Overview

overview

10

Static

static

3

0805913f50...13.exe

windows10-2004-x64

10

11eba51293...3a.exe

windows10-2004-x64

10

17a0568b20...3a.exe

windows10-2004-x64

10

346c46bc82...26.exe

windows10-2004-x64

10

4867af9d5d...1f.exe

windows10-2004-x64

10

5f2f269e1f...9a.exe

windows10-2004-x64

10

64e73ef21d...a1.exe

windows10-2004-x64

10

7c556f6f80...61.exe

windows10-2004-x64

10

8c970cc94c...d3.exe

windows10-2004-x64

10

9296923f57...24.exe

windows10-2004-x64

10

ae96a881fd...69.exe

windows10-2004-x64

10

b150b2b6ed...d5.exe

windows10-2004-x64

10

c1b0ce286b...51.exe

windows10-2004-x64

10

c1d1b117a2...35.exe

windows10-2004-x64

10

d876400b35...04.exe

windows10-2004-x64

10

eb3bd6af82...52.exe

windows10-2004-x64

10

eb7c2e9dc2...28.exe

windows10-2004-x64

10

ed2eb0d5dc...bf.exe

windows10-2004-x64

10

fc2a396813...13.exe

windows10-2004-x64

10

fd4ce916b7...90.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 19:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9296923f571779b37e571b296a597c9c5eb71a0a616bfd3ddab9f7d20c509c24.exe

  • Size

    662KB

  • MD5

    ad556af301bc23d9d68e88347510597a

  • SHA1

    33c98a0a8322aa276c825a76dfbe90eb89adb0ed

  • SHA256

    9296923f571779b37e571b296a597c9c5eb71a0a616bfd3ddab9f7d20c509c24

  • SHA512

    13b7701cdd1b901df94c7c4dafb68bd37949c822aceb29aa55d04bb5084772c9886f9e8de81e4ed221cfb6c44fa101f395120c02d520fc9fcf03e42e2b80303d

  • SSDEEP

    12288:3Mr2y90oQvlJuZN/gE/AT4aV+nD/xybAP5fI8CR5dXyALD8J0v:RyRQvlcND/AT/V+tpP5fVCjdiALYJ0v

Score
10/10
healerredlinemrakdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

mrak

C2

77.91.124.82:19071

Attributes
  • auth_value

    7d9a335ab5dfd42d374867c96fe25302

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9296923f571779b37e571b296a597c9c5eb71a0a616bfd3ddab9f7d20c509c24.exe
    "C:\Users\Admin\AppData\Local\Temp\9296923f571779b37e571b296a597c9c5eb71a0a616bfd3ddab9f7d20c509c24.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4508
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8157062.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8157062.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:5036
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9442367.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9442367.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:5096
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6603557.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6603557.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1240
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4660
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 556
            5⤵
            • Program crash
            PID:3488
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4410075.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4410075.exe
          4⤵
          • Executes dropped EXE
          PID:1736
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1240 -ip 1240
    1⤵
      PID:4700

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8157062.exe
      Filesize

      440KB

      MD5

      16654be0a6b9fcc34c39b6e591340fe0

      SHA1

      be62555eb0ecfceea1dead4cc4374da86d433f73

      SHA256

      46e8bb0baf56bdb40cb17b8ad98db6d55568622f60c41273c8269b7045a2a209

      SHA512

      f4ac5c3d704abd49576680e3d483e7ed78ff00755eb0def9009ba8ded67aeae691f5a02c6e8b9ddd0d5ccc936e39f1efe64747d71917a9f41ed07aeb9685f10b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9442367.exe
      Filesize

      274KB

      MD5

      0c9441b51f1681088cd920785936c076

      SHA1

      aa49e5b1b01eb77d4a2db72ed0fb57e89d0ffd51

      SHA256

      3895ad643b9fb1fd943dc88b1218ab1f9ab229e098eff720b9ac0dacad0a3edf

      SHA512

      c90dd796609f000fa192abad2fe6e11193d70b59888d1fc259f78536f1c0f079a757df2e09272fa838f228debf22081e6a2e52232400ee469982ebcd56bae355

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6603557.exe
      Filesize

      135KB

      MD5

      748d8130ad48f5c7791666eeeba868db

      SHA1

      cc5ff50dd58d6f4b2968cd5720e484d584adb18e

      SHA256

      cc955cfcc6c535c64b2e255386637f87a91821144c766cc17320c7c0b3b8efde

      SHA512

      daebe7c16a0dfccfa9f86ffe04f58805925a4958be4ffa1455f7376b5026c92f69d3888453ba684c60a7e68d073f7af90e9473af574c3f2ea2d4d3443eecd806

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4410075.exe
      Filesize

      176KB

      MD5

      756f51fcbebaa6ed794be46e0e615858

      SHA1

      856acc1832bb654eb514b7df1fa882f3c59a097f

      SHA256

      3f741ae6dfc446f3e5f5ba6282a1245cc4fc847ed7d21303a9b0d8553e194c38

      SHA512

      b1a7e093bb8cf374c14416181aacaaaa5d8203489954a3b77053dd367b720078bc47eee369dd659a062aa758c5d555547f0d791377416464e5809e279cc183d6

      Download Submit

    • memory/1736-25-0x0000000000830000-0x0000000000860000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1736-26-0x00000000028A0000-0x00000000028A6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1736-27-0x0000000005790000-0x0000000005DA8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1736-28-0x0000000005280000-0x000000000538A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1736-29-0x00000000051B0000-0x00000000051C2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1736-30-0x0000000005210000-0x000000000524C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1736-31-0x0000000005390000-0x00000000053DC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4660-21-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download