Overview

overview

10

Static

static

3

1668096fbf...95.exe

windows10-2004-x64

10

2159151861...2d.exe

windows10-2004-x64

10

22c5bd0a3e...19.exe

windows10-2004-x64

10

2a0ae333a9...1a.exe

windows7-x64

3

2a0ae333a9...1a.exe

windows10-2004-x64

10

4f86d48b3d...df.exe

windows10-2004-x64

10

53ecffef24...36.exe

windows10-2004-x64

10

75ccbf328f...af.exe

windows10-2004-x64

10

77ba6e9303...c2.exe

windows10-2004-x64

10

798aee8abb...5b.exe

windows10-2004-x64

10

79eaddd1dc...70.exe

windows10-2004-x64

10

80ada740eb...52.exe

windows10-2004-x64

10

9e3cf610e6...f0.exe

windows7-x64

10

9e3cf610e6...f0.exe

windows10-2004-x64

10

a5bd0160df...49.exe

windows10-2004-x64

10

aee53fccee...da.exe

windows10-2004-x64

10

af9c5ff480...30.exe

windows7-x64

3

af9c5ff480...30.exe

windows10-2004-x64

10

bfe644d3bd...29.exe

windows10-2004-x64

10

ca9f078739...a4.exe

windows10-2004-x64

10

dda511575f...2f.exe

windows10-2004-x64

10

ff541e0752...bb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-05-2024 07:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    80ada740ebfd0573ea8825fc2b499a0d326897ebf254fc015852802a58a05452.exe

  • Size

    1.0MB

  • MD5

    774a173c2d0a5266b73ba5527e606bbe

  • SHA1

    13173b00db1bff7e45c00be7327ae24bbb6e2ca6

  • SHA256

    80ada740ebfd0573ea8825fc2b499a0d326897ebf254fc015852802a58a05452

  • SHA512

    076a9ad2a5d639f932936bc5d614fe0b2bdbfe162134eecbd706ef3ff979930e3efa7a2561935b445ee3f5e6e837c3e1fea8cd4b280d2f73f412106df05f8639

  • SSDEEP

    12288:dMrly90aVXB6zrLW/kRNgMwsBpdTgep1Ez7O92GtV4zCpGr1DUzAWXZnQ2P++3qG:kylXB6XOALgepYO4GcFrQXZnBP+uqSh

Score
10/10
healerredlinemashadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\80ada740ebfd0573ea8825fc2b499a0d326897ebf254fc015852802a58a05452.exe
    "C:\Users\Admin\AppData\Local\Temp\80ada740ebfd0573ea8825fc2b499a0d326897ebf254fc015852802a58a05452.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4820
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8090310.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8090310.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4260
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9647761.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9647761.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2252
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8497582.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8497582.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:3132
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3946096.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3946096.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3488
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9970516.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9970516.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3956
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0603818.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0603818.exe
          4⤵
          • Executes dropped EXE
          PID:1396
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4300

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
      Filesize

      226B

      MD5

      916851e072fbabc4796d8916c5131092

      SHA1

      d48a602229a690c512d5fdaf4c8d77547a88e7a2

      SHA256

      7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

      SHA512

      07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8090310.exe
      Filesize

      905KB

      MD5

      38c200369a04519fac5b3dcf4ebff331

      SHA1

      ff91709a4270db05e8dc066f98b4183a934b3dfd

      SHA256

      9a0a6c0da259644cdffc971f307aa355c30e2f3b3b5432a1cc160833657d7cb9

      SHA512

      d4fa2fb01a1971560c29a4a8d3e31924477f17f43befd56cd872b011200937dcf55adf9da65a214fa2f358f5b398ef205303052b7474dde41a06ae48a0199eb7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9647761.exe
      Filesize

      722KB

      MD5

      e6bbcdaa2e24195d332b8d33f5c3c735

      SHA1

      18e3f00e89839e508ce56af566b8342c0694ca98

      SHA256

      9b0ce5a11bf7d6a365ddf391615dd64ff0bbb20d7233b2e47daf2969ad665c9d

      SHA512

      f2816aa283529403bf734ae4a54b95ac65bcdab49d63f8f7ba8c32f0cdc7f0e8f2db78c7ce991956cc3f4dfd03d3a2e53da5b71437f6465b8e4a5e206892a683

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0603818.exe
      Filesize

      490KB

      MD5

      5970af2c3b0603e1dd319e8842c90b23

      SHA1

      61ec8e4179e9e6a897dca4f2000f59f164095a8a

      SHA256

      8bfdcc0c67963381921087eb22dda3b54c37eaf799fdc0dbfc25ea0fd6b987c5

      SHA512

      20279989de39b520f929579aeebf9c2bc1ae90189922611b7fbfc7a682c0b788883350978ef8b616b6a7fac30196ffce35c6910318701e3edba20fb9b91190d7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8497582.exe
      Filesize

      324KB

      MD5

      c311fe993ae5852b8d3884a385443b91

      SHA1

      cf3c1b692e6fb7953c200ab5aa9952dc8e898070

      SHA256

      06f50cc8c2530511d29e83c704132b3981d1bd93c70e5c01a79107894ba06ed0

      SHA512

      d62ba67a09721def6306f70e27dcedc236ee7fbcf4fecae2e461adcdc93a96e089129a278cde956edf29d9de2b00975144263fabe56e0a50e0ec91adf21c48c4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3946096.exe
      Filesize

      292KB

      MD5

      849938a7566cc3392c8de12b3f58e43f

      SHA1

      45f699e0713aa0b80ed12d1ce1e1d46e77b03e98

      SHA256

      36d27a57c260e9e2cda09be256605aa4e0e95ede7c7764951e1d575f6192c706

      SHA512

      86192b5aa19d7b5c0902200f3b849d22749b07dc2ca174a5a5a4a37c0aeafd6088e51a0e7a8335dda498099e74345be08b8c7f63bd1e36c9e07d09867e907e48

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9970516.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • memory/1396-59-0x000000000A0B0000-0x000000000A0EC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1396-58-0x000000000A090000-0x000000000A0A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1396-60-0x000000000A120000-0x000000000A16C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1396-46-0x0000000000730000-0x00000000007BC000-memory.dmp

      Filesize

      560KB

      Download

    • memory/1396-57-0x0000000009F80000-0x000000000A08A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1396-53-0x0000000000730000-0x00000000007BC000-memory.dmp

      Filesize

      560KB

      Download

    • memory/1396-55-0x00000000022C0000-0x00000000022C6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1396-56-0x000000000A5A0000-0x000000000ABB8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3488-28-0x0000000000560000-0x000000000059E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3488-35-0x0000000002440000-0x0000000002441000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3488-34-0x0000000000560000-0x000000000059E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3956-41-0x0000000000210000-0x000000000021A000-memory.dmp

      Filesize

      40KB

      Download