Overview

overview

10

Static

static

3

006388190d...bb.exe

windows10-2004-x64

10

0254882920...b5.exe

windows10-2004-x64

10

059acceaf9...4e.exe

windows10-2004-x64

10

23e52eabfc...16.exe

windows10-2004-x64

10

346c48a087...17.exe

windows10-2004-x64

10

3a559db9fb...76.exe

windows10-2004-x64

10

3bd30de35b...fb.exe

windows10-2004-x64

10

4563b46d64...3c.exe

windows10-2004-x64

10

45ab0e1069...0f.exe

windows10-2004-x64

10

545f251975...f8.exe

windows10-2004-x64

10

5bd9b291d7...ab.exe

windows10-2004-x64

10

5e70f35516...00.exe

windows10-2004-x64

10

7348ee4e4e...6d.exe

windows10-2004-x64

10

8b460dc8cc...29.exe

windows10-2004-x64

10

928c96df1b...ca.exe

windows10-2004-x64

10

972fcfe587...1d.exe

windows10-2004-x64

10

a025c0e619...2e.exe

windows10-2004-x64

10

bc0667bb8d...75.exe

windows10-2004-x64

10

cf82c35e0a...89.exe

windows10-2004-x64

10

fbe2b19c30...62.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 18:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    45ab0e1069984eb278e72231ed9a1e178170792eecd79ef0661dac877d441d0f.exe

  • Size

    662KB

  • MD5

    dcac23d0bc279a89e89714367315a23b

  • SHA1

    4b95e86bc8c126b3d438ad8d7fdb28b6f9baa127

  • SHA256

    45ab0e1069984eb278e72231ed9a1e178170792eecd79ef0661dac877d441d0f

  • SHA512

    c5adfd13d4cae9e01a35a719bac66e505e7c70352ef9678a3be4ea039b71c9732da3bdcda3aa67f5440443c53da41452e7b1be456cf22a8435f6a2cde38a5265

  • SSDEEP

    12288:KMr6y903bBP+0CGbGWeRtUx3QotEXYoQw15uCkOKsX+Km9yAGG2Pg2wYlUKUlF:MyQBPcizqtCeHd1ACktKmk7nA

Score
10/10
healerredlinemrakdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

mrak

C2

77.91.124.82:19071

Attributes
  • auth_value

    7d9a335ab5dfd42d374867c96fe25302

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\45ab0e1069984eb278e72231ed9a1e178170792eecd79ef0661dac877d441d0f.exe
    "C:\Users\Admin\AppData\Local\Temp\45ab0e1069984eb278e72231ed9a1e178170792eecd79ef0661dac877d441d0f.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2996
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3232565.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3232565.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3712
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3961800.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3961800.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3208
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1242823.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1242823.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:3336
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
              PID:2636
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              5⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3688
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 596
              5⤵
              • Program crash
              PID:1088
          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i9227346.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i9227346.exe
            4⤵
            • Executes dropped EXE
            PID:1220
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3336 -ip 3336
      1⤵
        PID:1476

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3232565.exe
        Filesize

        439KB

        MD5

        2cbc7c37e07af98e95c5edae1e4e4a90

        SHA1

        377c61e2131b402cce001e5cca30286d59d20805

        SHA256

        dd78a69914ace43a0b7308256340f78f0d86e04a8b95c0b2c4ff7d020a1f9bc0

        SHA512

        a424d658fab6ac6ab3bc3343a3149e3e8ecee3de8cc8c7b6e9b441fbb73d133e14badae313e7cb744acb41b757d0fc59e8f2f4275bda7c75185dc41a1ed0ea93

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3961800.exe
        Filesize

        273KB

        MD5

        92fed135d5bec4c3ec7778c3f8d083ed

        SHA1

        ebccf7aa7593047f7e772142f73dbc90fc2bf7ab

        SHA256

        6382f28cd2fa60122fd5fd398a54adeb4b414ef0b298d5ba69eba62db474f196

        SHA512

        e49bd18e686d3318bc05dca9a4ace7f5436004739b05da2484aa39efc02f4e6b115b946bb67e9c8931bfbb799c02211c2d2ed32b540d96a99dccdbed2b546203

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1242823.exe
        Filesize

        135KB

        MD5

        829594a606b4964b9765b515a29ba48b

        SHA1

        d45fb1887c8a997c099933b65a23cf325c1f3cc9

        SHA256

        90acb7fb1690f08c8e4eaaa69562f5eedc293931354d837af56fde4efd2c8395

        SHA512

        54a7e25464f64f4fe4d5b67463acf73e55ad89f17813396917bdb9cefc4e26229f78de70eb67402cd3e4fd0ce63927be0a6fbcf30f3c397522b1578d8c694f9a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i9227346.exe
        Filesize

        176KB

        MD5

        0744dc2b3bef88efa8ab31db6a5a39d3

        SHA1

        a90039526e161d1d5c75e1260a0582a20a7549a5

        SHA256

        84188a001e91369d02b620248150981c85bdbe1de081999f5e25e3cf58c272bb

        SHA512

        5799fcc4ac875294a0b3744d7cec0cf997456d48372e8a6c886ceff6ed5cfdf0aabc3df3611addacb015b201dda7fab02c18bdba14851267c5b3ff61b8370b02

        Download Submit

      • memory/1220-25-0x0000000000D90000-0x0000000000DC0000-memory.dmp

        Filesize

        192KB

        Download

      • memory/1220-26-0x0000000003080000-0x0000000003086000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1220-27-0x0000000005D60000-0x0000000006378000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/1220-28-0x0000000005850000-0x000000000595A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/1220-29-0x0000000005700000-0x0000000005712000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1220-30-0x0000000005780000-0x00000000057BC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1220-31-0x00000000057C0000-0x000000000580C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3688-21-0x0000000000400000-0x000000000040A000-memory.dmp

        Filesize

        40KB

        Download