Overview

overview

10

Static

static

3

0d301494f1...b9.exe

windows10-2004-x64

10

17123cde24...76.exe

windows10-2004-x64

10

3513e5a1be...0b.exe

windows10-2004-x64

10

3548eb3ee0...c3.exe

windows10-2004-x64

10

37bb007e1a...b5.exe

windows10-2004-x64

10

3b8019115c...d8.exe

windows10-2004-x64

10

3ba16fdd2a...8a.exe

windows10-2004-x64

10

3c47d4d72a...e8.exe

windows10-2004-x64

10

5598d9028e...fd.exe

windows7-x64

10

5598d9028e...fd.exe

windows10-2004-x64

10

5d95f47641...f4.exe

windows10-2004-x64

10

61d857a524...a5.exe

windows10-2004-x64

10

64f004d4a2...36.exe

windows10-2004-x64

10

7787b07a17...49.exe

windows10-2004-x64

10

7cc3996906...7e.exe

windows10-2004-x64

10

825d0619a8...ce.exe

windows10-2004-x64

10

9e6f3fd3f7...c2.exe

windows10-2004-x64

10

a49c96afc3...92.exe

windows10-2004-x64

10

e2945d600c...9e.exe

windows10-2004-x64

10

eb8cedd00b...3b.exe

windows10-2004-x64

10

f9bdee7f3d...5b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 11:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0d301494f1fd79496a102de54faf16772306d560cc125b858d5e57a6e12787b9.exe

  • Size

    769KB

  • MD5

    9a6f01b6a183cc8030ef109090bc930c

  • SHA1

    989b8ebfddb6be08af8c05d125cc52307f5ccfd5

  • SHA256

    0d301494f1fd79496a102de54faf16772306d560cc125b858d5e57a6e12787b9

  • SHA512

    e6c73d0b9d8dd8799193de423d2bd02dfbaea092292c3db80939479dbd85e6254985e0190e755c0a4abdf56cacc3f18dcac9c78052738dbb597a6517f29013b5

  • SSDEEP

    12288:OMr0y90poZ86/f/VGQhOtInLrYkBWu372tumlxJFRw+O4burEqhjP7Fy:6yOMnkQgenHYkBWuLWvw2ur9Z74

Score
10/10
healerredlineviraddropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

virad

C2

77.91.124.82:19071

Attributes
  • auth_value

    434dd63619ca8bbf10125913fb40ca28

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0d301494f1fd79496a102de54faf16772306d560cc125b858d5e57a6e12787b9.exe
    "C:\Users\Admin\AppData\Local\Temp\0d301494f1fd79496a102de54faf16772306d560cc125b858d5e57a6e12787b9.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3021455.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3021455.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0753398.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0753398.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4964
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9278150.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9278150.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:3412
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
              PID:1668
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              5⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1392
          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i7723293.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i7723293.exe
            4⤵
            • Executes dropped EXE
            PID:4452
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start wuauserv
      1⤵
      • Launches sc.exe
      PID:3360

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3021455.exe
      Filesize

      492KB

      MD5

      7ab1faf2f27a5213cd6cf05d39602003

      SHA1

      4add2452e3f2fa8c263c81ff19748dc21b70d261

      SHA256

      d6daa377760eac9826e8d95d2d876347bf9456f2b381dabc113c701d1992f13d

      SHA512

      1a6ac80389db4f1b52f2a693da86a7b42d497af585e2d68c13daede245cd76725b529522af80648eba4abd16538de9663d080dacf874ef79b4999b1d382096c7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0753398.exe
      Filesize

      326KB

      MD5

      6f367b7b40b7baeee8e30cd1c9b75944

      SHA1

      d01daef05b83c33a3bbacec27a177772a360bb3c

      SHA256

      52119e44f5b27d313bed9c6690f546bb06e67c9f20f870dc9ae948e7b0f001ac

      SHA512

      4fb250cc239880aa0f666f3b87c30533589b13439dbeb5635e9f6be481c85ddeacb415b47afc14e22cdcaa208fd60d04b42cadf8b826ca6cc950e89ebb365015

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9278150.exe
      Filesize

      256KB

      MD5

      9b5106a50d76c40238864328ecb8ac9c

      SHA1

      93659d797d0bc1712fd6b6582e86edeb913db7fc

      SHA256

      044993d9b0489e3ce7ed08cc79623122808de97967ccd743b3b2c52eb9f5322e

      SHA512

      c6e8ca58cf4f438bced9f4e9a3ec40a302fc0f7a97c4d363a91bf30c0d5cd7c1ed0c04ae963ee5ab8afeaf061f24da7a34b4c5b89c363950d0b982428486c01b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i7723293.exe
      Filesize

      175KB

      MD5

      dd864eaee1e3057f254b30a1c0b557f3

      SHA1

      8b24d67d4b142f0162677b77a1bc0fcf8f0431df

      SHA256

      12b5f44547fce7fc853e5a0594cac5200352403ddcb12a535da3281155ea9a32

      SHA512

      4082aba2a77a33e9f8a5c28f854c5e13cf7944f29059dff3f8945f4b0453c30b1797d6b1ca4b3a0b19239a5dbb4868c06e19bfc4658deede425214f4f21d9588

      Download Submit

    • memory/1392-21-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4452-25-0x0000000000E20000-0x0000000000E50000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4452-26-0x0000000001550000-0x0000000001556000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4452-27-0x000000000B200000-0x000000000B818000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4452-28-0x000000000ACF0000-0x000000000ADFA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4452-29-0x000000000ABE0000-0x000000000ABF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4452-30-0x000000000AC40000-0x000000000AC7C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4452-31-0x0000000005250000-0x000000000529C000-memory.dmp

      Filesize

      304KB

      Download