Overview

overview

10

Static

static

3

0cc30df7f6...35.exe

windows10-2004-x64

10

1208df4133...ab.exe

windows10-2004-x64

10

2d6ce3858d...b0.exe

windows7-x64

3

2d6ce3858d...b0.exe

windows10-2004-x64

10

3a484bb7d4...29.exe

windows10-2004-x64

10

3e36cb02ee...9a.exe

windows10-2004-x64

10

3f3ae36481...68.exe

windows7-x64

1

3f3ae36481...68.exe

windows10-2004-x64

1

4be1f370e8...6b.exe

windows7-x64

3

4be1f370e8...6b.exe

windows10-2004-x64

10

54ca5c456c...76.exe

windows10-2004-x64

10

6aa8d5d0d6...df.exe

windows10-2004-x64

10

8db6f54494...1f.exe

windows10-2004-x64

10

b07c30e9c2...0f.exe

windows10-2004-x64

10

b62068be50...da.exe

windows10-2004-x64

10

c1c526ed2a...52.exe

windows10-2004-x64

10

cd9de412cd...04.exe

windows7-x64

10

cd9de412cd...04.exe

windows10-2004-x64

10

dce60a71ca...cc.exe

windows10-2004-x64

e25842dbe6...9e.exe

windows10-2004-x64

10

f358ce518b...e2.exe

windows10-2004-x64

9

f5bf417643...17.exe

windows7-x64

3

f5bf417643...17.exe

windows10-2004-x64

10

f6dc0b4c65...d6.exe

windows10-2004-x64

10

f8dfa98c4e...be.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 18:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b62068be50129166f539eb32a63746c4245a497e9b72553efdf326582cc5f4da.exe

  • Size

    922KB

  • MD5

    d86f13a3db074ef7115f9b305cdf356d

  • SHA1

    d0f7e04a160f577a0fc1f2855d4b2a75705f6a15

  • SHA256

    b62068be50129166f539eb32a63746c4245a497e9b72553efdf326582cc5f4da

  • SHA512

    95d1cf4a6a8fc9aa0fcb81bacd78051ef8d06a27bca3e27053283006d9052e6a6329fb0cb5625c6cd9298760d379d043ae18dfbf9c55be002a23f8b7a33107b6

  • SSDEEP

    24576:ayCGAwe+RYdJNjQiVFX9ZD9I21pB3C8MMdMxeoG:hCUe+R4JNUilZDH/3MkMxF

Score
10/10
healerredlinelampdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b62068be50129166f539eb32a63746c4245a497e9b72553efdf326582cc5f4da.exe
    "C:\Users\Admin\AppData\Local\Temp\b62068be50129166f539eb32a63746c4245a497e9b72553efdf326582cc5f4da.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9692635.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9692635.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4528
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3323169.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3323169.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:116
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k9636493.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k9636493.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3364
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2428945.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2428945.exe
          4⤵
          • Executes dropped EXE
          PID:4984

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

3
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9692635.exe
    Filesize

    767KB

    MD5

    1281cd1a4b74c86c1c542e2ba8a056c0

    SHA1

    9f8c5844c9dd0d4351eae1d558fbb16616b9f65b

    SHA256

    7a27e308a04b0e6f412b5846d1b183a6f7edfefb553e7e406991f2d3a73da460

    SHA512

    b205061159f7b7b1b89f0b15677b03a0eb8e95bb359ed89a52ab1187f537c90bff2d7bfd4c591eccb811928b00ce2e1c60303308cf605d3cc1df448158d3e24a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3323169.exe
    Filesize

    583KB

    MD5

    b1595834e5c33b6fd26cca820121d750

    SHA1

    6c8fe5e94b414f7c9504a7ebd9e7e8ebaf555caa

    SHA256

    8452b1d7e654498a2b5d6fa12d32246c2f593c6a1ceb56f080c1657122e13f42

    SHA512

    4cbab776321bc8366f3476312d1762f53475c7afeda8e84e80af0ca70a8e655896bec85bf26f44272aaec9b2f82c680904986c266e567ba182de2b70643e1218

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k9636493.exe
    Filesize

    295KB

    MD5

    29bc6053fb6e105a20025dfea11d0395

    SHA1

    89dfc239626bf5c21418e484ac5ddad9822c78cf

    SHA256

    1893857d3db2b3406063281bc8bfa14df8ab57b4211721f7e75d2224088716f9

    SHA512

    7d50bc98cfa13c41b51cd47e21c9ed2d1da58f2960212f694b03c645be8351c4409657f2b8ab6f85a97f814e9ff1bb6555abdc80342c26b8ea1b9e18378304e2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2428945.exe
    Filesize

    492KB

    MD5

    67775affc2dfa05c6ed2f9130a99a130

    SHA1

    456681dbe191a1e743aa3bebbc4020896a18574a

    SHA256

    d3d80e1e81d98f242f792fadd7be21beae90d3c9e6c5ca3ed86cbf3cd5fd7cc2

    SHA512

    b94d2038935a53d572bb7bdac21bb357e4f4642ec0ea4ebbda6a3cb6fc2abb44ff67e02de2dda22420b4ab9ccc37cd041dad54fdd2ff44c67cc431c77ae279de

    Download Submit
  • memory/3364-21-0x0000000000490000-0x00000000004CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/3364-27-0x0000000000401000-0x0000000000404000-memory.dmp
    Filesize

    12KB

    Download
  • memory/3364-29-0x0000000004A80000-0x0000000004A81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3364-28-0x0000000000490000-0x00000000004CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4984-36-0x0000000000610000-0x000000000069C000-memory.dmp
    Filesize

    560KB

    Download
  • memory/4984-42-0x0000000000610000-0x000000000069C000-memory.dmp
    Filesize

    560KB

    Download
  • memory/4984-44-0x00000000043E0000-0x00000000043E6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/4984-45-0x00000000086E0000-0x0000000008CF8000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/4984-46-0x00000000080C0000-0x00000000081CA000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4984-47-0x00000000081F0000-0x0000000008202000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4984-48-0x0000000008210000-0x000000000824C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/4984-49-0x0000000005B30000-0x0000000005B7C000-memory.dmp
    Filesize

    304KB

    Download