Overview

overview

10

Static

static

3

00dc3a43dd...78.exe

windows10-2004-x64

10

061669c83b...c0.exe

windows10-2004-x64

10

0cc30df7f6...35.exe

windows10-2004-x64

10

1b26ae68f4...45.exe

windows10-2004-x64

10

3b9256f691...90.exe

windows7-x64

3

3b9256f691...90.exe

windows10-2004-x64

10

3ddd80ba69...8c.exe

windows7-x64

3

3ddd80ba69...8c.exe

windows10-2004-x64

10

3ff55c48fd...c7.exe

windows10-2004-x64

10

50be51fdd5...4b.exe

windows10-2004-x64

10

565e580e21...f4.exe

windows7-x64

1

565e580e21...f4.exe

windows10-2004-x64

1

5f157bb7f5...80.exe

windows10-2004-x64

10

6c066f3c43...19.exe

windows10-2004-x64

10

8355a17b5f...ac.exe

windows10-2004-x64

10

9a3f5d3f84...b2.exe

windows10-2004-x64

10

ae66f2f071...07.exe

windows10-2004-x64

10

b0fef95ff5...7c.exe

windows10-2004-x64

10

b11b1b57a3...06.exe

windows10-2004-x64

10

cd9de412cd...04.exe

windows7-x64

10

cd9de412cd...04.exe

windows10-2004-x64

10

db84115968...f3.exe

windows10-2004-x64

10

dce60a71ca...cc.exe

windows10-2004-x64

f5bf417643...17.exe

windows7-x64

3

f5bf417643...17.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 15:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6c066f3c43054e87d83f1b9983162f080d1fb4f01c5d81ac389dad5406dc5119.exe

  • Size

    1.5MB

  • MD5

    b6bd0fe9e2f14162d22a601e59a1740b

  • SHA1

    5a60ae626817e3638caca0fc80ad9a8200357e52

  • SHA256

    6c066f3c43054e87d83f1b9983162f080d1fb4f01c5d81ac389dad5406dc5119

  • SHA512

    af2f072c83766dc801720af1f3a94dca12035b46b3a038a4df7afecfb85021020f25b2f4827bcba7d6109176631730e0527772b37946564a40d6dc9ea92ae8d0

  • SSDEEP

    24576:GygAJsoOr2n6P8VRrbjJJ+XODPh25hMojCFMQsEtJoFs/dboavD3ZCzY2:VgABQ+6kpcoh2MntHdbJvD3ZCz

Score
10/10
healerredlinemashadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c066f3c43054e87d83f1b9983162f080d1fb4f01c5d81ac389dad5406dc5119.exe
    "C:\Users\Admin\AppData\Local\Temp\6c066f3c43054e87d83f1b9983162f080d1fb4f01c5d81ac389dad5406dc5119.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3594017.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3594017.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6910325.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6910325.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1780
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7180197.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7180197.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:3904
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8123398.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8123398.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4668
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6245387.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6245387.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4428
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2489469.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2489469.exe
          4⤵
          • Executes dropped EXE
          PID:556
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2232 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4736

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Modify Registry

    3
    T1112

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    2
    T1562.001

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
      Filesize

      226B

      MD5

      916851e072fbabc4796d8916c5131092

      SHA1

      d48a602229a690c512d5fdaf4c8d77547a88e7a2

      SHA256

      7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

      SHA512

      07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3594017.exe
      Filesize

      1.4MB

      MD5

      6dcf605b283d99f56267f2b456b144b0

      SHA1

      07c2968c300b767ea952dfa70766de0f5e0a01e4

      SHA256

      338a566494a7bec1e3b1a3402a6411cdce4f6b9a43f91cf635b6e623e841b0b2

      SHA512

      19db68dbdb0a91825cecd2cc95dff3c4b6ea4e7bda9bd5133a8659889278e2050e52a19c7b2e3c92f3141ed5c0f01218b274b84b34750fb8f184dd1018d7f6ff

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6910325.exe
      Filesize

      1.2MB

      MD5

      4b8bec8c7d90c10a6c3a4206cd0daacd

      SHA1

      3ee5c267c9f1941a77df3fe9f7496ee317c9b946

      SHA256

      5bbd2b8698ae1d319de29643dedf3409bb9dd36465d0819a5ee0f8d2bc699dc3

      SHA512

      21541e4b32b87567499a5630950c46d3cdb93daa1cd56bfff2fb510b3df2d1483973a183a4a7cdbd5f966f5af043999eb70b5fc41d47e6af2e743884062ffe74

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2489469.exe
      Filesize

      692KB

      MD5

      e6cd29bf585e04ccee606ec312366e6e

      SHA1

      6ce37e0bce59a8902615918436a0e9f8771aedab

      SHA256

      0c52bae0af3af62e8abfeb1f39bef2518d59a00d62e3b0f8a3617f1b934192bf

      SHA512

      02258ada9982d2553c99abd3d8ecf5322aadfaceaa09373bd77029a43f743a55992206cc9d16394a112ef989a24bd96ba50cbaa0ec9557f207f8d42207c60100

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7180197.exe
      Filesize

      620KB

      MD5

      b16e4a16f725f2433e720ce4e53b11c3

      SHA1

      d0ce61897edd0987c07973f8528843657059e1c7

      SHA256

      5cd250f298fde835d29a5626f9f04885e6ab5d2038524b54c17418a7803aa4ed

      SHA512

      805c1a61ca8023438f695bf72c69cf6e7eca12f0378ad7cf429607481da678c53eaea9bf0849505e493e83fbcab61abc240320f9d10d0633eb9c046a63e0fc03

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8123398.exe
      Filesize

      530KB

      MD5

      168857576903636965cac80e95ea7283

      SHA1

      96d8cac6e77c26e6eb0f998486ab5fa944dcefd6

      SHA256

      929f8a773b6bd8b411cc67be1d2d091486dc07b342b953778f3bb11296e04013

      SHA512

      61af83f8484c30e950c940eba5cb112f3981ad408c8133d50a321e1239b16ebb0e031b8d683437386baf925734a103a76b904cdf1a8bff0090a144199df07ab4

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6245387.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit
    • memory/556-49-0x000000000A500000-0x000000000A60A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/556-42-0x0000000000450000-0x0000000000480000-memory.dmp
      Filesize

      192KB

      Download
    • memory/556-47-0x00000000020D0000-0x00000000020D6000-memory.dmp
      Filesize

      24KB

      Download
    • memory/556-48-0x0000000009EA0000-0x000000000A4B8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/556-50-0x000000000A640000-0x000000000A652000-memory.dmp
      Filesize

      72KB

      Download
    • memory/556-51-0x000000000A660000-0x000000000A69C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/556-52-0x000000000A700000-0x000000000A74C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/4428-37-0x0000000000CE0000-0x0000000000CEA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4668-28-0x0000000000510000-0x000000000051A000-memory.dmp
      Filesize

      40KB

      Download