Overview

overview

10

Static

static

3

03cef1108b...25.exe

windows10-2004-x64

10

062bf5eda9...2b.exe

windows10-2004-x64

10

1c0cc29edf...ac.exe

windows10-2004-x64

10

1c46e1db34...f7.exe

windows10-2004-x64

10

20811d5e08...84.exe

windows10-2004-x64

10

28627b3333...c8.exe

windows10-2004-x64

10

437213eb4b...b5.exe

windows10-2004-x64

10

54a19d5a7a...d8.exe

windows10-2004-x64

10

6407653fb9...7c.exe

windows10-2004-x64

10

6dd993cade...4e.exe

windows10-2004-x64

10

764d92d88b...5f.exe

windows10-2004-x64

10

9c51d813e0...74.exe

windows7-x64

3

9c51d813e0...74.exe

windows10-2004-x64

10

b813f799e9...17.exe

windows10-2004-x64

10

bc2ed7f926...f9.exe

windows10-2004-x64

10

c1a9af1ad6...d5.exe

windows10-2004-x64

10

cf90d774fa...01.exe

windows10-2004-x64

10

e65fa29126...d8.exe

windows10-2004-x64

10

e81854abc9...1a.exe

windows10-2004-x64

10

ed835b70d5...6c.exe

windows10-2004-x64

10

f48c36cb91...ef.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 18:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bc2ed7f9261c39ac6c835adcdf9ff7f4b70696ce459a50a2645194f5597507f9.exe

  • Size

    1.2MB

  • MD5

    23f4a44c0cc77486d90c2b5d3db5dfd7

  • SHA1

    7c42f90496bc5d268c92f2c07846c32b7f7513f8

  • SHA256

    bc2ed7f9261c39ac6c835adcdf9ff7f4b70696ce459a50a2645194f5597507f9

  • SHA512

    f4dc5891381f139f01e073b20d0c2c311633eba3cf92b045a739413083a17934f1201b56a48a444325e26b5827077a6ca79bc8aa7a7b3f7fb4e3c855fc222527

  • SSDEEP

    24576:My3sw5khZLecoTZ5TlNzhW4hXNcWCz4YPrwk3iRkrIoDb9nBziioUiDfy:7YhZmTTTlBMmXWt4C1kyhQ37

Score
10/10
healerredlinelampdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc2ed7f9261c39ac6c835adcdf9ff7f4b70696ce459a50a2645194f5597507f9.exe
    "C:\Users\Admin\AppData\Local\Temp\bc2ed7f9261c39ac6c835adcdf9ff7f4b70696ce459a50a2645194f5597507f9.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:684
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0354038.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0354038.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2892
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6703930.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6703930.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2936
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7884749.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7884749.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:3848
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0577172.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0577172.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:4964
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9890667.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9890667.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:928
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1518794.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1518794.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3532
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1251968.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1251968.exe
            5⤵
            • Executes dropped EXE
            PID:2172

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

3
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0354038.exe
    Filesize

    1.0MB

    MD5

    92e86d78d4350887640aaeeb5e7c3425

    SHA1

    d0d8bdc560dad3ac4a84b652726fa63165c04d13

    SHA256

    9e4df12d224fdc7667d06cf88a1905f94ae5fdfd27a13b61324fc0331b22d184

    SHA512

    7a95708827257d4b74862cc40f7c907e361bf1c26ed7db03f3d98a3248fb47a9561b1778626354bbbc5adcb6bbf5b58cc3a51d0cf48d812885fd63016fd55d4b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6703930.exe
    Filesize

    907KB

    MD5

    8d4c8d0b1f299cc81343137775122dec

    SHA1

    92bf8571f82db7b3bcb281d5ab80530e5e60e9d9

    SHA256

    74dfba8da94d0f048336d8eec0a3110a4be3f0b896c981ac34af9c35297d8522

    SHA512

    802f3c84faa4021a8fc7b8ecffd9f70b657246d9e566bdb4ffbc717bf827d3cedd5bb31c9d219f3f6a7115147d42ddfa2b52f1875dd23eb216b8fcd99a7afa7c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7884749.exe
    Filesize

    723KB

    MD5

    db3ef61c2c9c99656329b695b68ffd39

    SHA1

    4b594f448eb1ab8b4c0984db0b4e921a12e0551c

    SHA256

    766828940f20ed4e5a0feb58c5f264aaa5f4050b68da0335bbbb7d9073d96de6

    SHA512

    81f7c478b412db1bb9e1a693566a64eb61b76f85a2fd70d9cb21d1205067192b591e1a1ce37240fe86048f3f1578f6ee7f44e4bcb1bc6cb14fd02c681244f4a7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1251968.exe
    Filesize

    493KB

    MD5

    9aee504b815fef2bfe0ce1b11a601fcb

    SHA1

    62b23efee83d87063fdd0b1d62acc67021b230ee

    SHA256

    8b1f80f97032002f7b6a451ebf1922d4df8d81ed2995bdc82e7da19b4ae28598

    SHA512

    2bf36835f5b4619eb982313d85db2410adb98e2cb566b6ecbc42e017c038ba1ea2919883f8802804d8e56c881804a92034dacda6d4630a4d12c5f8f5ab5ee2bb

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0577172.exe
    Filesize

    324KB

    MD5

    49ca4635866912230c077d2b1fe0cc2b

    SHA1

    c4f544dddff8df94353625657ff7a5254b70ef82

    SHA256

    15547ab2ac86255c8c1678e626e57777317237a9813e287c7739decf5a58195f

    SHA512

    87ed81100bdd3071ef93b89ce863a22475ab4eae6ddf5181e7472cf398c52e8f6103ea356af6186ac9aa805252204ca8b854c1c7d0253a46e3a18e5d69c75267

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9890667.exe
    Filesize

    294KB

    MD5

    81e48785f5bdd376bd6544827f5c4572

    SHA1

    5877519fb94e20ba97102d0bf51614e8a1badac8

    SHA256

    73d04daa6938538edc7c960bdbc34083c580c611d77a05689ee440fb708e1730

    SHA512

    d5b276128acb072717ec6e133bba9d0f92eed651244663cf35add8f532747d182c19e73e12635c2413b87dfe984f2789722eb5ceb46ed0f0d7bd969622faaa20

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1518794.exe
    Filesize

    11KB

    MD5

    3ac1b24465f4e57bc71bd5cffac8250b

    SHA1

    c8f45bd1dae58b1b2245198b67cb2fa1e3b6d09c

    SHA256

    406657aaf7b8938aa5db2bff065067fd426907275f7164414bf6e93dc5a26853

    SHA512

    f6653af6ee91930162954b1e4c936a04acc298ad590a9b8411dd6568a44253ca9596863087b90d89cf8b378445e63c4fafa9d6e3ac38f13ff76a9fef6070a1b2

    Download Submit
  • memory/928-37-0x0000000000580000-0x00000000005BE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/928-41-0x0000000000580000-0x00000000005BE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/928-42-0x0000000002530000-0x0000000002531000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2172-54-0x0000000002030000-0x00000000020BC000-memory.dmp
    Filesize

    560KB

    Download
  • memory/2172-60-0x0000000002030000-0x00000000020BC000-memory.dmp
    Filesize

    560KB

    Download
  • memory/2172-62-0x00000000023F0000-0x00000000023F6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/2172-63-0x0000000006CF0000-0x0000000007308000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/2172-64-0x0000000007310000-0x000000000741A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/2172-65-0x0000000006A90000-0x0000000006AA2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2172-66-0x0000000006AB0000-0x0000000006AEC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/2172-67-0x0000000006B40000-0x0000000006B8C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/3532-48-0x0000000000450000-0x000000000045A000-memory.dmp
    Filesize

    40KB

    Download