Overview

overview

10

Static

static

3

22dd95c07b...7c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-05-2024 19:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    22dd95c07bea90fada5a83b65f8fc90e5ebe8b37332e3895926cad58160aeb7c.exe

  • Size

    307KB

  • MD5

    8b19ea848d55ba867ec04670a326db4a

  • SHA1

    93f9e4233e44756d26d436532dccad9bdebdc083

  • SHA256

    22dd95c07bea90fada5a83b65f8fc90e5ebe8b37332e3895926cad58160aeb7c

  • SHA512

    538490707176b4e78b446e5b86b850b687141f844895f1673dbccdec97be94f72fcd66631a0b92d64a8de097a3aab80f1eda5bc56b1bf8cf0bbc700c8dcda7e7

  • SSDEEP

    6144:KIy+bnr+ep0yN90QEz5F5OYc1u31g4TByp/hMCp1QzQ9aut77D:UMriy90rxc1u31TTEp/jp1uQo8n

Score
10/10
healerredlinemufosdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

mufos

C2

217.196.96.102:4132

Attributes
  • auth_value

    136f202e6569ad5815c34377858a255c

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 17 IoCs
  • Detects executables packed with ConfuserEx Mod 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\22dd95c07bea90fada5a83b65f8fc90e5ebe8b37332e3895926cad58160aeb7c.exe
    "C:\Users\Admin\AppData\Local\Temp\22dd95c07bea90fada5a83b65f8fc90e5ebe8b37332e3895926cad58160aeb7c.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4320
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a5161310.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a5161310.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2820
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b9279511.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b9279511.exe
      2⤵
      • Executes dropped EXE
      PID:2920

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a5161310.exe
    Filesize

    181KB

    MD5

    a4baef56aa878790a27336ca8cba705d

    SHA1

    b0cab82469e3af3c4ed2f4cea36d97bb09db774b

    SHA256

    cbb1d46fb49b324e66076ee190aa3fe7d1732fbd9b824d5faf474e433f9dc040

    SHA512

    eaddcd812db2964cd1d65e10c3dc2a52da91f398a1404f3f2a3faadefa0631117971fe62da280db91a7fd09070f22cd4e1e38a6681e127e75832cfe0fe2dcc63

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b9279511.exe
    Filesize

    168KB

    MD5

    39dbecf46a34336df55214ca6396be0b

    SHA1

    c2c8b626ce04c64f02df3de1ae4bb909093e59a0

    SHA256

    05958ce32ec64fdd7a96755a34a8bfa42aa24d24b0d0f12a5d2c636458948bf4

    SHA512

    e8619ea0c6c22dd28f47c01c3c63f6dc31c9d8f6bb13eb9794089618695aca127d7ac6b1e412268c86b82c6d6366f1e2678eed9f148cd79a7d4a74371469470b

    Download Submit

  • memory/2820-41-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2820-39-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2820-10-0x0000000004B90000-0x0000000005134000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2820-21-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2820-12-0x0000000074430000-0x0000000074BE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2820-13-0x0000000074430000-0x0000000074BE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2820-8-0x00000000049F0000-0x0000000004A0A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2820-19-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2820-37-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2820-35-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2820-33-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2820-31-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2820-29-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2820-17-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2820-26-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2820-23-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2820-11-0x0000000004AC0000-0x0000000004AD8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2820-9-0x0000000074430000-0x0000000074BE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2820-27-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2820-15-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2820-14-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2820-43-0x0000000074430000-0x0000000074BE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2820-7-0x000000007443E000-0x000000007443F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2920-47-0x0000000000880000-0x00000000008AE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2920-49-0x00000000010E0000-0x00000000010E6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2920-48-0x00000000743E0000-0x000000007448B000-memory.dmp

    Filesize

    684KB

    Download

  • memory/2920-50-0x0000000005920000-0x0000000005F38000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2920-51-0x0000000005450000-0x000000000555A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2920-52-0x00000000743E0000-0x000000007448B000-memory.dmp

    Filesize

    684KB

    Download

  • memory/2920-53-0x0000000005360000-0x0000000005372000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2920-54-0x00000000053C0000-0x00000000053FC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2920-55-0x0000000005400000-0x000000000544C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2920-56-0x00000000743E0000-0x000000007448B000-memory.dmp

    Filesize

    684KB

    Download