Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/05/2024, 17:56

General

  • Target

    277f52adcffdae3b95ac4c1b928de6c4a507600023471054f5c9d34f3b852f94.exe

  • Size

    389KB

  • MD5

    be20e8d108cf9e94319678c0f61393d4

  • SHA1

    9ca7da9916d071095a2985ecb2408f24f9978453

  • SHA256

    277f52adcffdae3b95ac4c1b928de6c4a507600023471054f5c9d34f3b852f94

  • SHA512

    4a60a1bb61a320deabeeebb508685a024c2b6c1d065221bc5a2682a90193300899d49e355675b84293875486cd08e94d582c95df886ca3330bef74cb0921afca

  • SSDEEP

    6144:KPy+bnr+Lp0yN90QE9dx9l253NzJGHDRezddZ5ULvrGEf51/HmbTME:FMr7y90P25uFEnwrGEr/YT5

Malware Config

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Signatures

  • Detects Healer, an antivirus disabler dropper 2 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\277f52adcffdae3b95ac4c1b928de6c4a507600023471054f5c9d34f3b852f94.exe
    "C:\Users\Admin\AppData\Local\Temp\277f52adcffdae3b95ac4c1b928de6c4a507600023471054f5c9d34f3b852f94.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2568
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1369519.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1369519.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2164
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3758178.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3758178.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3172
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2710542.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2710542.exe
        3⤵
        • Executes dropped EXE
        PID:4788
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:5108

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1369519.exe

          Filesize

          206KB

          MD5

          f34c885bc0878d18d10ff2a2bcab37bf

          SHA1

          183ec4b6099090f5e12f2977855a5b8a47434b11

          SHA256

          bc0bd82e116a9895ebc746eb946211813684173fb091a3b5beb68d633d8f8ed7

          SHA512

          ac17cb90087c25fec2966c8ef59192b88d9ae2752d235af76a9b7e73900319750aef27becf5877f89560046b0c0cb43d2901cd501a032295f354fb2f7b27495d

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3758178.exe

          Filesize

          14KB

          MD5

          452bb0fa072d8b5b84e96b8135b88a33

          SHA1

          958d7ebe07651e7de76fa57dad744174a6948840

          SHA256

          e4864ebb7779217e5e02467385f0e1b64b27e1eda7c6ce12c81fa2ba5886d6af

          SHA512

          1f7f6066b5b8c076894aed53d85f46a9c643d41a5faebc84400437bcb797a9b220c70b75be4139c9213121c841e868f2677096bbd167f3f151d7b3152cbdad9b

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2710542.exe

          Filesize

          174KB

          MD5

          29d290bc7cf52245c18068dd18a2b56b

          SHA1

          80834b85700772615c39a38757267968e32f3240

          SHA256

          f66d99d19231a0f6abba5374f8916cdcb478e715c50f29d6e436e54ee0e2db44

          SHA512

          86e90ae7c792bbae7bba8f0ee029c71233e540d74f9786aa3c5f381d2394ce7aa72c5cd6045eb9410821e59ba201558da773fc14e267cff0ca09ccc4a5314bed

        • memory/3172-14-0x00007FFE245E3000-0x00007FFE245E5000-memory.dmp

          Filesize

          8KB

        • memory/3172-15-0x0000000000E80000-0x0000000000E8A000-memory.dmp

          Filesize

          40KB

        • memory/4788-20-0x00000000004D0000-0x0000000000500000-memory.dmp

          Filesize

          192KB

        • memory/4788-21-0x0000000002780000-0x0000000002786000-memory.dmp

          Filesize

          24KB

        • memory/4788-22-0x000000000A900000-0x000000000AF18000-memory.dmp

          Filesize

          6.1MB

        • memory/4788-23-0x000000000A480000-0x000000000A58A000-memory.dmp

          Filesize

          1.0MB

        • memory/4788-24-0x000000000A3C0000-0x000000000A3D2000-memory.dmp

          Filesize

          72KB

        • memory/4788-25-0x000000000A420000-0x000000000A45C000-memory.dmp

          Filesize

          240KB

        • memory/4788-26-0x00000000047D0000-0x000000000481C000-memory.dmp

          Filesize

          304KB