Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-05-2024 10:53

General

  • Target

    4dc93952d5fe7ecacd61cc033cbd3cdb682618f54ff89b22880ba0684a40e205.exe

  • Size

    769KB

  • MD5

    a28e02cea1b7ab4227eb6f443baaa343

  • SHA1

    4e453fcdee3aa118a5309f8c4001d6348a153df2

  • SHA256

    4dc93952d5fe7ecacd61cc033cbd3cdb682618f54ff89b22880ba0684a40e205

  • SHA512

    daffff5dcddf3ac30b09019d9fbc0a0fe5d73de9a91bf192d2947f91f4cb1adb9e3c5142bdb5a373b203aea47fb7c35c5737aa60bbd03b3ca008f3de55e8b1dd

  • SSDEEP

    24576:AyAg9hkKCZrEzgPM+sf19KHtnLHJiLLx3Zm:HAumKVw29KNnNi3x3

Malware Config

Extracted

Family

redline

Botnet

virad

C2

77.91.124.82:19071

Attributes
  • auth_value

    434dd63619ca8bbf10125913fb40ca28

Signatures

  • Detects Healer, an antivirus disabler dropper 1 IoCs
  • Healer

    Healer is an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4dc93952d5fe7ecacd61cc033cbd3cdb682618f54ff89b22880ba0684a40e205.exe
    "C:\Users\Admin\AppData\Local\Temp\4dc93952d5fe7ecacd61cc033cbd3cdb682618f54ff89b22880ba0684a40e205.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1280632.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1280632.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3732
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4259739.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4259739.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1052
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7067525.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7067525.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1584
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1200
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i8842500.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i8842500.exe
          4⤵
          • Executes dropped EXE
          PID:396
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:3684

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1280632.exe

    Filesize

    493KB

    MD5

    14d4fa67a18aaada1644fc4dcc93596a

    SHA1

    d2db0e8278c0b57d06568226eddddf84763858a4

    SHA256

    e6925295a5cfdfaeaf0a5a31ee18e5fc986d8604c06b154354156463dbe75c62

    SHA512

    2d4aa7045a04eb13fca037dd1a667991398d98f3027e406839da813fdeb82ca570878f646119c24731e5dac4af62528cd12181a6dbc27c2ae864620e7c555b6c

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4259739.exe

    Filesize

    327KB

    MD5

    ee3092ac4282ceb8582ce9298f3c6acd

    SHA1

    971119c9b747e162ab3a53e3fbd0e1c34cf0a656

    SHA256

    c1fa2783a470f3ceedf70fe345456bd71a1bb5af4d284a7ad18b05600ccd65a4

    SHA512

    ae9cc6cb16aae4c12052c06a4775a1a336f43c54de2cac9d6b8d63e55d366b0dd92236ef679a849f06c4e049e1537037400678e3997153c19e8954513d7f36fe

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7067525.exe

    Filesize

    256KB

    MD5

    0b2b8cdcfe0ac349caf9180ea5c19b6a

    SHA1

    5ec6eaf29bee4a054786585874d7c06f34554f14

    SHA256

    bcf979e5c4785bce1c222d454afdafebeb4d4838dbecf4d1a805012fb182bf7d

    SHA512

    49936df995ee506a6abbf66871dd63dfe90567336323afea186dcc5ccd70defe183ae115ed526ea5babc559fd5108365ee56102e7e920af76af13d60a6f1691d

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i8842500.exe

    Filesize

    175KB

    MD5

    deeabb1c71c0c7d46203ca087cb11c16

    SHA1

    659c18947ddb81906bf0965574ea53fb0d63ca3e

    SHA256

    4f143fb700e8636254580c55580a5cb9dd3deeb6c7f67d59b30f7ddb4c764ef3

    SHA512

    e0731c58ed9ffd1fa64a0191c48f237e3c595d9f819ef4273ac91ccfa991460e17350aadca9d761ba6674b24b4a6d2145de2cbc57c916f0bfbf787909a8cadb7

  • memory/396-25-0x0000000000470000-0x00000000004A0000-memory.dmp

    Filesize

    192KB

  • memory/396-26-0x0000000000C90000-0x0000000000C96000-memory.dmp

    Filesize

    24KB

  • memory/396-27-0x0000000005490000-0x0000000005AA8000-memory.dmp

    Filesize

    6.1MB

  • memory/396-28-0x0000000004F80000-0x000000000508A000-memory.dmp

    Filesize

    1.0MB

  • memory/396-29-0x0000000004CF0000-0x0000000004D02000-memory.dmp

    Filesize

    72KB

  • memory/396-30-0x0000000004E70000-0x0000000004EAC000-memory.dmp

    Filesize

    240KB

  • memory/396-31-0x0000000004EB0000-0x0000000004EFC000-memory.dmp

    Filesize

    304KB

  • memory/1200-21-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB