Analysis

  • max time kernel
    142s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/05/2024, 18:07 UTC

General

  • Target: b07c30e9c2f5b9fe74bfb66f2c8682edde02cb68cd4e8a75976cca328e48e60f.exe
  • Size: 925KB
  • MD5: dd93ee60c259b6d6649066385f4244ee
  • SHA1: d07a767c2cc5a3f4e22536f80cd5403d48e79f31
  • SHA256: b07c30e9c2f5b9fe74bfb66f2c8682edde02cb68cd4e8a75976cca328e48e60f
  • SHA512: 77da63cbd5f5c49e42b7c8d31388ce5a5f310ab7435e9200ad94f74339d371dd8e4100c1de2700f908c44f849e293b4ae80d8354c03e9c20ab5057df4d2d126f
  • SSDEEP: 24576:jyvRZtvqBOv+fxZ0j5MqJu/2vUx4SoSoG:2vXtCVxZ06qg/lX

Malware Config

Extracted

  • Family: redline
  • Botnet: lamp
  • C2: 77.91.68.56:19071
  • Attributes
    auth_value: ee1df63bcdbe3de70f52810d94eaff7d

Signatures

  • Detects Healer, an antivirus disabler dropper (1 IoC)
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings (3 TTPs, 6 IoCs)
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload (2 IoCs)
  • Executes dropped EXE (4 IoCs)
  • Windows security modification (2 TTPs, 2 IoCs)
  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\b07c30e9c2f5b9fe74bfb66f2c8682edde02cb68cd4e8a75976cca328e48e60f.exe
    "C:\Users\Admin\AppData\Local\Temp\b07c30e9c2f5b9fe74bfb66f2c8682edde02cb68cd4e8a75976cca328e48e60f.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2482363.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2482363.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5282091.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5282091.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:220
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4201526.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4201526.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4364
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6091152.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6091152.exe
          4⤵
          • Executes dropped EXE
          PID:4644
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4244,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8
    1⤵
      PID:4072

    Network

    • DNS 8.8.8.8.in-addr.arpa
      Remote address: 8.8.8.8:53
      Request: 8.8.8.8.in-addr.arpa IN PTR
      Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
    • DNS 71.31.126.40.in-addr.arpa
      Remote address: 8.8.8.8:53
      Request: 71.31.126.40.in-addr.arpa IN PTR
      Response: (empty)
    • DNS 240.221.184.93.in-addr.arpa
      Remote address: 8.8.8.8:53
      Request: 240.221.184.93.in-addr.arpa IN PTR
      Response: (empty)
    • DNS 88.156.103.20.in-addr.arpa
      Remote address: 8.8.8.8:53
      Request: 88.156.103.20.in-addr.arpa IN PTR
      Response: (empty)
    • GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
      Remote address: 88.221.83.203:443
      Request:
        GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
        host: www.bing.com
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response:
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-type: image/png
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        content-length: 1107
        date: Thu, 09 May 2024 18:08:08 GMT
        alt-svc: h3=":443"; ma=93600
        x-cdn-traceid: 0.c753dd58.1715278088.966dbbd
    • DNS 203.83.221.88.in-addr.arpa
      Remote address: 8.8.8.8:53
      Request: 203.83.221.88.in-addr.arpa IN PTR
      Response: 203.83.221.88.in-addr.arpa IN PTR a88-221-83-203.deploy.static.akamaitechnologies.com
    • DNS 50.23.12.20.in-addr.arpa
      Remote address: 8.8.8.8:53
      Request: 50.23.12.20.in-addr.arpa IN PTR
      Response: (empty)
    • DNS 198.187.3.20.in-addr.arpa
      Remote address: 8.8.8.8:53
      Request: 198.187.3.20.in-addr.arpa IN PTR
      Response: (empty)
    • DNS 31.121.18.2.in-addr.arpa
      Remote address: 8.8.8.8:53
      Request: 31.121.18.2.in-addr.arpa IN PTR
      Response: 31.121.18.2.in-addr.arpa IN PTR a2-18-121-31.deploy.static.akamaitechnologies.com
    • DNS 31.243.111.52.in-addr.arpa
      Remote address: 8.8.8.8:53
      Request: 31.243.111.52.in-addr.arpa IN PTR
      Response: (empty)
    • DNS 79.190.18.2.in-addr.arpa
      Remote address: 8.8.8.8:53
      Request: 79.190.18.2.in-addr.arpa IN PTR
      Response: 79.190.18.2.in-addr.arpa IN PTR a2-18-190-79.deploy.static.akamaitechnologies.com
    • 88.221.83.203:443
      https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
      tls, http2
      1.4kB
      6.4kB
      16
      12
      HTTP Request: GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
      HTTP Response: 200
    • 77.91.68.56:19071
      l6091152.exe
      260 B
      5
    • 77.91.68.56:19071
      l6091152.exe
      260 B
      5
    • 77.91.68.56:19071
      l6091152.exe
      260 B
      5
    • 77.91.68.56:19071
      l6091152.exe
      260 B
      5
    • 77.91.68.56:19071
      l6091152.exe
      260 B
      5
    • 77.91.68.56:19071
      l6091152.exe
      208 B
      4
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
      90 B
      1
      1
      DNS Request: 8.8.8.8.in-addr.arpa
    • 8.8.8.8:53
      71.31.126.40.in-addr.arpa
      dns
      71 B
      157 B
      1
      1
      DNS Request: 71.31.126.40.in-addr.arpa
    • 8.8.8.8:53
      240.221.184.93.in-addr.arpa
      dns
      73 B
      144 B
      1
      1
      DNS Request: 240.221.184.93.in-addr.arpa
    • 8.8.8.8:53
      88.156.103.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1
      DNS Request: 88.156.103.20.in-addr.arpa
    • 8.8.8.8:53
      203.83.221.88.in-addr.arpa
      dns
      72 B
      137 B
      1
      1
      DNS Request: 203.83.221.88.in-addr.arpa
    • 8.8.8.8:53
      50.23.12.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1
      DNS Request: 50.23.12.20.in-addr.arpa
    • 8.8.8.8:53
      198.187.3.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1
      DNS Request: 198.187.3.20.in-addr.arpa
    • 8.8.8.8:53
      31.121.18.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1
      DNS Request: 31.121.18.2.in-addr.arpa
    • 8.8.8.8:53
      31.243.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1
      DNS Request: 31.243.111.52.in-addr.arpa
    • 8.8.8.8:53
      79.190.18.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1
      DNS Request: 79.190.18.2.in-addr.arpa

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
      Filesize: 226B
      MD5: 916851e072fbabc4796d8916c5131092
      SHA1: d48a602229a690c512d5fdaf4c8d77547a88e7a2
      SHA256: 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
      SHA512: 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2482363.exe
      Filesize: 769KB
      MD5: 672bff291b38885617823399ef70b555
      SHA1: 4a7f60f83e53a7da12068d50e8e0a92c4633f187
      SHA256: b536b905629c03cb86e63c1bf94b1cbf8a7a792df24d4904c4918e64d7c18fec
      SHA512: 167ecae7df2a247e326c6bb329953b19e41b2cff7e730e11a3f6fabf1aefb6c119f1cf2495388dec0961328c2e7b585b0b01b4ccc9ed32f6f206c56d08afb769
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5282091.exe
      Filesize: 585KB
      MD5: b33a2914d46d878780b909b6f1c9e28a
      SHA1: 37365cb918168c76217112923047b8cb5fce24ff
      SHA256: cd76d29e86c9061251c4db66dd62b6e9721e8f333e800e7b3e8dd3ab7f23384b
      SHA512: 1c42a950e9b4ad4c63d07b2da343cb273057337d379f38bbd7914de31b8a527b2c7b0bc9fe07a2096fd4726ca88a3c1df2e2e7a7d2a643b24f84aff32325ee49
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4201526.exe
      Filesize: 295KB
      MD5: 09eec7f364a56ec5491caf643ad17697
      SHA1: 6b1d0a4ca9ed4ced105e7eec6dfc2a7d3e65d415
      SHA256: 3c95a536651751d027c53005524d9d580917f52e4c0a0c30fac8f6fd55279cf3
      SHA512: 4f97ae75bdbac6f2c52c8189c31ee3b80c6991a15b017f0a5aac6feebe83c6505fefaf0d79c980f967bd5efec7c35961d30e50ddb19969a05be8aec5cdbbb1a0
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6091152.exe
      Filesize: 493KB
      MD5: dc11c027caa1f3eca389e929921e4a1a
      SHA1: 7bc540dbfa7367f8c7e1761c4de6cb110aceda76
      SHA256: cc338e14b24d1832ff2badca78ba12388cc65b05124b525e95080c969e805966
      SHA512: b1153e9eecbf5bdae7093fc472f331f0c71aedeee8072fc54b9657986d42a5a653e88a8712fa9230bdf1bc516ff630e5c1c791ab41ed822b6592ff60103c5105
    • memory/4364-21-0x0000000000570000-0x00000000005AE000-memory.dmp
      Filesize: 248KB
    • memory/4364-27-0x0000000000401000-0x0000000000404000-memory.dmp
      Filesize: 12KB
    • memory/4364-28-0x0000000000570000-0x00000000005AE000-memory.dmp
      Filesize: 248KB
    • memory/4364-29-0x0000000002330000-0x0000000002331000-memory.dmp
      Filesize: 4KB
    • memory/4644-36-0x0000000002040000-0x00000000020CC000-memory.dmp
      Filesize: 560KB
    • memory/4644-42-0x0000000002040000-0x00000000020CC000-memory.dmp
      Filesize: 560KB
    • memory/4644-44-0x00000000022D0000-0x00000000022D6000-memory.dmp
      Filesize: 24KB
    • memory/4644-45-0x0000000005E30000-0x0000000006448000-memory.dmp
      Filesize: 6.1MB
    • memory/4644-46-0x0000000004A90000-0x0000000004B9A000-memory.dmp
      Filesize: 1.0MB
    • memory/4644-47-0x0000000006470000-0x0000000006482000-memory.dmp
      Filesize: 72KB
    • memory/4644-48-0x0000000006490000-0x00000000064CC000-memory.dmp
      Filesize: 240KB
    • memory/4644-49-0x0000000006500000-0x000000000654C000-memory.dmp
      Filesize: 304KB
