Overview

overview

10

Static

static

7

2260e01650...fc.exe

windows10-2004-x64

10

24b96bca46...df.exe

windows10-2004-x64

10

2590c6aee0...47.exe

windows7-x64

3

2590c6aee0...47.exe

windows10-2004-x64

10

2a4e0bfefe...ad.exe

windows10-2004-x64

10

30b28fbbc6...6a.exe

windows10-2004-x64

10

45405e3261...66.exe

windows10-2004-x64

10

4daea23a41...5a.exe

windows10-2004-x64

10

6568836094...3d.exe

windows10-2004-x64

10

72a27ce3ad...a5.exe

windows10-2004-x64

10

7ba9a39823...5d.exe

windows10-2004-x64

10

7f181e671c...fc.exe

windows7-x64

3

7f181e671c...fc.exe

windows10-2004-x64

10

8a74314c35...5a.exe

windows10-2004-x64

7

ae6ddd393a...d7.exe

windows10-2004-x64

10

b2402bf5ca...fa.exe

windows10-2004-x64

10

c39e49cedb...e5.exe

windows7-x64

7

c39e49cedb...e5.exe

windows10-2004-x64

7

cd321830f5...bc.exe

windows10-2004-x64

10

cfcca94dd6...6e.exe

windows10-2004-x64

10

dfa156ac28...ff.exe

windows10-2004-x64

10

f25337a343...56.exe

windows10-2004-x64

10

f5d16598bf...16.exe

windows7-x64

10

f5d16598bf...16.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 14:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4daea23a41245608877f956cf37370e6533344758835349d21470fee22792f5a.exe

  • Size

    307KB

  • MD5

    a9938a8bf2e4c5465b0c1f8d94199778

  • SHA1

    21a10d69514111047d789e5fabe472a9cb8b190f

  • SHA256

    4daea23a41245608877f956cf37370e6533344758835349d21470fee22792f5a

  • SHA512

    5404f81f3dae9f4c5192c18448aa15f90ff15e5823d6f971cafb3670d301f620c0928ed02bec680fedb7213b631d7e72e1748e097a0c477fa73df7c430f320f2

  • SSDEEP

    6144:KLy+bnr+lp0yN90QEv5F5OYc1u31g4TByxV7KJytDAUYss:dMrZy90Pxc1u31TTExV7KEt0UYss

Score
10/10
healerredlinedumuddropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes
  • auth_value

    3e18d4b90418aa3e78d8822e87c62f5c

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4daea23a41245608877f956cf37370e6533344758835349d21470fee22792f5a.exe
    "C:\Users\Admin\AppData\Local\Temp\4daea23a41245608877f956cf37370e6533344758835349d21470fee22792f5a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k6930139.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k6930139.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4684
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l9939101.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l9939101.exe
      2⤵
      • Executes dropped EXE
      PID:1076

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

3
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k6930139.exe
    Filesize

    180KB

    MD5

    83bf542e1973fa2acad4903024ddccfe

    SHA1

    364e5c9d74370c62541c918d9040f0c607d547b6

    SHA256

    eaafb2e0c7770c617b9349f47f8c7d76e3a523c80096c837ba61a904a6549a02

    SHA512

    0aaa961c9c675b7a6968ec12cb2d3ab1767689ac4631ac9409395ebd5f988b50985e11b1aab340ef09863f6827408de5749cb4461bc34a0be9d8803a6d835ecd

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l9939101.exe
    Filesize

    168KB

    MD5

    0b41b1ec0d807f087a7d78136bc00f26

    SHA1

    927204f69df79a69811f68dab540c341d915bc16

    SHA256

    273855da6b0874cc5cbbb1f51ea29f5dbf61d23f6dadd76ad3a0e46113c32d9b

    SHA512

    84f1e11f6db2804290d36cf9c39bac7ab2789812bd9c7a2386579407bafb397dd6d88fb79f8e1dbeafa1d0122e36b62268a2d01d6a2c0db5dbe6b50bf4c80252

    Download Submit
  • memory/1076-55-0x0000000073E30000-0x0000000073EDB000-memory.dmp
    Filesize

    684KB

    Download
  • memory/1076-54-0x0000000004B80000-0x0000000004BCC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1076-53-0x0000000004B30000-0x0000000004B6C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1076-52-0x0000000073E30000-0x0000000073EDB000-memory.dmp
    Filesize

    684KB

    Download
  • memory/1076-51-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1076-50-0x0000000004BE0000-0x0000000004CEA000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1076-49-0x00000000050F0000-0x0000000005708000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/1076-48-0x00000000023E0000-0x00000000023E6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/1076-47-0x0000000073E30000-0x0000000073EDB000-memory.dmp
    Filesize

    684KB

    Download
  • memory/1076-46-0x0000000000150000-0x0000000000180000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4684-37-0x0000000004F40000-0x0000000004F52000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4684-29-0x0000000004F40000-0x0000000004F52000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4684-25-0x0000000004F40000-0x0000000004F52000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4684-23-0x0000000004F40000-0x0000000004F52000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4684-21-0x0000000004F40000-0x0000000004F52000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4684-19-0x0000000004F40000-0x0000000004F52000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4684-17-0x0000000004F40000-0x0000000004F52000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4684-15-0x0000000004F40000-0x0000000004F52000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4684-13-0x0000000004F40000-0x0000000004F52000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4684-40-0x0000000073E80000-0x0000000074630000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4684-42-0x0000000073E80000-0x0000000074630000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4684-27-0x0000000004F40000-0x0000000004F52000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4684-31-0x0000000004F40000-0x0000000004F52000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4684-33-0x0000000004F40000-0x0000000004F52000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4684-35-0x0000000004F40000-0x0000000004F52000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4684-39-0x0000000004F40000-0x0000000004F52000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4684-12-0x0000000004F40000-0x0000000004F52000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4684-11-0x0000000004F40000-0x0000000004F58000-memory.dmp
    Filesize

    96KB

    Download
  • memory/4684-10-0x0000000004950000-0x0000000004EF4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4684-9-0x0000000073E80000-0x0000000074630000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4684-8-0x00000000048F0000-0x000000000490A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/4684-7-0x0000000073E8E000-0x0000000073E8F000-memory.dmp
    Filesize

    4KB

    Download