Overview

overview

10

Static

static

3

0e13a10fd6...cb.exe

windows10-2004-x64

10

1d089addfe...b5.exe

windows10-2004-x64

10

35d50aca92...42.exe

windows10-2004-x64

10

3ab23a3036...c6.exe

windows10-2004-x64

10

58ac39bbc6...9e.exe

windows10-2004-x64

10

64792ffeec...35.exe

windows10-2004-x64

10

654aa4d5e8...3b.exe

windows10-2004-x64

10

677afbc183...fd.exe

windows7-x64

3

677afbc183...fd.exe

windows10-2004-x64

10

71d1420ff1...80.exe

windows10-2004-x64

10

7a08e2a624...2b.exe

windows10-2004-x64

10

8c7a2623ea...7d.exe

windows10-2004-x64

10

c64d3873d4...2e.exe

windows10-2004-x64

10

cbd8058875...48.exe

windows7-x64

3

cbd8058875...48.exe

windows10-2004-x64

10

ec20c35511...9b.exe

windows10-2004-x64

10

eca60134d9...3f.exe

windows10-2004-x64

10

ecc005f21f...de.exe

windows10-2004-x64

f0fb625894...03.exe

windows10-2004-x64

10

f66a0103e4...71.exe

windows10-2004-x64

10

ffa14d4c0b...02.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 14:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f0fb625894c32db0094ce88fe51ad9ddb2db188124af7a638cf184eccf3d1203.exe

  • Size

    389KB

  • MD5

    10d90091ef4d583803f960e642111708

  • SHA1

    9a36e16049aca4f664c3802003afa15637326ccc

  • SHA256

    f0fb625894c32db0094ce88fe51ad9ddb2db188124af7a638cf184eccf3d1203

  • SHA512

    01891a9da02ab953a654f96bc927df089e11c28dff9983277621cffe463da5ff3a888992daea3f1f82d68fa1ec21ea6502c6ea4ceeb0495b3a13d813b438bd2c

  • SSDEEP

    6144:K/y+bnr+5p0yN90QEwBYGFRxbEZcRaEHIpj1XH8bbvymQmiaKq9REG8dq2:pMrpy90LUIZ1EHEBisG8dF

Score
10/10
healerredlinenasadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f0fb625894c32db0094ce88fe51ad9ddb2db188124af7a638cf184eccf3d1203.exe
    "C:\Users\Admin\AppData\Local\Temp\f0fb625894c32db0094ce88fe51ad9ddb2db188124af7a638cf184eccf3d1203.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3496
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0683912.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0683912.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4636
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0494750.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0494750.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2116
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0205907.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0205907.exe
        3⤵
        • Executes dropped EXE
        PID:3716

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

3
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0683912.exe
    Filesize

    206KB

    MD5

    939d6f1624acdf247b27e417461f6fc2

    SHA1

    ababd4e5b9de14e4db986e9ce35439f8a5b29386

    SHA256

    006b489b6a848040e6f48669e137288e8d58d22f75e6068f32a1b1e7c1c168d8

    SHA512

    b67ae62b285f9e4888ab9081b5a8a1e58d4135bfee3e10782b44ab9250a259078b59b16457cbba3ebd34649b50db6c448c0e1c80a4e0c0358e29568d8735d034

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0494750.exe
    Filesize

    14KB

    MD5

    6bdbfe0e106a0b46337cc348201232fc

    SHA1

    9456f1008994ed07207269bf7fba4d7c5b075820

    SHA256

    552c2745a35630d97283d469214d8b3276ad11187106a62bb22a8363246b2c02

    SHA512

    5b1e96a8760b7c45edd7857a12039eeb64f5f25bc1f7d216a63661b0933589c5fe3a2075f666947fb2c3a32f27a4077c99d971f8d5c8373e26baed004af663a5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0205907.exe
    Filesize

    173KB

    MD5

    0a6b4b6dc4ea62763a5d60c97a069bc0

    SHA1

    59c43e0db270ec2bdb287d6fc2f6782df3fb6763

    SHA256

    db4738b7198f819e211e04cd15957e5dc3e8a63d37f9f985f2decb7963d156b3

    SHA512

    85f48a2c1ae7e0b59c821de75ba85086377d72ed7bdd0bcacb9af620a18a02af1e91547b2fbbd8823e3b1dcdb11a907ef1fe187285c8299c1cd54b68f41cd445

    Download Submit
  • memory/2116-15-0x00007FFD84113000-0x00007FFD84115000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2116-14-0x0000000000F90000-0x0000000000F9A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3716-20-0x00000000009B0000-0x00000000009E0000-memory.dmp
    Filesize

    192KB

    Download
  • memory/3716-21-0x0000000002CA0000-0x0000000002CA6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/3716-22-0x000000000ACB0000-0x000000000B2C8000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/3716-23-0x000000000A820000-0x000000000A92A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/3716-24-0x000000000A760000-0x000000000A772000-memory.dmp
    Filesize

    72KB

    Download
  • memory/3716-25-0x000000000A7C0000-0x000000000A7FC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/3716-26-0x0000000004D00000-0x0000000004D4C000-memory.dmp
    Filesize

    304KB

    Download