Overview

overview

10

Static

static

3

036028e386...a7.exe

windows10-2004-x64

10

0f5fae4716...8d.exe

windows7-x64

3

0f5fae4716...8d.exe

windows10-2004-x64

10

1998a377c7...11.exe

windows7-x64

3

1998a377c7...11.exe

windows10-2004-x64

10

2b559f1c51...29.exe

windows10-2004-x64

10

2d1e7e578c...8f.exe

windows7-x64

3

2d1e7e578c...8f.exe

windows10-2004-x64

10

52d5102aa9...ea.exe

windows7-x64

3

52d5102aa9...ea.exe

windows10-2004-x64

10

5365362210...13.exe

windows10-2004-x64

10

5460a1d2c8...37.exe

windows7-x64

10

5460a1d2c8...37.exe

windows10-2004-x64

10

5eba1ca0e7...01.exe

windows10-2004-x64

10

69b4a94473...6c.exe

windows10-2004-x64

10

7b7ce936fd...c9.exe

windows10-2004-x64

10

82e97b51ca...5f.exe

windows10-2004-x64

10

841ea03e18...82.exe

windows10-2004-x64

10

9b8496e95e...b6.exe

windows10-2004-x64

10

bd06bfc269...a3.exe

windows10-2004-x64

10

d77888ac75...7b.exe

windows10-2004-x64

10

eadc8b7eba...10.exe

windows7-x64

3

eadc8b7eba...10.exe

windows10-2004-x64

10

ef11bf7b35...d4.exe

windows10-2004-x64

10

f0d33c78b4...aa.exe

windows10-2004-x64

10

f5c518fe92...4b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 14:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f5c518fe92fb2a2cb7e24aef95c0ce906e790b67bbc704f3311706b11b6a7d4b.exe

  • Size

    479KB

  • MD5

    3ab2ff06d401aa79ecc0a828734aa965

  • SHA1

    79f8c82403a2c4eba7333bbe8a8cea43043c1443

  • SHA256

    f5c518fe92fb2a2cb7e24aef95c0ce906e790b67bbc704f3311706b11b6a7d4b

  • SHA512

    b7d56a909168f4841e017122351439b13b932d8e79631294e3798df47e01619739248b238f2c89aab67da67f885013705ffe71881aac02fb23b157b1d0f4ad21

  • SSDEEP

    6144:Kay+bnr+Hkp0yN90QESbWCWKAw5UH4MDtIA/EzylcSAGRArr8wtc5VrgGL8F9KaE:iMrwy90Yf3UYeZMzylcyqFtucF30

Score
10/10
healerredlinedumuddropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes
  • auth_value

    3e18d4b90418aa3e78d8822e87c62f5c

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5c518fe92fb2a2cb7e24aef95c0ce906e790b67bbc704f3311706b11b6a7d4b.exe
    "C:\Users\Admin\AppData\Local\Temp\f5c518fe92fb2a2cb7e24aef95c0ce906e790b67bbc704f3311706b11b6a7d4b.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1376
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4258701.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4258701.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2996
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1520744.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1520744.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2216
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4036908.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4036908.exe
        3⤵
        • Executes dropped EXE
        PID:3320

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

3
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4258701.exe
    Filesize

    307KB

    MD5

    367ff3cd17fe97143cd8cb5f9e323046

    SHA1

    0a213bcb8d4e658992d1e083b0b206ac3650ba69

    SHA256

    ff54e8ca62b5d37f515d9883b629f0761bba9e583cfd91abda232bc4e5b5cd50

    SHA512

    9c2fd4077ecd277d91e83160a5c2a0a3bcc2c8774dda670dad8566a789fef7be158a87397cf2fa7360fda1916fac8331b61c55add4d4018ae2dfacbba6a32894

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1520744.exe
    Filesize

    180KB

    MD5

    7ae5c9c884c8a206085a31b28559a56e

    SHA1

    62ee3946087638f78cb879cec7873e931c3ea386

    SHA256

    d78fc25515b72db855c730b5e4a5bd2db040c857f8921ddead622d646bd6c98e

    SHA512

    54270113c6f8671b4ccd236e096f673dd8d0ca10f61bb90b798288c1340812893bb6db49db40d9e204f864c60091446603f1e1e2e6e4eb5233615cee8c0847e9

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4036908.exe
    Filesize

    168KB

    MD5

    faa7957999bc9ed6a221c8c19b9d09f0

    SHA1

    eef2368343aa03127958ec5a7cc507e469b5a028

    SHA256

    9bf4ace7974b14c0c0d4b9913f95ebcd3a4512c54dd4a04281af685ba1bdd895

    SHA512

    d9e747f865ecd24b5f95369cc5cc824a14cfbd827615331639c0d99ae512a2e18479c10e17f1368f4f96da741f4129e6bfd426f82f44346edd384d2bca5789c8

    Download Submit
  • memory/2216-33-0x0000000004980000-0x0000000004992000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2216-18-0x0000000004980000-0x0000000004998000-memory.dmp
    Filesize

    96KB

    Download
  • memory/2216-29-0x0000000004980000-0x0000000004992000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2216-17-0x0000000074440000-0x0000000074BF0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2216-19-0x0000000074440000-0x0000000074BF0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2216-47-0x0000000004980000-0x0000000004992000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2216-48-0x0000000074440000-0x0000000074BF0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2216-45-0x0000000004980000-0x0000000004992000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2216-43-0x0000000004980000-0x0000000004992000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2216-42-0x0000000004980000-0x0000000004992000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2216-39-0x0000000004980000-0x0000000004992000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2216-37-0x0000000004980000-0x0000000004992000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2216-35-0x0000000004980000-0x0000000004992000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2216-15-0x0000000002460000-0x000000000247A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2216-31-0x0000000004980000-0x0000000004992000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2216-16-0x00000000049E0000-0x0000000004F84000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/2216-27-0x0000000004980000-0x0000000004992000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2216-25-0x0000000004980000-0x0000000004992000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2216-23-0x0000000004980000-0x0000000004992000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2216-21-0x0000000004980000-0x0000000004992000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2216-20-0x0000000004980000-0x0000000004992000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2216-50-0x0000000074440000-0x0000000074BF0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2216-14-0x000000007444E000-0x000000007444F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3320-54-0x00000000004D0000-0x0000000000500000-memory.dmp
    Filesize

    192KB

    Download
  • memory/3320-55-0x00000000026B0000-0x00000000026B6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/3320-56-0x000000000A800000-0x000000000AE18000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/3320-57-0x000000000A340000-0x000000000A44A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/3320-58-0x000000000A270000-0x000000000A282000-memory.dmp
    Filesize

    72KB

    Download
  • memory/3320-59-0x000000000A2D0000-0x000000000A30C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/3320-60-0x00000000048A0000-0x00000000048EC000-memory.dmp
    Filesize

    304KB

    Download