Overview

overview

10

Static

static

3

000643ece0...88.exe

windows10-2004-x64

10

0e413fa969...3c.exe

windows10-2004-x64

10

123830f5ad...0f.exe

windows10-2004-x64

10

189bf8b11d...e3.exe

windows10-2004-x64

10

30781e91d6...0c.exe

windows7-x64

3

30781e91d6...0c.exe

windows10-2004-x64

10

4312b77e60...ce.exe

windows10-2004-x64

10

55a2613b91...ce.exe

windows10-2004-x64

10

57e17d171c...0b.exe

windows10-2004-x64

10

604b676155...8c.exe

windows10-2004-x64

10

617783538b...1f.exe

windows10-2004-x64

10

729187837b...ea.exe

windows10-2004-x64

10

747238b5bd...97.exe

windows10-2004-x64

10

7ec0dcfd62...a1.exe

windows7-x64

3

7ec0dcfd62...a1.exe

windows10-2004-x64

10

8468f46bfb...d1.exe

windows10-2004-x64

10

8e6dae5587...22.exe

windows10-2004-x64

10

9966ddcefb...d8.exe

windows10-2004-x64

10

b7dd4fa2a0...d9.exe

windows7-x64

3

b7dd4fa2a0...d9.exe

windows10-2004-x64

10

dd86e508d3...d9.exe

windows10-2004-x64

7

e500bee084...71.exe

windows10-2004-x64

10

ff54e8ca62...50.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    126s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 14:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e500bee084b2757ef23283d465255eeb1eed61d9ed67171a24f814de66cf3b71.exe

  • Size

    1.5MB

  • MD5

    32d48c8cdbfd96746a7f1c55f20a4947

  • SHA1

    7c8dc77a635685a78606165716662958487c72a3

  • SHA256

    e500bee084b2757ef23283d465255eeb1eed61d9ed67171a24f814de66cf3b71

  • SHA512

    e5ac29b64ac187f5cffc8a4a96fe617b138f847076a3bcd35a4c68eab59f103a0fdba0fca685592270942c08c2e7785521fe416bce4057f748ffcce89159c19d

  • SSDEEP

    24576:7yPZKhpcvJxHm4U5sa6uyHWkAN+dX0xecCgTOffPGzedaNycCe0XM7fl1h6MlzY:uyGvJxG4Cc7J7gqffP/tcCtXmflnP

Score
10/10
healerredlinemashadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e500bee084b2757ef23283d465255eeb1eed61d9ed67171a24f814de66cf3b71.exe
    "C:\Users\Admin\AppData\Local\Temp\e500bee084b2757ef23283d465255eeb1eed61d9ed67171a24f814de66cf3b71.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4688
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0520560.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0520560.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4160
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0565861.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0565861.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4520
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0689812.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0689812.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:3392
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6801018.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6801018.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3040
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0686319.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0686319.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:392
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7618530.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7618530.exe
          4⤵
          • Executes dropped EXE
          PID:3708

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

3
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0520560.exe
    Filesize

    1.3MB

    MD5

    5a006d527dde72f0bc51a3fdee4b1cdd

    SHA1

    cf0962f8ee0635e59e92221584a875e45a047480

    SHA256

    0c06bebf8e11d8d2467f90c5b26a5d24797cf65590877d5e30e804d07792187c

    SHA512

    89dc2c221b39c8b72e420e5f547b04a5e58a6102f6afe75acd7607897bb99fb9451d53bee131fa1cffa128defc07d58ef39b256a0779dbeec082ed90468fa40c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0565861.exe
    Filesize

    1.2MB

    MD5

    2d2f98038a94c1b5a27dabb43516b481

    SHA1

    c38e7390d73496ee51ebcd6d2c998efde21d196b

    SHA256

    e7b28986d5e5ddba7a489d10bb1cd93e41add21f3e8e0b472f885b5d393d112f

    SHA512

    40da19e60229855024459fe45c2f0c645ed7bc208af82478948a5f2474d25f039e958ce8437cf10f66e17685c7976b1e2d64a5e8e2c5a8fec3150ae828ce8ca3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7618530.exe
    Filesize

    692KB

    MD5

    8c07c258604ef2c6253686dc2ebe6937

    SHA1

    b91099c9103265611e877f398dccfa6edaaefd25

    SHA256

    b59ecca695cc3aac7d02df5329cadec0168779df455dce2bb69711c06aae6389

    SHA512

    367d8bfb15eb92ffd750649e75abc2976d8ed3a82c050f053c3622daa57e9a70e312caab2bd63e464ca0878d75928cbaf39406d4d3a05d06e7ec057dd227f2a9

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0689812.exe
    Filesize

    621KB

    MD5

    9c8172d995e82f94df848aa37a96bb73

    SHA1

    2e5ccafda1f76202b5c90c8a52ea12042b0e1565

    SHA256

    85399056e1683ef7185f77951310e5f7eba10a2df94382523ad09c479950b3f0

    SHA512

    7bb100316a12017d934dc3cb1bbbbc3e5d0171775da4d8c2f79e14f265fc5f153c68f16aef5160b20626a0e6a0d0cb9bcc3f5591378ba2d9d9b24fb0a064eb6b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6801018.exe
    Filesize

    530KB

    MD5

    231fa67dcb2a7c6190da502d02a7ae9f

    SHA1

    1d2ba9ec8de8d4a8dde062739313e126c7fd756a

    SHA256

    369898f70baee653a53774650f75ff74ed4c0ce7ec690de9511e3e7b6f1e43ae

    SHA512

    b3253446c2ce9af7123c67ac54ae3f7f4202ad8ea32885bac3e0b60089a05b1f2066e57a1216496f79de415d4ba8a606243d030fda741e44b41c24295bf9b00e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0686319.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit
  • memory/392-37-0x0000000000020000-0x000000000002A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3040-28-0x00000000004F0000-0x00000000004FA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3708-42-0x0000000000510000-0x0000000000540000-memory.dmp
    Filesize

    192KB

    Download
  • memory/3708-47-0x00000000006C0000-0x00000000006C6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/3708-48-0x0000000009E50000-0x000000000A468000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/3708-49-0x000000000A500000-0x000000000A60A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/3708-50-0x000000000A640000-0x000000000A652000-memory.dmp
    Filesize

    72KB

    Download
  • memory/3708-51-0x000000000A660000-0x000000000A69C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/3708-52-0x0000000004380000-0x00000000043CC000-memory.dmp
    Filesize

    304KB

    Download