Overview

overview

10

Static

static

3

0f6ce02639...df.exe

windows10-2004-x64

10

17dbf09aca...d0.exe

windows7-x64

3

17dbf09aca...d0.exe

windows10-2004-x64

10

1b624e343d...55.exe

windows10-2004-x64

10

2faa75c50b...6d.exe

windows7-x64

3

2faa75c50b...6d.exe

windows10-2004-x64

10

4be1f370e8...6b.exe

windows7-x64

3

4be1f370e8...6b.exe

windows10-2004-x64

10

576cad65a8...60.exe

windows10-2004-x64

10

6aa8d5d0d6...df.exe

windows10-2004-x64

10

6eeb3d69d9...69.exe

windows7-x64

3

6eeb3d69d9...69.exe

windows10-2004-x64

10

77b8709187...06.exe

windows7-x64

3

77b8709187...06.exe

windows10-2004-x64

10

7f4e227924...bb.exe

windows7-x64

3

7f4e227924...bb.exe

windows10-2004-x64

10

8a870280a0...35.exe

windows7-x64

3

8a870280a0...35.exe

windows10-2004-x64

10

8db6f54494...1f.exe

windows10-2004-x64

10

b21367ffaa...ef.exe

windows10-2004-x64

10

b62068be50...da.exe

windows10-2004-x64

10

be5114d10d...f3.exe

windows10-2004-x64

10

d191282ff4...7a.exe

windows10-2004-x64

10

de9167b772...91.exe

windows10-2004-x64

10

f6dc0b4c65...d6.exe

windows10-2004-x64

10

f85eca1ce9...65.exe

windows7-x64

3

f85eca1ce9...65.exe

windows10-2004-x64

10

f8dfa98c4e...be.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 14:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b62068be50129166f539eb32a63746c4245a497e9b72553efdf326582cc5f4da.exe

  • Size

    922KB

  • MD5

    d86f13a3db074ef7115f9b305cdf356d

  • SHA1

    d0f7e04a160f577a0fc1f2855d4b2a75705f6a15

  • SHA256

    b62068be50129166f539eb32a63746c4245a497e9b72553efdf326582cc5f4da

  • SHA512

    95d1cf4a6a8fc9aa0fcb81bacd78051ef8d06a27bca3e27053283006d9052e6a6329fb0cb5625c6cd9298760d379d043ae18dfbf9c55be002a23f8b7a33107b6

  • SSDEEP

    24576:ayCGAwe+RYdJNjQiVFX9ZD9I21pB3C8MMdMxeoG:hCUe+R4JNUilZDH/3MkMxF

Score
10/10
healerredlinelampdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b62068be50129166f539eb32a63746c4245a497e9b72553efdf326582cc5f4da.exe
    "C:\Users\Admin\AppData\Local\Temp\b62068be50129166f539eb32a63746c4245a497e9b72553efdf326582cc5f4da.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9692635.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9692635.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3323169.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3323169.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:512
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k9636493.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k9636493.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3308
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2428945.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2428945.exe
          4⤵
          • Executes dropped EXE
          PID:1800

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9692635.exe
    Filesize

    767KB

    MD5

    1281cd1a4b74c86c1c542e2ba8a056c0

    SHA1

    9f8c5844c9dd0d4351eae1d558fbb16616b9f65b

    SHA256

    7a27e308a04b0e6f412b5846d1b183a6f7edfefb553e7e406991f2d3a73da460

    SHA512

    b205061159f7b7b1b89f0b15677b03a0eb8e95bb359ed89a52ab1187f537c90bff2d7bfd4c591eccb811928b00ce2e1c60303308cf605d3cc1df448158d3e24a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3323169.exe
    Filesize

    583KB

    MD5

    b1595834e5c33b6fd26cca820121d750

    SHA1

    6c8fe5e94b414f7c9504a7ebd9e7e8ebaf555caa

    SHA256

    8452b1d7e654498a2b5d6fa12d32246c2f593c6a1ceb56f080c1657122e13f42

    SHA512

    4cbab776321bc8366f3476312d1762f53475c7afeda8e84e80af0ca70a8e655896bec85bf26f44272aaec9b2f82c680904986c266e567ba182de2b70643e1218

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k9636493.exe
    Filesize

    295KB

    MD5

    29bc6053fb6e105a20025dfea11d0395

    SHA1

    89dfc239626bf5c21418e484ac5ddad9822c78cf

    SHA256

    1893857d3db2b3406063281bc8bfa14df8ab57b4211721f7e75d2224088716f9

    SHA512

    7d50bc98cfa13c41b51cd47e21c9ed2d1da58f2960212f694b03c645be8351c4409657f2b8ab6f85a97f814e9ff1bb6555abdc80342c26b8ea1b9e18378304e2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2428945.exe
    Filesize

    492KB

    MD5

    67775affc2dfa05c6ed2f9130a99a130

    SHA1

    456681dbe191a1e743aa3bebbc4020896a18574a

    SHA256

    d3d80e1e81d98f242f792fadd7be21beae90d3c9e6c5ca3ed86cbf3cd5fd7cc2

    SHA512

    b94d2038935a53d572bb7bdac21bb357e4f4642ec0ea4ebbda6a3cb6fc2abb44ff67e02de2dda22420b4ab9ccc37cd041dad54fdd2ff44c67cc431c77ae279de

    Download Submit

  • memory/1800-45-0x00000000080A0000-0x00000000086B8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1800-35-0x0000000001FA0000-0x000000000202C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/1800-42-0x0000000001FA0000-0x000000000202C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/1800-44-0x0000000002380000-0x0000000002386000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1800-46-0x0000000006CD0000-0x0000000006DDA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1800-47-0x0000000006E00000-0x0000000006E12000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1800-48-0x00000000086C0000-0x00000000086FC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1800-49-0x0000000005A10000-0x0000000005A5C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3308-29-0x0000000004A80000-0x0000000004A81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3308-28-0x00000000004D0000-0x000000000050E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3308-22-0x00000000004D0000-0x000000000050E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3308-21-0x0000000000401000-0x0000000000404000-memory.dmp

    Filesize

    12KB

    Download