Overview

overview

10

Static

static

7

2260e01650...fc.exe

windows10-2004-x64

10

24b96bca46...df.exe

windows10-2004-x64

10

2590c6aee0...47.exe

windows7-x64

3

2590c6aee0...47.exe

windows10-2004-x64

10

2a4e0bfefe...ad.exe

windows10-2004-x64

10

30b28fbbc6...6a.exe

windows10-2004-x64

10

45405e3261...66.exe

windows10-2004-x64

10

4daea23a41...5a.exe

windows10-2004-x64

10

6568836094...3d.exe

windows10-2004-x64

10

72a27ce3ad...a5.exe

windows10-2004-x64

10

7ba9a39823...5d.exe

windows10-2004-x64

10

7f181e671c...fc.exe

windows7-x64

3

7f181e671c...fc.exe

windows10-2004-x64

10

8a74314c35...5a.exe

windows10-2004-x64

7

ae6ddd393a...d7.exe

windows10-2004-x64

10

b2402bf5ca...fa.exe

windows10-2004-x64

10

c39e49cedb...e5.exe

windows7-x64

7

c39e49cedb...e5.exe

windows10-2004-x64

7

cd321830f5...bc.exe

windows10-2004-x64

10

cfcca94dd6...6e.exe

windows10-2004-x64

10

dfa156ac28...ff.exe

windows10-2004-x64

10

f25337a343...56.exe

windows10-2004-x64

10

f5d16598bf...16.exe

windows7-x64

10

f5d16598bf...16.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 14:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b2402bf5ca4c67871f6519e689231078532c147c35500668d062dec52e27e9fa.exe

  • Size

    919KB

  • MD5

    aa26cccde046b0e54b832825a5756c35

  • SHA1

    f5c538220421870979edb4d93fdf8b02a4d0ecbc

  • SHA256

    b2402bf5ca4c67871f6519e689231078532c147c35500668d062dec52e27e9fa

  • SHA512

    60ace7d38dccf257e75c6e369355975b84757c127f93afecd6e58f4316bd7f1d13cf55f7d4264d6928e37f62a37d838f9b044567ea49f8bd27eec9511130a290

  • SSDEEP

    24576:IyAXaONmQk2uEBNOAaIGqgK1wjH9AxXChzyvp:PAr+RpItggoH9ARC4

Score
10/10
healerredlinelampdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b2402bf5ca4c67871f6519e689231078532c147c35500668d062dec52e27e9fa.exe
    "C:\Users\Admin\AppData\Local\Temp\b2402bf5ca4c67871f6519e689231078532c147c35500668d062dec52e27e9fa.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4724
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7125234.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7125234.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2364
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4930718.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4930718.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1000
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2030400.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2030400.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1520
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8241084.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8241084.exe
          4⤵
          • Executes dropped EXE
          PID:4864

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7125234.exe
    Filesize

    763KB

    MD5

    b48a578588d98c3a62f893c31d186283

    SHA1

    6390bae1ea0bcbd3946a6fe02c96648630a7078e

    SHA256

    12eb65af73d57056b331bbffbd992f9f24d1b8e4a511755169da65e77f541084

    SHA512

    d4ba3cfd9be3460f3a7c499636ba52d8314bdbd8361620126446087668145115ebb61a0e19d84fd60af786f0d555617b1ff6ba8ed9bea6c1625fbf347e70bfbc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4930718.exe
    Filesize

    580KB

    MD5

    f3520c894e9ce7c7dccd10ebcd9396c0

    SHA1

    9e34c4b127ad1323d64505336bb4d8910c0e3816

    SHA256

    683e4cf522ce3fcaeebd4c3651b2b1284f39a5d589cd6c5a914012659b04253a

    SHA512

    fe7097e3c7e7dc39ab30ab46acc13fbecb1a1ed74dff67a76d1e1f4d2b54992dccf8627344a418998f3c4370e62ee308fdce7101478de4d6fa4605a46dd2be4c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2030400.exe
    Filesize

    294KB

    MD5

    f0cb39848f81ff9d8596467899faf7b5

    SHA1

    a4cfd01761010269909a9dc449d3e61ebd91ea4c

    SHA256

    5acdb9813683437854c30906c4bf78d941a704f4fb8c9c8e04340302856d553c

    SHA512

    6203c1e764d25df982b5f00e7c9949ad01c0baba66be08028a44986a42fba123bd8b08ec922714a7ad7fc52ba59a02321925ae2d11ba12067d2239383cc38855

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8241084.exe
    Filesize

    491KB

    MD5

    723cd8350a1b5161d46ddaf8ed4014fc

    SHA1

    44cd20f39e87ce79c0564844f4fb303c288d67f5

    SHA256

    8d1bd965483537eace2744419a9f76fabed2c980d2ecf59fe4c8c65f25cd04bb

    SHA512

    fe7da90b1c21f067a815fc7d5b2494f2ca0eb81832b525211beea61e813548c9bdfba28b6ae32a474e337f2f3fe83dc956d95423a9e8ba9d0749ea4af028202f

    Download Submit

  • memory/1520-21-0x0000000000401000-0x0000000000404000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1520-22-0x0000000001F80000-0x0000000001FBE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1520-28-0x0000000001F80000-0x0000000001FBE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1520-29-0x0000000002340000-0x0000000002341000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4864-36-0x0000000001F70000-0x0000000001FFC000-memory.dmp

    Filesize

    560KB

    Download

  • memory/4864-42-0x0000000001F70000-0x0000000001FFC000-memory.dmp

    Filesize

    560KB

    Download

  • memory/4864-44-0x0000000002240000-0x0000000002246000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4864-45-0x0000000005000000-0x0000000005618000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4864-46-0x0000000004A70000-0x0000000004B7A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4864-47-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4864-48-0x0000000004BC0000-0x0000000004BFC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4864-49-0x0000000004C30000-0x0000000004C7C000-memory.dmp

    Filesize

    304KB

    Download