Overview

overview

10

Static

static

3

0938a999b8...a3.exe

windows10-2004-x64

10

0ffce302b8...4a.exe

windows10-2004-x64

10

3b67ac2053...51.exe

windows7-x64

10

3b67ac2053...51.exe

windows10-2004-x64

10

4590646dc8...0a.exe

windows10-2004-x64

10

4869031eb8...36.exe

windows10-2004-x64

10

60fc18182e...b7.exe

windows7-x64

3

60fc18182e...b7.exe

windows10-2004-x64

10

67a45559c6...33.exe

windows10-2004-x64

10

74375fb2d7...83.exe

windows7-x64

3

74375fb2d7...83.exe

windows10-2004-x64

10

7c0286554a...02.exe

windows10-2004-x64

10

8bdbf47835...d8.exe

windows7-x64

3

8bdbf47835...d8.exe

windows10-2004-x64

10

9048c42aba...63.exe

windows7-x64

3

9048c42aba...63.exe

windows10-2004-x64

10

933ef5632c...f8.exe

windows10-2004-x64

10

aa2355d799...b1.exe

windows7-x64

3

aa2355d799...b1.exe

windows10-2004-x64

10

ac1a519838...39.exe

windows10-2004-x64

10

b8d6d40ceb...dc.exe

windows10-2004-x64

10

c1b16d8ddb...05.exe

windows10-2004-x64

10

cceb3dc1a5...0e.exe

windows10-2004-x64

10

edcd11e45e...06.exe

windows10-2004-x64

10

fa3e143197...a1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 17:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    67a45559c67180bac6f740ec616b9c74df65b1cb4a48219d705f41d667e2b233.exe

  • Size

    1.5MB

  • MD5

    634f345e2fb17bc841ce205beeda286f

  • SHA1

    d9f43cf541bbd64156c36193206c96db42f47674

  • SHA256

    67a45559c67180bac6f740ec616b9c74df65b1cb4a48219d705f41d667e2b233

  • SHA512

    408f007c13bac39d95d0df340757bbca1e3d56b6c8f95b38f354fc9a8c8a354e4b56e6cd3aca19c70f70afdcdeaa46bb847c18bab61649629d17eaca094ad3c1

  • SSDEEP

    49152:wux1UO1LsM5vIzSyx8jYRogsQ+aV4Qmsad:T5LsMWzSQRogsDaVYd

Score
10/10
healerredlinemashadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\67a45559c67180bac6f740ec616b9c74df65b1cb4a48219d705f41d667e2b233.exe
    "C:\Users\Admin\AppData\Local\Temp\67a45559c67180bac6f740ec616b9c74df65b1cb4a48219d705f41d667e2b233.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1656
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4982378.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4982378.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9829686.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9829686.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2612
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8580833.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8580833.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:216
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3989589.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3989589.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1992
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4952814.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4952814.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3504
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2987143.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2987143.exe
          4⤵
          • Executes dropped EXE
          PID:704

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4982378.exe
    Filesize

    1.3MB

    MD5

    741838e93a1b6fd219f38b6db32f022c

    SHA1

    d1b635eea04c17d01052f9b01c18d58610cc9dfe

    SHA256

    eca28fc3d1f19484e3f78cb8786486c6a014d2dfecf4864693637d94e21b8588

    SHA512

    7b2fd35a80211565d1c674b96dee8dc4e2f3a69f8a87dcfd4371318216d27e8d7a070d525ec3eafcb94e0f3f5ae1aec0cd6a8d501734f38ccd332a53c2f153ed

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9829686.exe
    Filesize

    1.2MB

    MD5

    0f273cdd284121084e3180bc84aa43f0

    SHA1

    02e8c0c1e7665a1683ab16af641f9b4ccadb6fdd

    SHA256

    3186cd3feefcf00561e29cd0df7673e346ae9e9e60730b994db2fc0804d66f41

    SHA512

    b51ca041f93d9536b338a85dbca974adfd1be1caa05de09b09a754323db7cdfd8069d090d3cfc2eb90fbba83978691cade4704f4b1c7d341c22ab86cb84aad0c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2987143.exe
    Filesize

    691KB

    MD5

    da0fa4c3da6c807d1f548b7f3076e7c2

    SHA1

    f084fb5abf6b5c4933a065ed3580621cf93d6619

    SHA256

    74754acdef3bb4ba00c2f12115af82c2a6bfaf9bfbe0a9978311c33e847e9420

    SHA512

    6f7f4744ca133e1f411eb3c227fbebee8173993af87cab509d2b7f1dbb09ba9e08bd37cfb5db0d03b3f5a990c7acf932c8eba8f185fa4666aefd07b86ab8e764

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8580833.exe
    Filesize

    620KB

    MD5

    3a984f073858b69a984baedc429c425d

    SHA1

    3ed46d75a97a76750cdf47a36f7c837ce60528a6

    SHA256

    48beec8b4d98bce278449701b46713f33dc5760f26a3ce02e93af556548613aa

    SHA512

    b0e9c1d613c0a5b6f3ea85c2746274c22179c31a9c7fabc3262a8cc0ba6d00267d9a58286ad11bb0c7c85270e3195396c3d318712ea185119a8f2782497cddf3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3989589.exe
    Filesize

    530KB

    MD5

    53d9a8baf935efb9bad19b8bf64b23c1

    SHA1

    616362d64bf8f76373885fe7a68427bc0949ba7d

    SHA256

    97bb3006d9b0d2f067bdc18eb2b0e0464f5b166c08c854e10d58732431b8763e

    SHA512

    e5ff592b5e691ec03505bf17ff71c9f210ae11491fdc18b34e04a251e44574c3b03a29edc6e5f8a41af6b891f7560bac2107a88ee1be4a5665f947a2b0647f0d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4952814.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • memory/704-49-0x0000000004B50000-0x0000000004C5A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/704-43-0x0000000000450000-0x0000000000480000-memory.dmp

    Filesize

    192KB

    Download

  • memory/704-47-0x0000000002050000-0x0000000002056000-memory.dmp

    Filesize

    24KB

    Download

  • memory/704-48-0x0000000005170000-0x0000000005788000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/704-50-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/704-51-0x0000000004B00000-0x0000000004B3C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/704-52-0x0000000004CC0000-0x0000000004D0C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1992-28-0x0000000000430000-0x000000000043A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3504-37-0x0000000000AC0000-0x0000000000ACA000-memory.dmp

    Filesize

    40KB

    Download