Overview

overview

10

Static

static

3

0b4bb67302...ca.exe

windows10-2004-x64

9

10f472a1b5...37.exe

windows10-2004-x64

10

1208df4133...ab.exe

windows10-2004-x64

10

22c8884d0e...34.exe

windows10-2004-x64

10

277f52adcf...94.exe

windows10-2004-x64

10

3a484bb7d4...29.exe

windows10-2004-x64

10

3bdb06aad8...f3.exe

windows7-x64

10

3bdb06aad8...f3.exe

windows10-2004-x64

10

3d03f2fde9...00.exe

windows10-2004-x64

10

40fbde6d35...71.exe

windows10-2004-x64

10

53b6f1fa7f...02.exe

windows7-x64

10

53b6f1fa7f...02.exe

windows10-2004-x64

10

6286d393c9...52.exe

windows7-x64

3

6286d393c9...52.exe

windows10-2004-x64

10

66b71ef5ba...21.exe

windows10-2004-x64

10

7c73d83c0a...75.exe

windows10-2004-x64

10

bccb41d4cd...17.exe

windows10-2004-x64

10

c1c526ed2a...52.exe

windows10-2004-x64

10

c726b1e0ec...ab.exe

windows10-2004-x64

10

c8c3182273...54.exe

windows10-2004-x64

10

d1e8dbd667...dd.exe

windows10-2004-x64

10

d4fbce6f6a...86.exe

windows7-x64

3

d4fbce6f6a...86.exe

windows10-2004-x64

10

d7873c75af...a3.exe

windows10-2004-x64

10

e25842dbe6...9e.exe

windows10-2004-x64

10

fa1fbbcbd6...cf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 15:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    66b71ef5ba881cda863dc50bab8ede20c8bdff7c699aa7b767f476f2b83eb421.exe

  • Size

    480KB

  • MD5

    c02ec5e8fc2fe204743dec04b2cbccd6

  • SHA1

    d717abef0062b1d3e57d98ccb9f85ccdc7b327bb

  • SHA256

    66b71ef5ba881cda863dc50bab8ede20c8bdff7c699aa7b767f476f2b83eb421

  • SHA512

    0e38a7a0c888c838c86e6fe0deb81670013eb115ead38c897234a092667b9b7ba5422929ac7a49d7d65abcd9980df20775561e56c78cc77c56d25c5a6db3b265

  • SSDEEP

    12288:ZMrhy900QM7wc96iwcErPP03xzz97vGNbVSgUu:EyBuLiwcG4zzZvGFEgUu

Score
10/10
healerredlinemihandropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

mihan

C2

217.196.96.101:4132

Attributes
  • auth_value

    9a6a8fdae02ed7caa0a49a6ddc6d4520

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\66b71ef5ba881cda863dc50bab8ede20c8bdff7c699aa7b767f476f2b83eb421.exe
    "C:\Users\Admin\AppData\Local\Temp\66b71ef5ba881cda863dc50bab8ede20c8bdff7c699aa7b767f476f2b83eb421.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3632
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4178244.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4178244.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3940
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1293502.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1293502.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4588
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2905463.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2905463.exe
        3⤵
        • Executes dropped EXE
        PID:4484
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:4140

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

3
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4178244.exe
    Filesize

    309KB

    MD5

    31aa7ae095e88de2d272560f895ffecd

    SHA1

    c0632bc222408e5f3fa97086e029b6cbf8f2708f

    SHA256

    178d183809c40705b26fa5e457dbec1a2eda39271796793a738312b8787681ff

    SHA512

    cf3e4923087933989f5fcaad821478998d01f22040b39434dfdad8a32d6d5d0c8005bbefeffdbf7b24f67964569718d764e1985a66536fef479314fc2845cc8f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1293502.exe
    Filesize

    180KB

    MD5

    16247590e4f9d60c9e63766be809b6db

    SHA1

    ac57debf2b32e23ecd4b67176a779103cb61e83b

    SHA256

    3e5799c459da6b5be327b68e8f00ce3dbb4854feea37cee88ba84c71869545c0

    SHA512

    a206f3b43dbf1adac41a1f59cdb3356cb730a17b804628a40f6421fac2edf4f22933d01ccd73e2ba9f091353638c07260a04c152dc0ec192d5c5e6b297643881

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2905463.exe
    Filesize

    168KB

    MD5

    e3af0eef5a503b4464cc0aab7c6cc2ae

    SHA1

    33a7b86053d634a24ab5f82e3e518d7220bd2fcc

    SHA256

    b115e0f8278fc1e4c286bdb2fa1a16068bf95f0c604f17ef194d53e2efa84ab6

    SHA512

    b9d7a59b617eb666cb261d504acd1da49deb5a47f79fc97f1a3be42ca4721fae4b813f73a5fdb1aa7817a83dec7e8ec4a7fec297a8284cb49f108556cc0357e4

    Download Submit
  • memory/4484-60-0x0000000005AF0000-0x0000000005B3C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/4484-59-0x0000000005970000-0x00000000059AC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/4484-58-0x0000000005910000-0x0000000005922000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4484-57-0x00000000059E0000-0x0000000005AEA000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4484-56-0x0000000005EC0000-0x00000000064D8000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/4484-55-0x0000000001660000-0x0000000001666000-memory.dmp
    Filesize

    24KB

    Download
  • memory/4484-54-0x0000000000E50000-0x0000000000E80000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4588-38-0x0000000004990000-0x00000000049A2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4588-26-0x0000000004990000-0x00000000049A2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4588-46-0x0000000004990000-0x00000000049A2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4588-44-0x0000000004990000-0x00000000049A2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4588-42-0x0000000004990000-0x00000000049A2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4588-40-0x0000000004990000-0x00000000049A2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4588-36-0x0000000004990000-0x00000000049A2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4588-34-0x0000000004990000-0x00000000049A2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4588-32-0x0000000004990000-0x00000000049A2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4588-30-0x0000000004990000-0x00000000049A2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4588-28-0x0000000004990000-0x00000000049A2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4588-48-0x0000000004990000-0x00000000049A2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4588-22-0x0000000004990000-0x00000000049A2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4588-21-0x0000000004990000-0x00000000049A2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4588-50-0x00000000746F0000-0x0000000074EA0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4588-24-0x0000000004990000-0x00000000049A2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4588-20-0x00000000746F0000-0x0000000074EA0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4588-19-0x00000000746F0000-0x0000000074EA0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4588-18-0x0000000004990000-0x00000000049A8000-memory.dmp
    Filesize

    96KB

    Download
  • memory/4588-17-0x0000000004B50000-0x00000000050F4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4588-16-0x00000000746F0000-0x0000000074EA0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4588-15-0x00000000023C0000-0x00000000023DA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/4588-14-0x00000000746FE000-0x00000000746FF000-memory.dmp
    Filesize

    4KB

    Download