Analysis

  • max time kernel
    126s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-05-2024 18:26

General

  • Target

    b567e2a99fadbe5df72750afd38b655036141fe91ab1982084901d6855e1c6c5.exe

  • Size

    1.7MB

  • MD5

    48726ab44afa6b367798416a0a9ad7fd

  • SHA1

    ce93701961e083eb42672752ee274a00a3e1a658

  • SHA256

    b567e2a99fadbe5df72750afd38b655036141fe91ab1982084901d6855e1c6c5

  • SHA512

    03e8402e4f774dab2157c12264d157bac559a6f259d146b8bfd0592c880308607995e2bf7b53c5e61d1f9ad556601edc9d2b9b1bc9d833a101329c89cd9b8c42

  • SSDEEP

    24576:/yT8NOIybemiPHi+dlVXGZ1ph/GauSeqOBNUCLrQ17AGP9+kvHDvkjEvt4kxhlhs:KT8Tybe/DVXGPrxxg0Gra91vLD1x5

Malware Config

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Signatures

  • Detects Healer, an antivirus disabler dropper 3 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b567e2a99fadbe5df72750afd38b655036141fe91ab1982084901d6855e1c6c5.exe
    "C:\Users\Admin\AppData\Local\Temp\b567e2a99fadbe5df72750afd38b655036141fe91ab1982084901d6855e1c6c5.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2332
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3676714.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3676714.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3728
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4393292.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4393292.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3244
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7581476.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7581476.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1844
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4988471.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4988471.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1372
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2534508.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2534508.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1308
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4553836.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4553836.exe
          4⤵
          • Executes dropped EXE
          PID:1464
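The extracted RedLine config, the dropped-file hashes listed under Downloads and the nested IXP00N.TMP staging chain in the process tree above are the indicators a responder would want to hunt for in host telemetry. The script below is an added example, not part of the sandbox report: it turns those report values into a small matcher and runs it over constructed, Sysmon-like event records (the record field names, the Run key value name and the specific Windows Defender policy value names are assumptions; the report counts 12 Defender IoCs but does not list the values it saw).

```python
"""Hunt for the RedLine/Healer indicators from this report in host telemetry.

Added example, not part of the sandbox report. Event records below are constructed
in a simplified Sysmon-like shape; the field names are an assumption.
"""
from __future__ import annotations

import re

# Values taken verbatim from the report: extracted C2 and SHA256 of each dropped stage.
C2 = ("77.91.68.48", 19071)
DROPPED_SHA256 = {
    "a1ef65438e4a2438df921312be2b65e4f4c3c7ce79975e046e4b6404d8ab75a1": "v3676714.exe",
    "093bbca595f9f179335d27678fe6fcb25cb08d22c093849ef790abc3da10245a": "v4393292.exe",
    "d0cd9cfc33e4f832251048419212aff0f9a1a9a0bb5bb626b5ef2b010a53e8a6": "v7581476.exe",
    "83002e9175bfacfa1ec914ac38844260d00b690faa2b52a5bdd32a63232b718c": "a4988471.exe",
    "850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38": "b2534508.exe",
    "1660800bfffa705655117608f880fcda5409645459a11fffbf663dfda5d9d918": "c4553836.exe",
}

# IExpress-style self-extracting stages run from IXP000.TMP, IXP001.TMP, ... as in the process tree.
IXP_DIR = re.compile(r"\\IXP(\d{3})\.TMP\\", re.IGNORECASE)

# Defender policy key behind the "Modifies Windows Defender Real-time Protection settings"
# signature. The report does not name the values it saw; matching any Disable* value set
# to 1 under this key is an assumption about this sample, not something the page lists.
DEFENDER_RTP_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)


def check_event(ev: dict) -> list[str]:
    """Return human-readable hits for one event, or [] if it matches nothing."""
    hits: list[str] = []
    kind = ev.get("type")
    if kind == "process_create":
        digest = ev.get("sha256", "").lower()
        if digest in DROPPED_SHA256:
            hits.append(f"known dropped file {DROPPED_SHA256[digest]}")
        parent = IXP_DIR.search(ev.get("parent_image", ""))
        child = IXP_DIR.search(ev.get("image", ""))
        # A stage N binary launching a stage N+1 binary is the unpacking chain seen above.
        if parent and child and int(child.group(1)) == int(parent.group(1)) + 1:
            hits.append(f"nested SFX stage IXP{parent.group(1)} -> IXP{child.group(1)}")
    elif kind == "network_connect":
        if (ev.get("dst_ip"), ev.get("dst_port")) == C2:
            hits.append("connection to RedLine C2 %s:%d" % C2)
    elif kind == "registry_set":
        key = ev.get("key", "")
        value = ev.get("value", "")
        if key.lower().startswith(DEFENDER_RTP_KEY.lower()) and value.lower().startswith("disable") and ev.get("data") == 1:
            hits.append(f"Defender real-time protection tampering: {value}=1")
        elif RUN_KEY.search(key):
            hits.append(f"Run key persistence: {ev.get('data')}")
    return hits


def hunt(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run check_event over a list of events; return (index, hits) for every event that matched."""
    results = []
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample telemetry: two events mirror the report, the rest are benign noise.
SAMPLE_EVENTS = [
    {"type": "process_create",
     "image": r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4393292.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3676714.exe",
     "sha256": "093bbca595f9f179335d27678fe6fcb25cb08d22c093849ef790abc3da10245a"},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "sha256": "0" * 64},
    {"type": "network_connect", "dst_ip": "77.91.68.48", "dst_port": 19071},
    {"type": "network_connect", "dst_ip": "1.1.1.1", "dst_port": 443},
    {"type": "registry_set", "key": DEFENDER_RTP_KEY, "value": "DisableRealtimeMonitoring", "data": 1},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": "Updater", "data": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3676714.exe"},
]

if __name__ == "__main__":
    for idx, hits in hunt(SAMPLE_EVENTS):
        print(idx, "; ".join(hits))
```

Hash matching is the weakest of the four checks, since the dropped stages are repacked per campaign; the IXP chain, the C2 socket and Defender policy tampering survive repacking and are the rules worth keeping in a detection pipeline.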

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    T1543 Create or Modify System Process: 1
    T1543.003 Windows Service: 1
    T1547 Boot or Logon Autostart Execution: 1
    T1547.001 Registry Run Keys / Startup Folder: 1

  • Privilege Escalation
    T1543 Create or Modify System Process: 1
    T1543.003 Windows Service: 1
    T1547 Boot or Logon Autostart Execution: 1
    T1547.001 Registry Run Keys / Startup Folder: 1

  • Defense Evasion
    T1112 Modify Registry: 3
    T1562 Impair Defenses: 2
    T1562.001 Disable or Modify Tools: 2

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3676714.exe
    Filesize

    1.5MB

    MD5

    32f4cf8131e9fc74c4d7168856fc25bf

    SHA1

    91ad69566d15d609753bf460e473f1cb450768e5

    SHA256

    a1ef65438e4a2438df921312be2b65e4f4c3c7ce79975e046e4b6404d8ab75a1

    SHA512

    7b58a17168d21ada4551db4f7640b510d806dae709541c2b605e6fb8ba9573349adabe903d3cf36bcc2228f2b422b530a1a2cc9e63deb3754f358535d560af5d

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4393292.exe
    Filesize

    1.4MB

    MD5

    062f561c8a3d6662aee5199d57c96d7e

    SHA1

    67110402e1525dc59204b1955104ed7f3166cd65

    SHA256

    093bbca595f9f179335d27678fe6fcb25cb08d22c093849ef790abc3da10245a

    SHA512

    b2689d215eb8f3c3e6f5f15e788b623463ad275daf8a9986ceffb728c423fbfea0f2ded850df73cef537dc084d35284837a591f3a52b0070710e5a7bde4d8eb8

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4553836.exe
    Filesize

    1.7MB

    MD5

    40a2c1e0fe426012fb45a4a23e4f8466

    SHA1

    c8e3a5013932775f1a4d922befdbea2ea443ff2c

    SHA256

    1660800bfffa705655117608f880fcda5409645459a11fffbf663dfda5d9d918

    SHA512

    94f55e80039ca5db30e4d404b5989196bc0bc30f40bdc30d07ebafaa98e38767dd83d3dd248d3af01ffc46b626c7a7d7e2e59e2e23f406d0c1dd8ee2e2c3faa6

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7581476.exe
    Filesize

    655KB

    MD5

    a26238d202d8891b8c41ff825b824562

    SHA1

    72177137f475b1559aa5e5bd2cd16684e686b2aa

    SHA256

    d0cd9cfc33e4f832251048419212aff0f9a1a9a0bb5bb626b5ef2b010a53e8a6

    SHA512

    43c9a0b662bd180b9f612d63509c71fe54fb944680b6ad5b21ec3b0911a6a6ed5ae3acd0371f463cbb2f01ac78a0f23a028bdaf60e38dceaac9e2b20e1f420cc

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4988471.exe
    Filesize

    640KB

    MD5

    dc103ca98f7c49cb23c3f0cc68bc0eb7

    SHA1

    2daec3ebbbadbf4fa60cc7b28715b687b403c51d

    SHA256

    83002e9175bfacfa1ec914ac38844260d00b690faa2b52a5bdd32a63232b718c

    SHA512

    5a80575884414bd90dd16b16fe67f2eec1829a79f4b8cdc053b0fa69b8e9b4b4f7d95df0e979f37ba7ed48646c34fd11ff54c9eddec1870cf4c6efac05d6002c

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2534508.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

  • memory/1308-37-0x0000000000730000-0x000000000073A000-memory.dmp
    Filesize

    40KB

  • memory/1372-28-0x0000000000500000-0x000000000050A000-memory.dmp
    Filesize

    40KB

  • memory/1464-42-0x0000000000640000-0x0000000000670000-memory.dmp
    Filesize

    192KB

  • memory/1464-47-0x0000000004A60000-0x0000000004A66000-memory.dmp
    Filesize

    24KB

  • memory/1464-48-0x00000000051D0000-0x00000000057E8000-memory.dmp
    Filesize

    6.1MB

  • memory/1464-49-0x0000000004BC0000-0x0000000004CCA000-memory.dmp
    Filesize

    1.0MB

  • memory/1464-50-0x0000000004D00000-0x0000000004D12000-memory.dmp
    Filesize

    72KB

  • memory/1464-51-0x0000000004D20000-0x0000000004D5C000-memory.dmp
    Filesize

    240KB

  • memory/1464-52-0x0000000004DC0000-0x0000000004E0C000-memory.dmp
    Filesize

    304KB