Overview

overview

10

Static

static

7

05b48b2909...29.exe

windows10-2004-x64

143e14de3a...c5.exe

windows10-2004-x64

10

2c899ff55c...31.exe

windows10-2004-x64

10

2e0a9b6a39...9b.exe

windows10-2004-x64

10

4250b0250d...ee.exe

windows10-2004-x64

10

464a716862...38.exe

windows10-2004-x64

10

4d09936a4a...bf.exe

windows10-2004-x64

10

59c1607382...01.exe

windows10-2004-x64

10

61f1416a77...2b.exe

windows10-2004-x64

10

68ca177d42...f8.exe

windows7-x64

7

68ca177d42...f8.exe

windows10-2004-x64

7

6ba0db3b66...b3.exe

windows10-2004-x64

10

8b549a8688...5b.exe

windows10-2004-x64

10

a8dffd83e4...8a.exe

windows10-2004-x64

7

b6b53c7022...c9.exe

windows10-2004-x64

10

ccc5c313f4...94.exe

windows10-2004-x64

e04ecd64b5...1b.exe

windows7-x64

3

e04ecd64b5...1b.exe

windows10-2004-x64

10

e38bd93e74...28.exe

windows7-x64

3

e38bd93e74...28.exe

windows10-2004-x64

10

eab14d8dad...38.exe

windows10-2004-x64

10

f943251c5b...1b.exe

windows10-2004-x64

10

fb49b50c0d...90.exe

windows7-x64

3

fb49b50c0d...90.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    127s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 13:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf.exe

  • Size

    1.2MB

  • MD5

    2ff65e9ca8a0b92b2f9ead3ba8dd7ed2

  • SHA1

    bc118c8a4ba9391e5bc4315eef3d0dd83afaebfd

  • SHA256

    4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf

  • SHA512

    4fd459726173efd0412638d81884d4636b385098696b6dee1b403b809a3eb79c2202394ca4ca5e8f3f1630e83e02af723a78931c58242cf161abe1974b32137a

  • SSDEEP

    24576:YyZkbJInDZr4+HhuBykcdH3B3laSprA5MBkWUhLfYTemxmdza8xPjo:fZkbSDZTHc9cdH3aSBA5I4FduaPj

Score
10/10
healerredlinelampdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf.exe
    "C:\Users\Admin\AppData\Local\Temp\4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4056
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1426625.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1426625.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2236
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4288450.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4288450.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2680
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0931522.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0931522.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4920
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0829334.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0829334.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:852
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1724
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4580
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1783125.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1783125.exe
            5⤵
            • Executes dropped EXE
            PID:3596

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

3
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1426625.exe
    Filesize

    1.0MB

    MD5

    0ffebb1f8e07e9e177551ddfe1e5deb3

    SHA1

    126013412bc3d49f5c8e3beafe9cfd92fdf59c65

    SHA256

    cd6bdea7c7a6c6ade538cf5d4567881d67e82dd72d473179cb47986367bae628

    SHA512

    1a23a319a9d8c4f025ede357e008d6ee0a656f88e7efa0901a46eef7b6c56248dad5a4b251f82b3d7c1aa73562ff5fa00e5ae2f9262554232badebe4dc71918a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4288450.exe
    Filesize

    909KB

    MD5

    05b31cc1f873f663da8a3673ee1c1e70

    SHA1

    da64bfd433ce785b9d26fb0f6fe4883d9d790b09

    SHA256

    2a5782027e95953e6a505c58e691fc2324135b202c38c437ad4dc8ced47a2feb

    SHA512

    d902b06aebe522c883f782dd299f57d3d1925ab3e4955b8ce6882e53523bd63b9d3f35b8c0f0c6ad8aea0a5e9f9e3ad01fd2bc2096dbe62196ce38bb0f6f40d8

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0931522.exe
    Filesize

    725KB

    MD5

    50f2ebe7886d7ecf35f81f720ac270ed

    SHA1

    59f616bc7d655575d54e58c256de026dd0c82c6e

    SHA256

    e127f2e8fb3406e6ce6497ebf04e41c01b95f4a7c2d3c89ecc5fe462dfa62ffd

    SHA512

    d685afabb0bb488b1d6d0c3d69b0175593658f5920d25841086759be73ed79ee426883485013fa5b6f5398372c36145c559404ac7892e559d75846fbaf5adf44

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1783125.exe
    Filesize

    492KB

    MD5

    1bc0f3239045d44d169496f3b247f881

    SHA1

    1884266973607585ec1b134f6009c17e54f3b18f

    SHA256

    8d09dd356bd29f5d38121849999e828d955e116d03542444d0b4f40073596e7f

    SHA512

    dc3a2358d4d2613bb82c60362c409590a8699d53625efd9fd8b853f5e19afed07c798cf66b59d38bd526a80559bc4cc486b23b0f40f3fb120bd61a67946f87a9

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0829334.exe
    Filesize

    325KB

    MD5

    c045adc356c9935a873d1cd91cd54989

    SHA1

    06b1b8c34e396a09a69a425af0f8b00671a4f953

    SHA256

    bb2374a0251dd291e217e7c74eac6881cc229a2778ba0047f54e014bebc75a62

    SHA512

    bcab8a6331c4ceb7beeff395fc6d3b8d0ae7e1ae3ea0c45692870aad586563ed8313d24b02d45c69cb0496f7115f6580422637edcb4c188575960819e86f54f0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe
    Filesize

    295KB

    MD5

    c43930fbf73244831a96682aba907e8c

    SHA1

    44db4ec9c11a04d56d2bfab7f993abf37a23e6fe

    SHA256

    9beeaf6651baa5e2597a933df6eee18cf168ba41865e18001185613e0949bba3

    SHA512

    6cb91d5c9317f693a04eec12cddef55760619ed65944df60986b009eb1c782833d121788d4352519e6391bed2a06f0f602b1f4a753623c7ac92dd0440dd307af

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe
    Filesize

    11KB

    MD5

    f77d78af12b9628421ed4e1dfb7deb13

    SHA1

    9b6fa06af3564e2fe4724d8b5ebfdfd2a7ec0fd5

    SHA256

    10d806abe4d088bbb95c43a04c91f68a10888bd256de9c9a58c4c7642a9572ab

    SHA512

    6c01f44fdb412a58a19ddb4caf73a502a5aae10aecb959a67142ab267ef6732a7e5e6346c1a5ce5aa52823ae5b50372c083e4e59f650c835a38c75d334303e00

    Download Submit
  • memory/1724-35-0x00000000005C0000-0x00000000005FE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1724-42-0x0000000006A90000-0x0000000006A91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1724-41-0x00000000005C0000-0x00000000005FE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/3596-53-0x0000000002020000-0x00000000020AC000-memory.dmp
    Filesize

    560KB

    Download
  • memory/3596-60-0x0000000002020000-0x00000000020AC000-memory.dmp
    Filesize

    560KB

    Download
  • memory/3596-62-0x0000000002260000-0x0000000002266000-memory.dmp
    Filesize

    24KB

    Download
  • memory/3596-63-0x000000000AC30000-0x000000000B248000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/3596-64-0x0000000005F90000-0x000000000609A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/3596-65-0x00000000060C0000-0x00000000060D2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/3596-66-0x00000000060E0000-0x000000000611C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/3596-67-0x00000000048C0000-0x000000000490C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/4580-48-0x0000000000BD0000-0x0000000000BDA000-memory.dmp
    Filesize

    40KB

    Download