d785cb2867a6999187264ac0eafa13e98516335bc12e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7660413.exe
    Filesize

    722KB

    MD5

    c7da44387b6e483fc8c7283c754feaeb

    SHA1

    62338659663da5f57fb9bea10a8a05bce0b662c7

    SHA256

    30437c11e0762d86ebb451cd52b19b722db914d0317986dc378b8c9cf4207181

    SHA512

    3b6fee44cac10e5b758e1b69374c501b3d405525ab09798ea60e82a948e134f40a23a762bbe1c52c7abf29a3cbcb8bab987ec3fe8dcead6ae043d36ccc46d7ab

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8756436.exe
    Filesize

    492KB

    MD5

    dcbd259b2016baa7fccc09cdfe371f3c

    SHA1

    3cc03134e9e76764bcfb2a7a3dcbabd11df1cdf7

    SHA256

    a54abe0f1d95e89689d38c546be49b4ee22308732f5d2afde6e1358b39872f36

    SHA512

    a03ade1fadb841b74696b36821e6397d74c0312f1eb9284afc136b5d9900c42a7e22c81fcd8f8a86e389c3308071210ce0678b3c4a1adf02267d11ad2d62b185

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9350016.exe
    Filesize

    325KB

    MD5

    32183c923a2c040ff6fa9dce751c8700

    SHA1

    b24b19b55080485ee969dc7af137f953b2a4b65a

    SHA256

    51bb7d261804bbd97cd5b8accdb599e73f5b0ee1f843139f8cf6efbf309729e9

    SHA512

    96c535f6b5e198df2355ac1569b21d960a82e95357ed29dca9c7ba5165fb8ca7cf6fc36ffe1772a6a1177c95b4d9ba70aa80bb1ed125339b3a73cd7105d040eb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5988030.exe
    Filesize

    294KB

    MD5

    0f0f50dfecaf72d4e3ccedb1f94725e0

    SHA1

    872a0dc944df9796fd5971ef38343657dabc0847

    SHA256

    4552de282a6b63d84161f50de829ef817a211330a3e4b1f011eba44c0b36cad5

    SHA512

    2a631692d38a09177d03c518711152a40d7ab2e92ebc81e9f98d228832f7e48f5c3f04a42d14393573bc0a30e838b2943794ddbd046089a1df75d2a86aeb53c8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0146032.exe
    Filesize

    11KB

    MD5

    225f76a6934bb90e542b61588977a84f

    SHA1

    bbb5cc365df0deea93ff6ff2cbafa3f2c7dc6eb9

    SHA256

    c98f0d1c4a7d88abce48355f9b9b10c40247af2b8bf5df2cd5754ebe19dfe2c3

    SHA512

    ca1057fac93b52b2c67be53defa90c60fde43c6efa09743820aac16a53d5aa0c13dbf8fabf20f994b8b60a1b258802e50ce24ba2c812b3156122d48f1d1dd081

    Download Submit

  • memory/2980-63-0x0000000004B20000-0x0000000005138000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2980-53-0x0000000000620000-0x00000000006AC000-memory.dmp

    Filesize

    560KB

    Download

  • memory/2980-60-0x0000000000620000-0x00000000006AC000-memory.dmp

    Filesize

    560KB

    Download

  • memory/2980-62-0x00000000043C0000-0x00000000043C6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2980-64-0x00000000051D0000-0x00000000052DA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2980-65-0x0000000005300000-0x0000000005312000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2980-66-0x0000000005320000-0x000000000535C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2980-67-0x0000000005390000-0x00000000053DC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/5116-41-0x0000000000580000-0x00000000005BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-42-0x0000000002740000-0x0000000002741000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5116-35-0x0000000000580000-0x00000000005BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5656-48-0x0000000000BE0000-0x0000000000BEA000-memory.dmp

    Filesize

    40KB

    Download