Overview

overview

10

Static

static

3

35bc4e4381...95.exe

windows7-x64

3

35bc4e4381...95.exe

windows10-2004-x64

10

3b67ac2053...51.exe

windows7-x64

10

3b67ac2053...51.exe

windows10-2004-x64

10

3b6c762231...ff.exe

windows10-2004-x64

10

434b1a9bd9...61.exe

windows7-x64

3

434b1a9bd9...61.exe

windows10-2004-x64

10

4869031eb8...36.exe

windows10-2004-x64

10

48bc2a90c7...f6.exe

windows10-2004-x64

10

4cb31f2944...3a.exe

windows7-x64

3

4cb31f2944...3a.exe

windows10-2004-x64

10

5951daaf24...9a.exe

windows10-2004-x64

10

60fc18182e...b7.exe

windows7-x64

3

60fc18182e...b7.exe

windows10-2004-x64

10

6830bfe3ca...86.exe

windows10-2004-x64

7

6bc897b262...6c.exe

windows10-2004-x64

10

6e5f213eb7...e3.exe

windows7-x64

3

6e5f213eb7...e3.exe

windows10-2004-x64

10

74375fb2d7...83.exe

windows7-x64

3

74375fb2d7...83.exe

windows10-2004-x64

10

91da85daf6...d8.exe

windows10-2004-x64

10

ac1a519838...39.exe

windows10-2004-x64

10

b8d6d40ceb...dc.exe

windows10-2004-x64

10

ca6e8bd0b3...3b.exe

windows7-x64

3

ca6e8bd0b3...3b.exe

windows10-2004-x64

10

fa3e143197...a1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-05-2024 07:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    91da85daf6df1f2a381493425471c65c1caf622791472ee7e1e7d551d4d611d8.exe

  • Size

    1.5MB

  • MD5

    68b9d46cb4498e49e084e54ec73e659c

  • SHA1

    51c333490de2a8150ef39ce4a6fd51bcc439146e

  • SHA256

    91da85daf6df1f2a381493425471c65c1caf622791472ee7e1e7d551d4d611d8

  • SHA512

    1a03f93cce2cbff326ee34f85c896c3b022a9784edc1e0d0f9164325d6e881b687fa5295372394a0379e805f3d4a9cf64b3b2ca076e8e91ab0a0645398f4c1b8

  • SSDEEP

    49152:vRJSITORDkr6F1JXxAiTVG9DWwOESEhU:p4lRDk+F1JB1+OEPh

Score
10/10
healerredlinemashadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\91da85daf6df1f2a381493425471c65c1caf622791472ee7e1e7d551d4d611d8.exe
    "C:\Users\Admin\AppData\Local\Temp\91da85daf6df1f2a381493425471c65c1caf622791472ee7e1e7d551d4d611d8.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3668
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5916649.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5916649.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1260
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7756712.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7756712.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4484
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7041328.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7041328.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1392
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1509017.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1509017.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1372
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7916186.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7916186.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3128
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0562518.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0562518.exe
          4⤵
          • Executes dropped EXE
          PID:2792
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:4760

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

3
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5916649.exe
    Filesize

    1.3MB

    MD5

    5f836cd0a466d1f6fb54b97ed10ea2a4

    SHA1

    26eff1fd46eaa5fcdcc9db884985a1013e920110

    SHA256

    4a4f34e629883170d53e83df516199725844fdbf54b5c811177fe3ee151f937a

    SHA512

    cc324decbb12b13d8dd8bcfea8fcc0a22394dabb165c8bbc1cf39f96251447930485cb91fb53dfa73c727c19c9d0f039084e714aa6ce77dd9aa48f299fa9bbb1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7756712.exe
    Filesize

    1.2MB

    MD5

    2aa217a812a6da6e11f73ac16822cd46

    SHA1

    adeea70f00457facc3a8d52d318a31d771e71ac8

    SHA256

    3549275cb4ab3c22514aed87b8c97080fa7399c768dd6f6b7d19d38ecd9e72c1

    SHA512

    5f1d4a2ff481bce9c8f1e5bb798986b41b9e520366b67898c9312e251f309db4cc57bffcdd892ba7cf75adb9d20dcc1fbf29aae0b012fad7313fe7d535141b1c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0562518.exe
    Filesize

    692KB

    MD5

    6554d5224f40cf9745376ba5af3a810c

    SHA1

    80b906c2048bb49e93bb582aa7a7909945f19b32

    SHA256

    c25f4bc7e836afc38a45334535515ac5b3a508ac89076b14e0f67272b1003671

    SHA512

    fa19adc7eef7b7962e9ee81fdcf1815f529b7ff382ce1b2f11fd802365a6b1e96363d9ce4dcac655a92d651012facdf3cac519d07272a83d3fcb063de94a8591

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7041328.exe
    Filesize

    620KB

    MD5

    4fa0fa3d59e0372ce84878f75c9690ab

    SHA1

    f82a1f60c7fa03ad68bf5c05d7296040dbf15d18

    SHA256

    9ff5a3cf07c839f702c49c1df67f1844c5a9aca3857c995c47b1157424e7e853

    SHA512

    4b5635b76e58b032e910101e4b2f1c97b3d818529616ef14507bb5447bb0984c447da72607069f6c5557d05027025a9e7ea129f7a6fa4ce4c8bb89082abe79bc

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1509017.exe
    Filesize

    530KB

    MD5

    392febb1bcb51ffd4a9019f2aa7fba82

    SHA1

    e9ad51d6043f0ccc93829e084f3e9440d6317a38

    SHA256

    b1f4801cf9033987a2e212ce20fa18963f4778e116d7f3ca0612991aa7f7e3b1

    SHA512

    604f67d12926fd55413908b4c0524321001c29ee7bd700bef49e2dbb78ffcc072621fb57310b256a9cd83df9d4133c2313c35fd8fa6344b71bc781b51e9b454d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7916186.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit
  • memory/1372-28-0x0000000000420000-0x000000000042A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2792-42-0x0000000000510000-0x0000000000540000-memory.dmp
    Filesize

    192KB

    Download
  • memory/2792-47-0x00000000021E0000-0x00000000021E6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/2792-48-0x0000000004C30000-0x0000000005248000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/2792-49-0x0000000005250000-0x000000000535A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/2792-50-0x0000000005360000-0x0000000005372000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2792-51-0x0000000005380000-0x00000000053BC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/2792-52-0x0000000005420000-0x000000000546C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/3128-37-0x0000000000A10000-0x0000000000A1A000-memory.dmp
    Filesize

    40KB

    Download