Overview

overview

10

Static

static

7

2260e01650...fc.exe

windows10-2004-x64

10

24b96bca46...df.exe

windows10-2004-x64

10

2590c6aee0...47.exe

windows7-x64

3

2590c6aee0...47.exe

windows10-2004-x64

10

2a4e0bfefe...ad.exe

windows10-2004-x64

10

30b28fbbc6...6a.exe

windows10-2004-x64

10

45405e3261...66.exe

windows10-2004-x64

10

4daea23a41...5a.exe

windows10-2004-x64

10

6568836094...3d.exe

windows10-2004-x64

10

72a27ce3ad...a5.exe

windows10-2004-x64

10

7ba9a39823...5d.exe

windows10-2004-x64

10

7f181e671c...fc.exe

windows7-x64

3

7f181e671c...fc.exe

windows10-2004-x64

10

8a74314c35...5a.exe

windows10-2004-x64

7

ae6ddd393a...d7.exe

windows10-2004-x64

10

b2402bf5ca...fa.exe

windows10-2004-x64

10

c39e49cedb...e5.exe

windows7-x64

7

c39e49cedb...e5.exe

windows10-2004-x64

7

cd321830f5...bc.exe

windows10-2004-x64

10

cfcca94dd6...6e.exe

windows10-2004-x64

10

dfa156ac28...ff.exe

windows10-2004-x64

10

f25337a343...56.exe

windows10-2004-x64

10

f5d16598bf...16.exe

windows7-x64

10

f5d16598bf...16.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 14:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cd321830f55d58d1391cb6f68bd887e31a7e1c0da19880caac02e0804afeb9bc.exe

  • Size

    1.6MB

  • MD5

    aed3e716f608104e2440f5a872c969de

  • SHA1

    07bd20370b5dfebd101d421c64d040163aab20fc

  • SHA256

    cd321830f55d58d1391cb6f68bd887e31a7e1c0da19880caac02e0804afeb9bc

  • SHA512

    80b1c179f57468ff121a0909e7e6940af32122e2086754329463c9c1877ea6e2cd4cfd0eccfe3f31b830a5d51fec6ceaacbd9e6c8eb6254cd734b0c4cdf00b5b

  • SSDEEP

    24576:fyl8gNcSnpEaZYaoMZ7R9DkPAjuhhqT5zoCVQcx/e1jTfIHBx8sEwZZl7:qHDVq0NZkPmKh8zoCVQt1/Inxz

Score
10/10
healerredlinemashadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cd321830f55d58d1391cb6f68bd887e31a7e1c0da19880caac02e0804afeb9bc.exe
    "C:\Users\Admin\AppData\Local\Temp\cd321830f55d58d1391cb6f68bd887e31a7e1c0da19880caac02e0804afeb9bc.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3768
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4450258.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4450258.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2382910.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2382910.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4056
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3119867.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3119867.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1528
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0591490.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0591490.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2492
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8807328.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8807328.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1568
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2338553.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2338553.exe
          4⤵
          • Executes dropped EXE
          PID:3824

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4450258.exe
    Filesize

    1.4MB

    MD5

    a9c8938bb80e4535f4d00f93ca4db050

    SHA1

    9875588d3102cb2a50eb5fdc0e517af9676fe769

    SHA256

    faae488d0f36be21caea7908d89e1171fa6292ebc7f06b387835cc1b0e83cc0d

    SHA512

    2a75bbe5717850c7a11ccfd5cecf84bddf982a3512a70909b0d9daf4abe7b217498cc5f147dec1b1b81d2e2d1f7ce54e54eb1fcc15071f3c4f375a0b98ab4d19

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2382910.exe
    Filesize

    1.3MB

    MD5

    9dd971f5c28bd239ce88e6b50cf70234

    SHA1

    c4ef5f8668e15371d14fa93c8b18dc4d578d0d3b

    SHA256

    1f615508a598246fd500720118f9a85603048c8ba6c60484094605ba69ec1ef8

    SHA512

    57330a0c7b4a1b0539f153c4cfc9a159767352f36748de8c9dcafa3adce2652ee758c7d78c1728f6edda2c4c38b04167c1191e54f65c8005e37109b4d1da36dd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2338553.exe
    Filesize

    729KB

    MD5

    640ce7325e5663516b121c5eeeb02dbc

    SHA1

    ac6ba514c9442b43450415b22d6b6fb686485cf7

    SHA256

    589e5e37639cfd78e6b7d7bb05bd072742932309195073812a7104cd9e715fc8

    SHA512

    1fa81a601b38f278b163c6ba04fe20d49c6f258ffbd8a4598553b209a83f0433d868f83f1f47876f2c1edef0b431334ebb8dfbcfb8bad3a3db9ee3f6161e87ed

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3119867.exe
    Filesize

    640KB

    MD5

    a23e8566807ee3a468dabd71af03d831

    SHA1

    bdb3d103a6108ba80f05bc73666e74816eb605f8

    SHA256

    8091ea19390957b3e708748238daa02d95f3e2b42abc9d29d7e88172bb344604

    SHA512

    aacfadc599c4e0a1ac54664a30fa6ba165df087b97e6225fe561439d465678fa731dc9712a3e1b30c0d79ecff8a2b8007e11f1653867498472125a4c88b4e827

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0591490.exe
    Filesize

    568KB

    MD5

    5cef2c3efcc75856638d10e09a8aaa08

    SHA1

    6a91293684bb915d84b394e7a58d92b6c9671c96

    SHA256

    b9d62aff6a5001903f6c1dce538cade7460b8efa1670a18002bd2b758944bd0b

    SHA512

    b20bef185f44d28fcc5e5adfa11991dcb05fae4856e2fc8e1204626e904fb8a90d604377b59a2c9210a3cb632ab08bbbfa04cbaa7fbf958f0735ff9ebd54b0c2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8807328.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • memory/1568-37-0x0000000000300000-0x000000000030A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2492-29-0x0000000000460000-0x000000000046A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3824-42-0x0000000000560000-0x0000000000590000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3824-47-0x0000000002490000-0x0000000002496000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3824-48-0x0000000009FB0000-0x000000000A5C8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3824-49-0x000000000A640000-0x000000000A74A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3824-50-0x000000000A780000-0x000000000A792000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3824-51-0x000000000A7A0000-0x000000000A7DC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3824-52-0x00000000022F0000-0x000000000233C000-memory.dmp

    Filesize

    304KB

    Download