Overview

overview

10

Static

static

3

00dc3a43dd...78.exe

windows10-2004-x64

10

1b26ae68f4...45.exe

windows10-2004-x64

10

277f52adcf...94.exe

windows10-2004-x64

10

32df5b0360...59.exe

windows10-2004-x64

10

3d03f2fde9...00.exe

windows10-2004-x64

10

50be51fdd5...4b.exe

windows10-2004-x64

10

53b6f1fa7f...02.exe

windows7-x64

10

53b6f1fa7f...02.exe

windows10-2004-x64

10

6286d393c9...52.exe

windows7-x64

3

6286d393c9...52.exe

windows10-2004-x64

10

6547f1c95b...de.exe

windows10-2004-x64

10

6c066f3c43...19.exe

windows10-2004-x64

10

6fca9c5ffc...25.exe

windows10-2004-x64

10

9a3f5d3f84...b2.exe

windows10-2004-x64

10

ae66f2f071...07.exe

windows10-2004-x64

10

b11b1b57a3...06.exe

windows10-2004-x64

10

b7da28873d...d0.exe

windows10-2004-x64

10

d49a64853d...65.exe

windows7-x64

3

d49a64853d...65.exe

windows10-2004-x64

10

d599ef82af...3c.exe

windows10-2004-x64

10

d7873c75af...a3.exe

windows10-2004-x64

10

db2419395b...f8.exe

windows10-2004-x64

10

e7b8d2cb79...0b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 17:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6c066f3c43054e87d83f1b9983162f080d1fb4f01c5d81ac389dad5406dc5119.exe

  • Size

    1.5MB

  • MD5

    b6bd0fe9e2f14162d22a601e59a1740b

  • SHA1

    5a60ae626817e3638caca0fc80ad9a8200357e52

  • SHA256

    6c066f3c43054e87d83f1b9983162f080d1fb4f01c5d81ac389dad5406dc5119

  • SHA512

    af2f072c83766dc801720af1f3a94dca12035b46b3a038a4df7afecfb85021020f25b2f4827bcba7d6109176631730e0527772b37946564a40d6dc9ea92ae8d0

  • SSDEEP

    24576:GygAJsoOr2n6P8VRrbjJJ+XODPh25hMojCFMQsEtJoFs/dboavD3ZCzY2:VgABQ+6kpcoh2MntHdbJvD3ZCz

Score
10/10
healerredlinemashadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c066f3c43054e87d83f1b9983162f080d1fb4f01c5d81ac389dad5406dc5119.exe
    "C:\Users\Admin\AppData\Local\Temp\6c066f3c43054e87d83f1b9983162f080d1fb4f01c5d81ac389dad5406dc5119.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1296
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3594017.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3594017.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:904
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6910325.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6910325.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:908
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7180197.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7180197.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:3464
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8123398.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8123398.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1036
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6245387.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6245387.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5016
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2489469.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2489469.exe
          4⤵
          • Executes dropped EXE
          PID:4824

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3594017.exe
    Filesize

    1.4MB

    MD5

    6dcf605b283d99f56267f2b456b144b0

    SHA1

    07c2968c300b767ea952dfa70766de0f5e0a01e4

    SHA256

    338a566494a7bec1e3b1a3402a6411cdce4f6b9a43f91cf635b6e623e841b0b2

    SHA512

    19db68dbdb0a91825cecd2cc95dff3c4b6ea4e7bda9bd5133a8659889278e2050e52a19c7b2e3c92f3141ed5c0f01218b274b84b34750fb8f184dd1018d7f6ff

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6910325.exe
    Filesize

    1.2MB

    MD5

    4b8bec8c7d90c10a6c3a4206cd0daacd

    SHA1

    3ee5c267c9f1941a77df3fe9f7496ee317c9b946

    SHA256

    5bbd2b8698ae1d319de29643dedf3409bb9dd36465d0819a5ee0f8d2bc699dc3

    SHA512

    21541e4b32b87567499a5630950c46d3cdb93daa1cd56bfff2fb510b3df2d1483973a183a4a7cdbd5f966f5af043999eb70b5fc41d47e6af2e743884062ffe74

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2489469.exe
    Filesize

    692KB

    MD5

    e6cd29bf585e04ccee606ec312366e6e

    SHA1

    6ce37e0bce59a8902615918436a0e9f8771aedab

    SHA256

    0c52bae0af3af62e8abfeb1f39bef2518d59a00d62e3b0f8a3617f1b934192bf

    SHA512

    02258ada9982d2553c99abd3d8ecf5322aadfaceaa09373bd77029a43f743a55992206cc9d16394a112ef989a24bd96ba50cbaa0ec9557f207f8d42207c60100

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7180197.exe
    Filesize

    620KB

    MD5

    b16e4a16f725f2433e720ce4e53b11c3

    SHA1

    d0ce61897edd0987c07973f8528843657059e1c7

    SHA256

    5cd250f298fde835d29a5626f9f04885e6ab5d2038524b54c17418a7803aa4ed

    SHA512

    805c1a61ca8023438f695bf72c69cf6e7eca12f0378ad7cf429607481da678c53eaea9bf0849505e493e83fbcab61abc240320f9d10d0633eb9c046a63e0fc03

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8123398.exe
    Filesize

    530KB

    MD5

    168857576903636965cac80e95ea7283

    SHA1

    96d8cac6e77c26e6eb0f998486ab5fa944dcefd6

    SHA256

    929f8a773b6bd8b411cc67be1d2d091486dc07b342b953778f3bb11296e04013

    SHA512

    61af83f8484c30e950c940eba5cb112f3981ad408c8133d50a321e1239b16ebb0e031b8d683437386baf925734a103a76b904cdf1a8bff0090a144199df07ab4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6245387.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • memory/1036-28-0x0000000000420000-0x000000000042A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4824-42-0x0000000000540000-0x0000000000570000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4824-47-0x0000000002060000-0x0000000002066000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4824-48-0x0000000004C20000-0x0000000005238000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4824-49-0x0000000005240000-0x000000000534A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4824-50-0x0000000005360000-0x0000000005372000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4824-51-0x0000000005380000-0x00000000053BC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4824-52-0x0000000005420000-0x000000000546C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/5016-37-0x0000000000C00000-0x0000000000C0A000-memory.dmp

    Filesize

    40KB

    Download