Overview

overview

10

Static

static

3

1668096fbf...95.exe

windows10-2004-x64

10

2159151861...2d.exe

windows10-2004-x64

10

22c5bd0a3e...19.exe

windows10-2004-x64

10

2a0ae333a9...1a.exe

windows7-x64

3

2a0ae333a9...1a.exe

windows10-2004-x64

10

4f86d48b3d...df.exe

windows10-2004-x64

10

53ecffef24...36.exe

windows10-2004-x64

10

75ccbf328f...af.exe

windows10-2004-x64

10

77ba6e9303...c2.exe

windows10-2004-x64

10

798aee8abb...5b.exe

windows10-2004-x64

10

79eaddd1dc...70.exe

windows10-2004-x64

10

80ada740eb...52.exe

windows10-2004-x64

10

9e3cf610e6...f0.exe

windows7-x64

10

9e3cf610e6...f0.exe

windows10-2004-x64

10

a5bd0160df...49.exe

windows10-2004-x64

10

aee53fccee...da.exe

windows10-2004-x64

10

af9c5ff480...30.exe

windows7-x64

3

af9c5ff480...30.exe

windows10-2004-x64

10

bfe644d3bd...29.exe

windows10-2004-x64

10

ca9f078739...a4.exe

windows10-2004-x64

10

dda511575f...2f.exe

windows10-2004-x64

10

ff541e0752...bb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-05-2024 08:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    80ada740ebfd0573ea8825fc2b499a0d326897ebf254fc015852802a58a05452.exe

  • Size

    1.0MB

  • MD5

    774a173c2d0a5266b73ba5527e606bbe

  • SHA1

    13173b00db1bff7e45c00be7327ae24bbb6e2ca6

  • SHA256

    80ada740ebfd0573ea8825fc2b499a0d326897ebf254fc015852802a58a05452

  • SHA512

    076a9ad2a5d639f932936bc5d614fe0b2bdbfe162134eecbd706ef3ff979930e3efa7a2561935b445ee3f5e6e837c3e1fea8cd4b280d2f73f412106df05f8639

  • SSDEEP

    12288:dMrly90aVXB6zrLW/kRNgMwsBpdTgep1Ez7O92GtV4zCpGr1DUzAWXZnQ2P++3qG:kylXB6XOALgepYO4GcFrQXZnBP+uqSh

Score
10/10
healerredlinemashadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\80ada740ebfd0573ea8825fc2b499a0d326897ebf254fc015852802a58a05452.exe
    "C:\Users\Admin\AppData\Local\Temp\80ada740ebfd0573ea8825fc2b499a0d326897ebf254fc015852802a58a05452.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4256
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8090310.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8090310.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4624
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9647761.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9647761.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3320
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8497582.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8497582.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1740
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3946096.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3946096.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4612
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9970516.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9970516.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2376
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0603818.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0603818.exe
          4⤵
          • Executes dropped EXE
          PID:868

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

3
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8090310.exe
    Filesize

    905KB

    MD5

    38c200369a04519fac5b3dcf4ebff331

    SHA1

    ff91709a4270db05e8dc066f98b4183a934b3dfd

    SHA256

    9a0a6c0da259644cdffc971f307aa355c30e2f3b3b5432a1cc160833657d7cb9

    SHA512

    d4fa2fb01a1971560c29a4a8d3e31924477f17f43befd56cd872b011200937dcf55adf9da65a214fa2f358f5b398ef205303052b7474dde41a06ae48a0199eb7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9647761.exe
    Filesize

    722KB

    MD5

    e6bbcdaa2e24195d332b8d33f5c3c735

    SHA1

    18e3f00e89839e508ce56af566b8342c0694ca98

    SHA256

    9b0ce5a11bf7d6a365ddf391615dd64ff0bbb20d7233b2e47daf2969ad665c9d

    SHA512

    f2816aa283529403bf734ae4a54b95ac65bcdab49d63f8f7ba8c32f0cdc7f0e8f2db78c7ce991956cc3f4dfd03d3a2e53da5b71437f6465b8e4a5e206892a683

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0603818.exe
    Filesize

    490KB

    MD5

    5970af2c3b0603e1dd319e8842c90b23

    SHA1

    61ec8e4179e9e6a897dca4f2000f59f164095a8a

    SHA256

    8bfdcc0c67963381921087eb22dda3b54c37eaf799fdc0dbfc25ea0fd6b987c5

    SHA512

    20279989de39b520f929579aeebf9c2bc1ae90189922611b7fbfc7a682c0b788883350978ef8b616b6a7fac30196ffce35c6910318701e3edba20fb9b91190d7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8497582.exe
    Filesize

    324KB

    MD5

    c311fe993ae5852b8d3884a385443b91

    SHA1

    cf3c1b692e6fb7953c200ab5aa9952dc8e898070

    SHA256

    06f50cc8c2530511d29e83c704132b3981d1bd93c70e5c01a79107894ba06ed0

    SHA512

    d62ba67a09721def6306f70e27dcedc236ee7fbcf4fecae2e461adcdc93a96e089129a278cde956edf29d9de2b00975144263fabe56e0a50e0ec91adf21c48c4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3946096.exe
    Filesize

    292KB

    MD5

    849938a7566cc3392c8de12b3f58e43f

    SHA1

    45f699e0713aa0b80ed12d1ce1e1d46e77b03e98

    SHA256

    36d27a57c260e9e2cda09be256605aa4e0e95ede7c7764951e1d575f6192c706

    SHA512

    86192b5aa19d7b5c0902200f3b849d22749b07dc2ca174a5a5a4a37c0aeafd6088e51a0e7a8335dda498099e74345be08b8c7f63bd1e36c9e07d09867e907e48

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9970516.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit
  • memory/868-58-0x00000000081D0000-0x00000000081E2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/868-59-0x00000000081F0000-0x000000000822C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/868-60-0x0000000008260000-0x00000000082AC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/868-47-0x00000000005F0000-0x000000000067C000-memory.dmp
    Filesize

    560KB

    Download
  • memory/868-57-0x00000000080A0000-0x00000000081AA000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/868-53-0x00000000005F0000-0x000000000067C000-memory.dmp
    Filesize

    560KB

    Download
  • memory/868-55-0x00000000043D0000-0x00000000043D6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/868-56-0x0000000008680000-0x0000000008C98000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/2376-41-0x00000000009D0000-0x00000000009DA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4612-35-0x0000000002330000-0x0000000002331000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4612-34-0x0000000000590000-0x00000000005CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4612-28-0x0000000000590000-0x00000000005CE000-memory.dmp
    Filesize

    248KB

    Download