Overview

overview

10

Static

static

3

143e14de3a...c5.exe

windows10-2004-x64

10

22c5bd0a3e...19.exe

windows10-2004-x64

10

291dafd231...e9.exe

windows10-2004-x64

10

2e0a9b6a39...9b.exe

windows10-2004-x64

10

499d652934...48.exe

windows7-x64

1

499d652934...48.exe

windows10-2004-x64

1

4b8eb94185...c3.exe

windows10-2004-x64

10

4d09936a4a...bf.exe

windows10-2004-x64

10

4fbcb0a2f4...73.exe

windows10-2004-x64

10

53ecffef24...36.exe

windows10-2004-x64

10

59a57474eb...06.exe

windows10-2004-x64

10

61f1416a77...2b.exe

windows10-2004-x64

10

6aec183a58...31.exe

windows10-2004-x64

10

7182994846...ce.exe

windows7-x64

3

7182994846...ce.exe

windows10-2004-x64

10

7506757ba8...b0.exe

windows10-2004-x64

10

80ada740eb...52.exe

windows10-2004-x64

10

9e8418826f...52.exe

windows10-2004-x64

10

a898d72b49...84.exe

windows10-2004-x64

10

e6baad5a7e...5c.exe

windows10-2004-x64

10

ea3dd01036...9e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    126s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 15:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ea3dd01036351608cfd1a08d2d7331439b7acea2492116d550411f5e93529f9e.exe

  • Size

    1.5MB

  • MD5

    739572566c4c164a5cfdea959226737f

  • SHA1

    bd12047781b88543053373c06e32c90d077b7b40

  • SHA256

    ea3dd01036351608cfd1a08d2d7331439b7acea2492116d550411f5e93529f9e

  • SHA512

    8909d3d21549c9d54f93294623045ff7da459b48cb460b110627d7a48e1a1f4ca63fa2d20921533343c847522594886420453c67f11de16b433827eb5fb18777

  • SSDEEP

    24576:yyhKgMcSAnDe7nosL8G+V5OxMxanlh4tRpSPf9vE1dE+VgKPAO6y1k:Zhj5SAnQosAT0Dnr4tRpMs1DgjO6G

Score
10/10
healerredlinemashadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea3dd01036351608cfd1a08d2d7331439b7acea2492116d550411f5e93529f9e.exe
    "C:\Users\Admin\AppData\Local\Temp\ea3dd01036351608cfd1a08d2d7331439b7acea2492116d550411f5e93529f9e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4872
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0578791.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0578791.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3080
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3556398.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3556398.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2364
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7879489.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7879489.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4768
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4884083.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4884083.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4044
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7923935.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7923935.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:520
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4901763.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4901763.exe
          4⤵
          • Executes dropped EXE
          PID:3028
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4196,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4032 /prefetch:8
    1⤵
      PID:2020

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
      Filesize

      226B

      MD5

      916851e072fbabc4796d8916c5131092

      SHA1

      d48a602229a690c512d5fdaf4c8d77547a88e7a2

      SHA256

      7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

      SHA512

      07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0578791.exe
      Filesize

      1.4MB

      MD5

      631ed72f62ec0529a2ae8c950db257d0

      SHA1

      52ae6745c638f0906cb9d8eaae3c0d46c27c35ce

      SHA256

      ebde318f043b9e4926b01981d12ae91079793f5f9e2b0bb829c546750c8fb1f7

      SHA512

      01705c553bb1eede9a6040cc36ce47f75f522fc09667ba3d420d435bf060a21d63eff1f79c46824594d5d779e90e67327c8e80475f74577eb64dc297b82f8079

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3556398.exe
      Filesize

      1.2MB

      MD5

      e5776501a9148055f957f5386e3ecbef

      SHA1

      59011d27e29c91969953fa34da83e5187c51beca

      SHA256

      29f74e1800a68a08176cb3c5ccc169fca9cf58c9d9198f1090676e713c029607

      SHA512

      17ca6c0f12ce30c085f76f280f8950d1bbc195ea913b3c44cdcb6a8dcfd8794729b2fa3493f6f4fd450287f64dc2d15a37e01713cb8444acee9125c6423c47b8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4901763.exe
      Filesize

      691KB

      MD5

      d8d4f1edc3eb447f88fc132375c41f6f

      SHA1

      f8eb3bd34be6372087738a7f9ee063755ed3589d

      SHA256

      28fe55b2b9f42577744381f456c9b29a56cd27b167fdc68acc4ac152f3f3f483

      SHA512

      c1308f7ebe94affd2f6f2203c65e1540d230a486a393c6f76c59fef81b7d1cce0981ab04970a724f0bd7ecbca9a2a53f5eeda32e6e3656bba0582caaa803615b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7879489.exe
      Filesize

      619KB

      MD5

      ba78117b9e92e3a2402a5da59990515f

      SHA1

      d2e5579097b67e78ab394139ef310f79649f2fb9

      SHA256

      3a2a91d3842ab8ac000b7de5270f2e96dc7db51e4ef216d1232ebd0042d71708

      SHA512

      94447010a08d9fddf06e516a029fb12aa43289931339d4f4da494bb6eb94c08715a93af879825335590081584c7ad6ef6a672ebcf3f5bdc6fb4f3bd11a170107

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4884083.exe
      Filesize

      530KB

      MD5

      dbb355595fadb1a82c4ebb2c34f9d78b

      SHA1

      249981224e8809f05b6ea4a9839c7247461ee02a

      SHA256

      be3e1a18c76614255f9c6293f53286f7579243d8bbc17aac74d51d824a63d976

      SHA512

      cfe4e1831fdbd6b3d34a6cd42a801dca44062b5e30d391fd5f89a7aedada97186b027dfd192c990b4a4b10e4cc6a3eb872387f1dd404feec55182cb09c5dbb5e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7923935.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • memory/520-37-0x0000000000B00000-0x0000000000B0A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3028-49-0x0000000009EE0000-0x0000000009FEA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3028-42-0x0000000000620000-0x0000000000650000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3028-47-0x0000000002290000-0x0000000002296000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3028-48-0x000000000A500000-0x000000000AB18000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3028-50-0x000000000A020000-0x000000000A032000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3028-51-0x000000000A040000-0x000000000A07C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3028-52-0x0000000002210000-0x000000000225C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4044-28-0x0000000000420000-0x000000000042A000-memory.dmp

      Filesize

      40KB

      Download