Overview

overview

10

Static

static

3

006388190d...bb.exe

windows10-2004-x64

10

0254882920...b5.exe

windows10-2004-x64

10

059acceaf9...4e.exe

windows10-2004-x64

10

23e52eabfc...16.exe

windows10-2004-x64

10

346c48a087...17.exe

windows10-2004-x64

10

3a559db9fb...76.exe

windows10-2004-x64

10

3bd30de35b...fb.exe

windows10-2004-x64

10

4563b46d64...3c.exe

windows10-2004-x64

10

45ab0e1069...0f.exe

windows10-2004-x64

10

545f251975...f8.exe

windows10-2004-x64

10

5bd9b291d7...ab.exe

windows10-2004-x64

10

5e70f35516...00.exe

windows10-2004-x64

10

7348ee4e4e...6d.exe

windows10-2004-x64

10

8b460dc8cc...29.exe

windows10-2004-x64

10

928c96df1b...ca.exe

windows10-2004-x64

10

972fcfe587...1d.exe

windows10-2004-x64

10

a025c0e619...2e.exe

windows10-2004-x64

10

bc0667bb8d...75.exe

windows10-2004-x64

10

cf82c35e0a...89.exe

windows10-2004-x64

10

fbe2b19c30...62.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 18:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5bd9b291d75af7da767ccfd9442e39fc2a36f83c84ba9416a78c62a54164b4ab.exe

  • Size

    1.4MB

  • MD5

    8d90361e8bf7f26eec4a063c82eaa6cd

  • SHA1

    a44abc8788bfaaac8ee0e8a6b70458471a8e5648

  • SHA256

    5bd9b291d75af7da767ccfd9442e39fc2a36f83c84ba9416a78c62a54164b4ab

  • SHA512

    3d9406f3be98992338f264f08c27f396062cfd5376717da4e9d9efbfc1481f6d7c699ac9dbcd4ba792550ce5aad4b4c176520ccc43e485d3dc2b93e58a6a25ff

  • SSDEEP

    24576:tyrFNdHyoabka1N0oVq38WevoGuLiWnbC5z+jUFp9WHk3/fpcBx5Qf:I5Ko30tQsToGuLiASzEwWHrBxO

Score
10/10
healerredlinemazdadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

mazda

C2

217.196.96.56:4138

Attributes
  • auth_value

    3d2870537d84a4c6d7aeecd002871c51

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5bd9b291d75af7da767ccfd9442e39fc2a36f83c84ba9416a78c62a54164b4ab.exe
    "C:\Users\Admin\AppData\Local\Temp\5bd9b291d75af7da767ccfd9442e39fc2a36f83c84ba9416a78c62a54164b4ab.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:756
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2651320.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2651320.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1432
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6031072.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6031072.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3652
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9779676.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9779676.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1272
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0364664.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0364664.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:1512
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9918398.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9918398.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:920
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 984
                7⤵
                • Program crash
                PID:2468
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3381039.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3381039.exe
              6⤵
              • Executes dropped EXE
              PID:1944
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 920 -ip 920
    1⤵
      PID:3480

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2651320.exe
      Filesize

      1.3MB

      MD5

      1b585d289ddffffe1f8ae853d8c3ea91

      SHA1

      34b2bdba1efdb64f4d4e3ecb1d5df6ea5cce2f96

      SHA256

      3996025360ac7f775f7df2bcd96af6e526e3cfbd8804446fe5bdcbdaf59923b7

      SHA512

      22a12dd4939f14a7e97149de1612fea1b1b9b2d995a09861c3927072b867687beb6374b3d4af6f3e84d544d00648f977e0130924eb97224674a592999f339915

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6031072.exe
      Filesize

      846KB

      MD5

      0825e601bad32acf49f85674f1f6bbaf

      SHA1

      c449440ce33948b8c9a8be3cfb848f8c22acdd13

      SHA256

      d3bcd1710979a32b3bccfcd32f77c2acc8775189e5754a34cf23c6e062cc84aa

      SHA512

      ff72ad23b0a2904951ee5a824b6de3fb6067063d5bd1353190d4e5665fd27db004cc77a5f44528338b4ca4c2cc7a43895d0df34d689001d49044a6d28000bf77

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9779676.exe
      Filesize

      642KB

      MD5

      03a628bce13a7a6f73b78cb27748c83e

      SHA1

      3d36b5043c005536607692cc3af271a95dc354f2

      SHA256

      8e29739d0db64de82f2c1386f8ba689ab31a3b0c457102386884ac03967741c3

      SHA512

      26264798a9a32453c10acdc1f4941bcc795a18142ba8a71566c4bd7d3707dd6d403be2e8ac7b8f9f3ea372847ad3844b84bbf20b8a14f88968bd92d6bd51e344

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0364664.exe
      Filesize

      383KB

      MD5

      5e44b8246a4fad15f34dde2e49e58067

      SHA1

      cb676ca9b22843e81b188c531c985a2a4a3730c1

      SHA256

      5841ec3b7d542eae2cf9ebf62e07d85243629f4959fc02afc2c581d0c1bb2e2b

      SHA512

      24f6c376d9f8342c70be1a401ebfae3fb8cf05704a319a281e9c148c40212401607557a010d2af9d60fa3cc7fae5d66983b7105427eb7d1b3399765de7374f94

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9918398.exe
      Filesize

      289KB

      MD5

      9b325e403e6bcc2cbfce9467cc02f65f

      SHA1

      15323f0948fefc9615d96b9572181e3d487844cd

      SHA256

      373bb84575db64553a977912644db7c299a5b5bb9de07195636a2a07ec7c1b78

      SHA512

      15f5fe3d6507478eb3ec3ac6090a46e012cfa02730f3db536fc63a7bc86806287fd4fd084257676f1abe2f42dfe0b51082f0576950b6f702bb739a9f6889aba9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3381039.exe
      Filesize

      168KB

      MD5

      c859bfe277b92508fcbcef858adb5820

      SHA1

      af00eb31954ed4ba20dbbd5a02505a05bf09e511

      SHA256

      9547f193ab5b5ddc6080be3df500f5b89bfac957dcb4a799ef14719980cc2024

      SHA512

      a4e9d05be95715981633423c7255e4ef7795a2d624242881917a5e85c3e25e2981fd13b1cb6f61d39acd4e885ce268f8e0efead8c03406b7c266e2e7f7ff5f19

      Download Submit

    • memory/920-44-0x0000000004A10000-0x0000000004A22000-memory.dmp

      Filesize

      72KB

      Download

    • memory/920-42-0x0000000004A10000-0x0000000004A22000-memory.dmp

      Filesize

      72KB

      Download

    • memory/920-37-0x0000000004AE0000-0x0000000005084000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/920-64-0x0000000004A10000-0x0000000004A22000-memory.dmp

      Filesize

      72KB

      Download

    • memory/920-62-0x0000000004A10000-0x0000000004A22000-memory.dmp

      Filesize

      72KB

      Download

    • memory/920-60-0x0000000004A10000-0x0000000004A22000-memory.dmp

      Filesize

      72KB

      Download

    • memory/920-58-0x0000000004A10000-0x0000000004A22000-memory.dmp

      Filesize

      72KB

      Download

    • memory/920-56-0x0000000004A10000-0x0000000004A22000-memory.dmp

      Filesize

      72KB

      Download

    • memory/920-55-0x0000000004A10000-0x0000000004A22000-memory.dmp

      Filesize

      72KB

      Download

    • memory/920-66-0x0000000004A10000-0x0000000004A22000-memory.dmp

      Filesize

      72KB

      Download

    • memory/920-52-0x0000000004A10000-0x0000000004A22000-memory.dmp

      Filesize

      72KB

      Download

    • memory/920-48-0x0000000004A10000-0x0000000004A22000-memory.dmp

      Filesize

      72KB

      Download

    • memory/920-46-0x0000000004A10000-0x0000000004A22000-memory.dmp

      Filesize

      72KB

      Download

    • memory/920-38-0x0000000004A10000-0x0000000004A28000-memory.dmp

      Filesize

      96KB

      Download

    • memory/920-40-0x0000000004A10000-0x0000000004A22000-memory.dmp

      Filesize

      72KB

      Download

    • memory/920-39-0x0000000004A10000-0x0000000004A22000-memory.dmp

      Filesize

      72KB

      Download

    • memory/920-50-0x0000000004A10000-0x0000000004A22000-memory.dmp

      Filesize

      72KB

      Download

    • memory/920-68-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/920-36-0x00000000023F0000-0x000000000240A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1944-73-0x0000000000860000-0x0000000000890000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1944-74-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1944-75-0x00000000058B0000-0x0000000005EC8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1944-76-0x00000000053A0000-0x00000000054AA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1944-77-0x00000000051D0000-0x00000000051E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1944-78-0x0000000005230000-0x000000000526C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1944-79-0x0000000005290000-0x00000000052DC000-memory.dmp

      Filesize

      304KB

      Download