Overview

overview

10

Static

static

3

06f1b755da...d3.exe

windows10-2004-x64

10

14b33a31c1...19.exe

windows10-2004-x64

10

16f3c19a7f...1a.exe

windows10-2004-x64

10

192ce44be6...d3.exe

windows10-2004-x64

10

208bd49be4...cf.exe

windows10-2004-x64

10

2ae8e0e720...19.exe

windows10-2004-x64

10

2b74e820a6...32.exe

windows10-2004-x64

10

396631ba37...a0.exe

windows10-2004-x64

10

777259b2de...25.exe

windows10-2004-x64

10

7f06170b1d...e6.exe

windows10-2004-x64

10

80f9db3963...66.exe

windows10-2004-x64

10

8d2837f05f...42.exe

windows10-2004-x64

10

9a7ee6b801...e4.exe

windows10-2004-x64

10

9c8e4ed081...a3.exe

windows10-2004-x64

10

a68c5e94f5...52.exe

windows10-2004-x64

10

aaed2c62a2...28.exe

windows10-2004-x64

10

e097574588...fe.exe

windows10-2004-x64

10

e256d9f4b9...eb.exe

windows10-2004-x64

10

f02caa1867...71.exe

windows10-2004-x64

10

f7447a8c0b...af.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 10:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    06f1b755da951fcf461e1c619e531208a68c60a692e3a2869f7207254aaea1d3.exe

  • Size

    661KB

  • MD5

    cdca3895f27cdc05ca4e3805722b13a8

  • SHA1

    908e4fd065b858e327ed442c9db06f432c5b7522

  • SHA256

    06f1b755da951fcf461e1c619e531208a68c60a692e3a2869f7207254aaea1d3

  • SHA512

    b36b19510dae31d34dd68c965c94da203ca1b03234aa01b9975b05f9f987552039ee7d52e867861e5bd9267e0b85442bef26fb8e6a4981e6c903f3ad936a3bbd

  • SSDEEP

    12288:eMrCy90WnmXRO3Rrm7fhF/4ZwsSdqSZEiAjyjElCydS4U:Qyfb3ELf4ZStGiAjt7U

Score
10/10
healerredlinemrakdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

mrak

C2

77.91.124.82:19071

Attributes
  • auth_value

    7d9a335ab5dfd42d374867c96fe25302

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\06f1b755da951fcf461e1c619e531208a68c60a692e3a2869f7207254aaea1d3.exe
    "C:\Users\Admin\AppData\Local\Temp\06f1b755da951fcf461e1c619e531208a68c60a692e3a2869f7207254aaea1d3.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2540
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5175657.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5175657.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1236
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3685577.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3685577.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4880
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4661559.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4661559.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4304
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4540
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 580
            5⤵
            • Program crash
            PID:3008
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5252901.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5252901.exe
          4⤵
          • Executes dropped EXE
          PID:3404
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4304 -ip 4304
    1⤵
      PID:4640
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start wuauserv
      1⤵
      • Launches sc.exe
      PID:4136

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5175657.exe
      Filesize

      439KB

      MD5

      82c2dcd3e890b891daf81c3600d6da0e

      SHA1

      671d44987089d06443e56b08c54a6c8ca752c3a7

      SHA256

      aba797f86aa10cbe1ea057a0cf68b568968f71b740e5d14bb022807182e8c856

      SHA512

      c40fc5b7dff5ec28f23589e866c2542ad71d5e8e4ac050fbb0c2237b253f6771260cdf2d0d1d9933237dc1cceb0a0349ce36bedf0d7be7e1eed9546bbdf582f5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3685577.exe
      Filesize

      274KB

      MD5

      d9a5924fb00359f603b947d166ea8fce

      SHA1

      468c20527a1412fac4730ddbbf248c6f08a6c6c6

      SHA256

      9b52d62baec33690e34eea446c7f7165e72e1ea506e41ff769e343c954b13903

      SHA512

      a395a2cea38a5def99726009dac37ba982bca9f9a5c4c1c7b4143f3cb04f3dd4c2807cb670da42930b8bfd3d76088de1ee009bee73584ecb994827537a8ebe74

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4661559.exe
      Filesize

      135KB

      MD5

      bcf2bb2e46cd8488a0a38269889f2cd2

      SHA1

      5c3c8ae0c0712ffef23712b0946911fbc60078ac

      SHA256

      a097cc474cd30f8aac5902e038ceda538afeec7316c9e1ea90b026922883e076

      SHA512

      d4a92bb730dac146ba9008aaa6d1f96bc820abe78b3b802f6d011015596f8efc8c8aa8400b5413636c1ef3b98ba7fd9f5638ea4ce59357f48ff024262f2cdc47

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5252901.exe
      Filesize

      176KB

      MD5

      3b263541ddf6b8748982234900908d2c

      SHA1

      1635c81931db27220acd3daf3c495e85ae2e8557

      SHA256

      285e4ba4ca45f302191b3a69b35bc740db4243acfcfac022b58e9f8b03a094d6

      SHA512

      d7a82beb2ff1607bd3efa69faae45a35a01179b3eb26b9e31ad1cc99e679be284e0a97e127a71f4fe90c764c0fdd3c70bb5c37d221df738f27713ad3846a46ce

      Download Submit

    • memory/3404-25-0x00000000000B0000-0x00000000000E0000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3404-26-0x0000000002260000-0x0000000002266000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3404-27-0x0000000005050000-0x0000000005668000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3404-29-0x0000000004A30000-0x0000000004A42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3404-28-0x0000000004B40000-0x0000000004C4A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3404-30-0x0000000004A90000-0x0000000004ACC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3404-31-0x0000000004AE0000-0x0000000004B2C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4540-21-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download