Overview

overview

10

Static

static

3

0805913f50...13.exe

windows10-2004-x64

10

11eba51293...3a.exe

windows10-2004-x64

10

17a0568b20...3a.exe

windows10-2004-x64

10

346c46bc82...26.exe

windows10-2004-x64

10

4867af9d5d...1f.exe

windows10-2004-x64

10

5f2f269e1f...9a.exe

windows10-2004-x64

10

64e73ef21d...a1.exe

windows10-2004-x64

10

7c556f6f80...61.exe

windows10-2004-x64

10

8c970cc94c...d3.exe

windows10-2004-x64

10

9296923f57...24.exe

windows10-2004-x64

10

ae96a881fd...69.exe

windows10-2004-x64

10

b150b2b6ed...d5.exe

windows10-2004-x64

10

c1b0ce286b...51.exe

windows10-2004-x64

10

c1d1b117a2...35.exe

windows10-2004-x64

10

d876400b35...04.exe

windows10-2004-x64

10

eb3bd6af82...52.exe

windows10-2004-x64

10

eb7c2e9dc2...28.exe

windows10-2004-x64

10

ed2eb0d5dc...bf.exe

windows10-2004-x64

10

fc2a396813...13.exe

windows10-2004-x64

10

fd4ce916b7...90.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 18:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9296923f571779b37e571b296a597c9c5eb71a0a616bfd3ddab9f7d20c509c24.exe

  • Size

    662KB

  • MD5

    ad556af301bc23d9d68e88347510597a

  • SHA1

    33c98a0a8322aa276c825a76dfbe90eb89adb0ed

  • SHA256

    9296923f571779b37e571b296a597c9c5eb71a0a616bfd3ddab9f7d20c509c24

  • SHA512

    13b7701cdd1b901df94c7c4dafb68bd37949c822aceb29aa55d04bb5084772c9886f9e8de81e4ed221cfb6c44fa101f395120c02d520fc9fcf03e42e2b80303d

  • SSDEEP

    12288:3Mr2y90oQvlJuZN/gE/AT4aV+nD/xybAP5fI8CR5dXyALD8J0v:RyRQvlcND/AT/V+tpP5fVCjdiALYJ0v

Score
10/10
healerredlinemrakdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

mrak

C2

77.91.124.82:19071

Attributes
  • auth_value

    7d9a335ab5dfd42d374867c96fe25302

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9296923f571779b37e571b296a597c9c5eb71a0a616bfd3ddab9f7d20c509c24.exe
    "C:\Users\Admin\AppData\Local\Temp\9296923f571779b37e571b296a597c9c5eb71a0a616bfd3ddab9f7d20c509c24.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:228
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8157062.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8157062.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3108
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9442367.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9442367.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3272
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6603557.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6603557.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4288
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1548
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 148
            5⤵
            • Program crash
            PID:2160
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4410075.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4410075.exe
          4⤵
          • Executes dropped EXE
          PID:2484
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4288 -ip 4288
    1⤵
      PID:4692
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:2372

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8157062.exe
        Filesize

        440KB

        MD5

        16654be0a6b9fcc34c39b6e591340fe0

        SHA1

        be62555eb0ecfceea1dead4cc4374da86d433f73

        SHA256

        46e8bb0baf56bdb40cb17b8ad98db6d55568622f60c41273c8269b7045a2a209

        SHA512

        f4ac5c3d704abd49576680e3d483e7ed78ff00755eb0def9009ba8ded67aeae691f5a02c6e8b9ddd0d5ccc936e39f1efe64747d71917a9f41ed07aeb9685f10b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9442367.exe
        Filesize

        274KB

        MD5

        0c9441b51f1681088cd920785936c076

        SHA1

        aa49e5b1b01eb77d4a2db72ed0fb57e89d0ffd51

        SHA256

        3895ad643b9fb1fd943dc88b1218ab1f9ab229e098eff720b9ac0dacad0a3edf

        SHA512

        c90dd796609f000fa192abad2fe6e11193d70b59888d1fc259f78536f1c0f079a757df2e09272fa838f228debf22081e6a2e52232400ee469982ebcd56bae355

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6603557.exe
        Filesize

        135KB

        MD5

        748d8130ad48f5c7791666eeeba868db

        SHA1

        cc5ff50dd58d6f4b2968cd5720e484d584adb18e

        SHA256

        cc955cfcc6c535c64b2e255386637f87a91821144c766cc17320c7c0b3b8efde

        SHA512

        daebe7c16a0dfccfa9f86ffe04f58805925a4958be4ffa1455f7376b5026c92f69d3888453ba684c60a7e68d073f7af90e9473af574c3f2ea2d4d3443eecd806

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4410075.exe
        Filesize

        176KB

        MD5

        756f51fcbebaa6ed794be46e0e615858

        SHA1

        856acc1832bb654eb514b7df1fa882f3c59a097f

        SHA256

        3f741ae6dfc446f3e5f5ba6282a1245cc4fc847ed7d21303a9b0d8553e194c38

        SHA512

        b1a7e093bb8cf374c14416181aacaaaa5d8203489954a3b77053dd367b720078bc47eee369dd659a062aa758c5d555547f0d791377416464e5809e279cc183d6

        Download Submit

      • memory/1548-21-0x0000000000400000-0x000000000040A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2484-25-0x0000000000100000-0x0000000000130000-memory.dmp

        Filesize

        192KB

        Download

      • memory/2484-26-0x0000000002450000-0x0000000002456000-memory.dmp

        Filesize

        24KB

        Download

      • memory/2484-27-0x000000000A3F0000-0x000000000AA08000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/2484-28-0x0000000009F70000-0x000000000A07A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2484-29-0x0000000009EA0000-0x0000000009EB2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2484-30-0x0000000009F00000-0x0000000009F3C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/2484-31-0x000000000A080000-0x000000000A0CC000-memory.dmp

        Filesize

        304KB

        Download