Overview

overview

10

Static

static

3

06ca8c24aa...f2.exe

windows10-2004-x64

10

0a65c97791...d1.exe

windows10-2004-x64

10

131675744e...29.exe

windows10-2004-x64

10

204413b9cd...ef.exe

windows10-2004-x64

10

236732ce45...d5.exe

windows7-x64

3

236732ce45...d5.exe

windows10-2004-x64

10

23bc83a4a6...94.exe

windows10-2004-x64

10

3c35dfb6ea...cb.exe

windows10-2004-x64

10

42aaf3452f...91.exe

windows10-2004-x64

10

42d39578cc...dd.exe

windows10-2004-x64

10

4f4e29cb12...50.exe

windows10-2004-x64

10

566c1670c8...b3.exe

windows7-x64

3

566c1670c8...b3.exe

windows10-2004-x64

10

5b49e20d68...4b.exe

windows10-2004-x64

10

6a07da5bb1...d3.exe

windows10-2004-x64

10

6fca9c5ffc...25.exe

windows10-2004-x64

10

9a7761a218...43.exe

windows7-x64

3

9a7761a218...43.exe

windows10-2004-x64

10

9c63b1ba60...a6.exe

windows10-2004-x64

10

c4172a7d8d...fa.exe

windows7-x64

3

c4172a7d8d...fa.exe

windows10-2004-x64

10

c69d581e2c...e2.exe

windows10-2004-x64

10

d6c7041aa6...93.exe

windows7-x64

3

d6c7041aa6...93.exe

windows10-2004-x64

10

d9d3f90c8c...39.exe

windows7-x64

3

d9d3f90c8c...39.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 15:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0a65c977910ca28680d005dc6473013f3db66862b80fc54be76caaa774022bd1.exe

  • Size

    864KB

  • MD5

    c86ea9744ea3cca905b7657585568de6

  • SHA1

    ba018b2d08a84d2e411b27e314cb8a23a06865f8

  • SHA256

    0a65c977910ca28680d005dc6473013f3db66862b80fc54be76caaa774022bd1

  • SHA512

    720bb844157dddb335fd3660b32ee9bec30ae3853fe5b26d3194ea517481a9f6b265b977e5d8bbbc92316f7ed9d173380192d93ab3b4fe2521d26462798c05b8

  • SSDEEP

    12288:9MrBy90lDtGyHT69dmXPVxG0IYjxSkZiUnt6YdipFOj47Ec0yWLcp6pSa8YmZ41:kyQtGyHh9xV5QFpQj4T0HLc5NtO

Score
10/10
healerredlinekiradropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

kira

C2

77.91.68.48:19071

Attributes
  • auth_value

    1677a40fd8997eb89377e1681911e9c6

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a65c977910ca28680d005dc6473013f3db66862b80fc54be76caaa774022bd1.exe
    "C:\Users\Admin\AppData\Local\Temp\0a65c977910ca28680d005dc6473013f3db66862b80fc54be76caaa774022bd1.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2246758.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2246758.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3608
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8233586.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8233586.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2596
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6911492.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6911492.exe
        3⤵
        • Executes dropped EXE
        PID:832

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

3
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2246758.exe
    Filesize

    681KB

    MD5

    b9279e968f91da41144a000ef5b42321

    SHA1

    e5a9ec6cad2c292cc362faa3e0f0fc41c5d6ef09

    SHA256

    feec5c272e7bff5aded15e4b7ae393595d187d66a0e01dfe96725e6a7728d903

    SHA512

    3c1426808507a715a57506b5efbc23417f06692b184268f9ebe0ad6d3fa5ae6d77cb8d2ec36e94277e42c2d511d84d5b179801504eacb4f51b4c20788948216d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8233586.exe
    Filesize

    530KB

    MD5

    b486d0327ac3e8df771fc57d1c8f9eb4

    SHA1

    6927a5271caa1f8afbadb32349dcc7cbef0a9e78

    SHA256

    7880cdc9c1da87ac1af30b59f7ca066ed7df4e138dd1925e5324e84f2e643465

    SHA512

    0b47fdc861de16a959392e82bf8e0f9a45b9413a1aea7244a9de0bf37871f03f7483bb0cdc487b2c87fb7059c458ce868196268c48300157d148aaafcfc98351

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6911492.exe
    Filesize

    691KB

    MD5

    f2f15ebacc353c878213af99699b34dc

    SHA1

    716a391fd178103c1745c6513b79130db386e77f

    SHA256

    2f48dce96a3a36a28a789c89629fc818702a5ba0f3f29e3380a6ff81ddb9d96a

    SHA512

    51632819df0db968445475defdd17e0d5b2226ea7c102edaf17ced6c4f19fd3eaeb748e732a16876cd9ca0500bcadf7d2214be9ece4a903b1f8e2ad78138e9e8

    Download Submit
  • memory/832-31-0x0000000009FA0000-0x000000000A5B8000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/832-26-0x0000000000440000-0x0000000000470000-memory.dmp
    Filesize

    192KB

    Download
  • memory/832-30-0x0000000002420000-0x0000000002426000-memory.dmp
    Filesize

    24KB

    Download
  • memory/832-32-0x000000000A640000-0x000000000A74A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/832-33-0x000000000A780000-0x000000000A792000-memory.dmp
    Filesize

    72KB

    Download
  • memory/832-34-0x000000000A7A0000-0x000000000A7DC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/832-35-0x0000000002460000-0x00000000024AC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/2596-19-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2596-18-0x0000000000401000-0x0000000000402000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2596-14-0x00000000004F0000-0x00000000004FA000-memory.dmp
    Filesize

    40KB

    Download