Overview

overview

10

Static

static

7

05b48b2909...29.exe

windows10-2004-x64

10

143e14de3a...c5.exe

windows10-2004-x64

10

2c899ff55c...31.exe

windows10-2004-x64

10

2e0a9b6a39...9b.exe

windows10-2004-x64

10

4250b0250d...ee.exe

windows10-2004-x64

10

464a716862...38.exe

windows10-2004-x64

10

4d09936a4a...bf.exe

windows10-2004-x64

10

59c1607382...01.exe

windows10-2004-x64

10

61f1416a77...2b.exe

windows10-2004-x64

10

68ca177d42...f8.exe

windows7-x64

7

68ca177d42...f8.exe

windows10-2004-x64

7

6ba0db3b66...b3.exe

windows10-2004-x64

10

8b549a8688...5b.exe

windows10-2004-x64

10

a8dffd83e4...8a.exe

windows10-2004-x64

7

b6b53c7022...c9.exe

windows10-2004-x64

10

ccc5c313f4...94.exe

windows10-2004-x64

10

e04ecd64b5...1b.exe

windows7-x64

3

e04ecd64b5...1b.exe

windows10-2004-x64

10

e38bd93e74...28.exe

windows7-x64

3

e38bd93e74...28.exe

windows10-2004-x64

10

eab14d8dad...38.exe

windows10-2004-x64

10

f943251c5b...1b.exe

windows10-2004-x64

10

fb49b50c0d...90.exe

windows7-x64

3

fb49b50c0d...90.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/05/2024, 13:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eab14d8dada2d5205db79e415c61561de2646a3a67f4615bfffa2f0c272f8738.exe

  • Size

    479KB

  • MD5

    2cb6553c9840b3d0b75e3cb6dfceabdb

  • SHA1

    b795b91e6e19782f031fbdae21de93ea2b7be2be

  • SHA256

    eab14d8dada2d5205db79e415c61561de2646a3a67f4615bfffa2f0c272f8738

  • SHA512

    3025a44d0ebb216787f8c39833aa68450592891f7d861a8e010c2f537ea7190192572c0a8a61591f1f889401dcc07ebf4a1b027c692438826b8097907aac9314

  • SSDEEP

    12288:7MrLy90YhqS1jB9dQopQaVuKga3WM3s0l5f+nf:Iy9UUldMJaCQmf

Score
10/10
healerredlinedumuddropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes
  • auth_value

    3e18d4b90418aa3e78d8822e87c62f5c

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eab14d8dada2d5205db79e415c61561de2646a3a67f4615bfffa2f0c272f8738.exe
    "C:\Users\Admin\AppData\Local\Temp\eab14d8dada2d5205db79e415c61561de2646a3a67f4615bfffa2f0c272f8738.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3564
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8516316.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8516316.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2172
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3468
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7564883.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7564883.exe
        3⤵
        • Executes dropped EXE
        PID:2096

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8516316.exe
    Filesize

    307KB

    MD5

    216c883d69e5b676dadcbbc3c49b2ea7

    SHA1

    bd25ba694b75cfc5c747073abbe9344001c05d48

    SHA256

    cd05c707896cf6721f13c5f314b2a73e413a8bc42acd0b01164a2d36426728c7

    SHA512

    b3b74dea447966ffde82d33e7ae96df894e8145a431eb795af1d882358814ceafc2b22406a522c114a6abcd9b43f2ee166f6c492ed1194aab257b314c3bb5120

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe
    Filesize

    180KB

    MD5

    769430943362861334421dba770826e7

    SHA1

    f4452cae4df613a4a7cb22da4ff12a671e0debb4

    SHA256

    9eb85dd00a91711de4dbcb01f144368839954d6ec1bdc80bf3df63123b55089d

    SHA512

    a33420ec4fdda34810b86899b12d38449a85af6b46ac88d630b71bd92f5e9f74fad13b0f51d948bbd3de43d060632af5b81deffb692a5e3e4e6a327614434741

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7564883.exe
    Filesize

    168KB

    MD5

    c89a4c50b55d8b6f3a41d465a1aec944

    SHA1

    5ffbb28b771af6bc8f9f327294605c4bb4edfa65

    SHA256

    b1266f818eaf91dfe5c7aa2deaf6a428374e2bee21deffb52a3b1c22a49b8759

    SHA512

    29d7856defe832254a4e0f5d90ada57090bb9f960a8d53deb49273702e3eee04bfe25ac7c0ea1367a76687a1061e16302dcb6147bed30acec4901a2c83418d12

    Download Submit

  • memory/2096-60-0x0000000005390000-0x00000000053DC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2096-59-0x0000000005210000-0x000000000524C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2096-58-0x00000000051B0000-0x00000000051C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2096-57-0x0000000005280000-0x000000000538A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2096-56-0x0000000005750000-0x0000000005D68000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2096-55-0x0000000004E90000-0x0000000004E96000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2096-54-0x0000000000830000-0x0000000000860000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3468-30-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3468-20-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3468-38-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3468-36-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3468-34-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3468-32-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3468-42-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3468-28-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3468-26-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3468-24-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3468-22-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3468-40-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3468-47-0x0000000074260000-0x0000000074A10000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3468-48-0x0000000074260000-0x0000000074A10000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3468-50-0x0000000074260000-0x0000000074A10000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3468-46-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3468-44-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3468-19-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3468-18-0x0000000004990000-0x00000000049A8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3468-17-0x0000000004A20000-0x0000000004FC4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3468-16-0x0000000074260000-0x0000000074A10000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3468-15-0x0000000002190000-0x00000000021AA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3468-14-0x000000007426E000-0x000000007426F000-memory.dmp

    Filesize

    4KB

    Download