Analysis

  • max time kernel: 141s
  • max time network: 156s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240426-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 13-05-2024 08:13

General

  • Target: 16b83c892688e1869a75fcf88075e1a7a0983c284c41a7ff721e23cb6b9c9f86.exe
  • Size: 389KB
  • MD5: 1e6d0394a9335f03d83a7f498df12ec8
  • SHA1: aa25774159336873d0799b11546d7cec88ebca87
  • SHA256: 16b83c892688e1869a75fcf88075e1a7a0983c284c41a7ff721e23cb6b9c9f86
  • SHA512: 4bb7c4a3706e4056f6cc38e46dafab8e6bd463a148d5bc46197f7957f750d51c6d98903eeebe5b560283d1e15536bebad88c364e3776d5b804d99f36b8a17393
  • SSDEEP: 6144:Kqy+bnr+gp0yN90QE+rBmAS9kW2PZNK9zG1evw+IsQnjCgK83sE6ZnRC7D4I/FWB:uMrIy90wsAS/kBQk6o7D4I6d

Malware Config

Extracted

  • Family: redline
  • Botnet: roma
  • C2: 77.91.68.56:19071
  • Attributes
    • auth_value: f099c2cf92834dbc554a94e1456cf576

Signatures

  • Detects Healer, an antivirus disabler dropper (2 IoCs)
  • Healer

    Healer is an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings (3 TTPs, 6 IoCs)
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload (2 IoCs)
  • Executes dropped EXE (3 IoCs)
  • Windows security modification (2 TTPs, 1 IoC)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\16b83c892688e1869a75fcf88075e1a7a0983c284c41a7ff721e23cb6b9c9f86.exe
    "C:\Users\Admin\AppData\Local\Temp\16b83c892688e1869a75fcf88075e1a7a0983c284c41a7ff721e23cb6b9c9f86.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1368932.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1368932.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4688
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9600155.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9600155.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3308
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7637580.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7637580.exe
        3⤵
        • Executes dropped EXE
        PID:1464

Network

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  • Create or Modify System Process (1) T1543
    • Windows Service (1) T1543.003
  • Boot or Logon Autostart Execution (1) T1547
    • Registry Run Keys / Startup Folder (1) T1547.001

Privilege Escalation
  • Create or Modify System Process (1) T1543
    • Windows Service (1) T1543.003
  • Boot or Logon Autostart Execution (1) T1547
    • Registry Run Keys / Startup Folder (1) T1547.001

Defense Evasion
  • Modify Registry (3) T1112
  • Impair Defenses (2) T1562
    • Disable or Modify Tools (2) T1562.001


Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1368932.exe
    Filesize: 206KB
    MD5: f389811e3e6c0afdba444f02db669093
    SHA1: 2f67d8c13e1477415f6ef5408a2940c7739b21dc
    SHA256: 48da474cb540b3f33c0b78853f06ed9249618db3e5c4670d45b18a1a6180e0f2
    SHA512: 49c9acb85f437e75a43cb215e96fe13dc56f05595b27c57ecdb73516a5e53cfb21cb6a0faf38e32af69f72d1a4a358f08ad4e819e8944bf77ae9f46050e7787a

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9600155.exe
    Filesize: 13KB
    MD5: d3ed7b336677ab4edb046bcaadbf972f
    SHA1: d8a6e54a5a4431f985a3157b93aaae0e04bb1325
    SHA256: 1109e4e67a017af633fad9733479bf067a924c950974c946c381958801a6d5bc
    SHA512: 6e2a47a5729043b9708f5a781159853b5b0f4c0a228309a7c427c5f4afcdff4f82f1f56e1f0a1defbcf15f5eb1ae4c8db22f84295c5ed3c8dbe3c82d8331cfc2

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7637580.exe
    Filesize: 175KB
    MD5: e4232b49c9b6f09e99407fd03ad1a93d
    SHA1: c6ed2f7d1587e1970b0f566ad5e5ade07404d9ae
    SHA256: 462107d8de1bad294f86e326dea00e9a1f04b9045f2370e57fe4948ed3688802
    SHA512: ec8c6cfbe8d15468a5797eb15263d69cd129aae064b44350b0f641906dd745011df5f56831badaa725fc77f37882b5144452f9f811d1fa00594984bbff6f75f6

  • memory/1464-20-0x0000000000790000-0x00000000007C0000-memory.dmp
    Filesize: 192KB
  • memory/1464-21-0x00000000050F0000-0x00000000050F6000-memory.dmp
    Filesize: 24KB
  • memory/1464-22-0x000000000AC20000-0x000000000B238000-memory.dmp
    Filesize: 6.1MB
  • memory/1464-23-0x000000000A740000-0x000000000A84A000-memory.dmp
    Filesize: 1.0MB
  • memory/1464-24-0x000000000A680000-0x000000000A692000-memory.dmp
    Filesize: 72KB
  • memory/1464-25-0x000000000A6E0000-0x000000000A71C000-memory.dmp
    Filesize: 240KB
  • memory/1464-26-0x0000000002A60000-0x0000000002AAC000-memory.dmp
    Filesize: 304KB
  • memory/3308-14-0x0000000000920000-0x000000000092A000-memory.dmp
    Filesize: 40KB
  • memory/3308-15-0x00007FFD7D153000-0x00007FFD7D155000-memory.dmp
    Filesize: 8KB