Analysis

  • max time kernel
    161s
  • max time network
    177s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-05-2024 13:19

General

  • Target

    61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b.exe

  • Size

    1.6MB

  • MD5

    2f1c41adf7b880f2e9f9b1b0286a143b

  • SHA1

    606acc7a67ec4f0241b3850a1b0ce2241774c9de

  • SHA256

    61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b

  • SHA512

    c1b593f1e6600aa2124262f90c0a1ad77f46dc1e87ce836c1d9bf2160352d974f5cbff78100bc7c380071b3de8d0ef3cd653423efa26e73c005beb59a6fa0596

  • SSDEEP

    24576:gye1lDVXnpy0e+JaxMbVa2H2t2BCl1EDD9uh4iVtjGE0Nx:nEneZxoDH42BClumNVL0N

Malware Config

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b.exe
    "C:\Users\Admin\AppData\Local\Temp\61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3964
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7479313.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7479313.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1928
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7958004.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7958004.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4084
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2151231.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2151231.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2268
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1164
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2100
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8826700.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8826700.exe
          4⤵
          • Executes dropped EXE
          PID:2500
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3976 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:884

    Network

    MITRE ATT&CK Matrix (ATT&CK v13)

    Persistence
      • Create or Modify System Process, T1543 (1)
      • Windows Service, T1543.003 (1)
      • Boot or Logon Autostart Execution, T1547 (1)
      • Registry Run Keys / Startup Folder, T1547.001 (1)

    Privilege Escalation
      • Create or Modify System Process, T1543 (1)
      • Windows Service, T1543.003 (1)
      • Boot or Logon Autostart Execution, T1547 (1)
      • Registry Run Keys / Startup Folder, T1547.001 (1)

    Defense Evasion
      • Modify Registry, T1112 (3)
      • Impair Defenses, T1562 (2)
      • Disable or Modify Tools, T1562.001 (2)

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
      Filesize

      226B

      MD5

      916851e072fbabc4796d8916c5131092

      SHA1

      d48a602229a690c512d5fdaf4c8d77547a88e7a2

      SHA256

      7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

      SHA512

      07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7479313.exe
      Filesize

      1.4MB

      MD5

      f322468f7b64cecefaf9a0f0faccce20

      SHA1

      3d70724ebe7a280468c06cec4aeff4723eb530be

      SHA256

      d0d0aa49f6e37875f9b5dd0f21ab7ea9a9a366ff47cf69e224a1aa6e5089a24c

      SHA512

      b73f96b0eae3a1ca5da4a964cf56c7a991e5d30796a0f56bd6729dd4dfe542ed1053b7e0d3284bac2d5a1c7e646002fdf11866c094543e2e94847a9ed16b1fff

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7958004.exe
      Filesize

      1.3MB

      MD5

      208b54dec1def07b191289f2f777b350

      SHA1

      10bf86ca447e4aa9d59a244824788350d4b4f071

      SHA256

      09b9055edb7d51a08a4b7a7b2ee1d982379fff43c34637084fdd32a412a20974

      SHA512

      06ebe2071211a221f939aa666849012f4d6e1b7855ff8e0df4bda2c0fe1430b564ad1d4209b945cfead695f1503a2dc57af84fae7bd1cf62e71691184a772b2e

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8826700.exe
      Filesize

      729KB

      MD5

      066240575f50b7f5987e95a3be5d62dc

      SHA1

      3edf9ff59b4ee474b5d828763d9c4df55bd51179

      SHA256

      5d78ef153cc6b04717c89d059e6b2c6200834f3945d6e762603d53c118bddfd5

      SHA512

      702b9df12dcfb2038eb71e0286f1c6d036df628fee3b9c44b295bf5089ce07c88fd70ac44091eb092c941217a7437210ff792190706568d8608f3a689450d76c

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2151231.exe
      Filesize

      638KB

      MD5

      4b1a2d09d57bf0b2fc99d5da960562d5

      SHA1

      d72c7391e795ee360ad860d870d03c58372e5d19

      SHA256

      df3d2938bcbf97d8977a8fe236a2471d529e1b484ba5090635dc3fec80b7b8e3

      SHA512

      4a69463ab5fcb25140b9ce4fece0c2d0e7c3d2827d7d2addc26a38a8c9aeb1787837ade0084c578c46efa2d4b3c98b4fc0b645334796d40d2a73ea4e55d28684

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe
      Filesize

      568KB

      MD5

      ae98a36da0e47b966ed93d845206ce38

      SHA1

      1ea9b655c02f2073c92e4a010c25a2c5bcad1ed8

      SHA256

      1c262ccffb16c31cdf0cc414038a3da52f58e209027e5a915f3b6e40be5d3bee

      SHA512

      975b325fdd9cf5f47778742bf53b10a2903caace94b69d59a16c7c8ade15e8bd7d29ed372269bdde0bf76ac8898771601549f993e69c9801ffc11da4168cb1dc

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    • memory/1164-28-0x0000000000430000-0x000000000043A000-memory.dmp
      Filesize

      40KB

    • memory/2100-37-0x0000000000800000-0x000000000080A000-memory.dmp
      Filesize

      40KB

    • memory/2500-42-0x0000000000490000-0x00000000004C0000-memory.dmp
      Filesize

      192KB

    • memory/2500-47-0x0000000002510000-0x0000000002516000-memory.dmp
      Filesize

      24KB