Overview

overview

10

Static

static

3

005cc897c6...01.exe

windows7-x64

3

005cc897c6...01.exe

windows10-2004-x64

10

0f5dadb4ff...d5.exe

windows10-2004-x64

10

15191ca573...45.exe

windows10-2004-x64

10

1f1cdd32ef...a5.exe

windows7-x64

3

1f1cdd32ef...a5.exe

windows10-2004-x64

10

33277efd72...bf.exe

windows7-x64

3

33277efd72...bf.exe

windows10-2004-x64

10

39b1b5acca...89.exe

windows10-2004-x64

10

41914bb3aa...45.exe

windows10-2004-x64

10

4dc93952d5...05.exe

windows10-2004-x64

10

636c6831e9...2d.exe

windows10-2004-x64

10

6371475aa9...ca.exe

windows10-2004-x64

10

6d98d2425a...11.exe

windows7-x64

3

6d98d2425a...11.exe

windows10-2004-x64

10

7d59382353...89.exe

windows7-x64

3

7d59382353...89.exe

windows10-2004-x64

10

7e9155d192...9c.exe

windows10-2004-x64

10

817be3f5a4...87.exe

windows10-2004-x64

10

84d690a678...8a.exe

windows10-2004-x64

10

8a833f1e2a...9a.exe

windows10-2004-x64

10

a6207c613c...04.exe

windows7-x64

3

a6207c613c...04.exe

windows10-2004-x64

10

b843b5d179...78.exe

windows10-2004-x64

10

bc0a361a97...2b.exe

windows10-2004-x64

10

ccede3ed34...14.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 10:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ccede3ed348e14362603f903262b1aaa83c22032a82a06b2b9e809756507f214.exe

  • Size

    768KB

  • MD5

    a10dbc94561cd3672ce8a66c98c7cef5

  • SHA1

    f5b9d25680172f08547f81555e1fbae71aea7645

  • SHA256

    ccede3ed348e14362603f903262b1aaa83c22032a82a06b2b9e809756507f214

  • SHA512

    421dc7e3eac547f84a76be77b186d84fb520066ddbe9a2c55cef98364fb5f81a3aca9242f6e4b06c82740ea4263bbc679344f6bd7dbd12151b2ca34be8a0f455

  • SSDEEP

    12288:VMrzy90B7tZfk4w5OFKJZQVHqtN/kwjztmrR99wk6nDwJJHOfSQWrwC8:eyutZs75lZQ1urak1sJlYWr78

Score
10/10
healerredlineviraddropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

virad

C2

77.91.124.82:19071

Attributes
  • auth_value

    434dd63619ca8bbf10125913fb40ca28

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ccede3ed348e14362603f903262b1aaa83c22032a82a06b2b9e809756507f214.exe
    "C:\Users\Admin\AppData\Local\Temp\ccede3ed348e14362603f903262b1aaa83c22032a82a06b2b9e809756507f214.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5626403.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5626403.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0230251.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0230251.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4820
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4867795.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4867795.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2104
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
              PID:3936
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              5⤵
                PID:3988
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                5⤵
                • Modifies Windows Defender Real-time Protection settings
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1448
            • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i1654027.exe
              C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i1654027.exe
              4⤵
              • Executes dropped EXE
              PID:3232
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe start wuauserv
        1⤵
        • Launches sc.exe
        PID:3852

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5626403.exe
        Filesize

        492KB

        MD5

        b528d44a27db8a32e528531162757767

        SHA1

        4ece5e35e91e7db946c7669707d99f0fa7a2c445

        SHA256

        281b0933e00d88afc536e3cd104c9035872c2da12499dabbeb6423eee1cb06c2

        SHA512

        9f71d942079e66ee2556dc40bb547af4ae17a7605c7b020d75efb17cddc99f436e776b60a162a985721556fcff8bcca16df8c449e3f1761ac052f472b238448b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0230251.exe
        Filesize

        326KB

        MD5

        e56cd8079312f8f5e511305a6ef499df

        SHA1

        72bbcdceac2f2b3564c4484344aea58adf130d81

        SHA256

        2e2dad733d4cb3be5a0fea50c7a7657ed99667fb0c7bc2c1e5a7d9a78aa30d65

        SHA512

        526fd66a1c6337582a55791a1e2fb4db5c0c843b30aabe70663dfd690b58c4448a4e3b7d94ad30ad585cbeb9492e18004f323df943d324a8ea5fd224064f8985

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4867795.exe
        Filesize

        256KB

        MD5

        d5b1f568ad1103abc1817c9caf5f7db1

        SHA1

        819a213e850374ba12b4feeae2f636d4b4f2714a

        SHA256

        e973d6abee2865ab472a8b88b0421628609998480ba8fc2937e39e94638f6ff2

        SHA512

        335c61adba34c54d0fac6a52884045ee5c51e3d0250a480ff039954883511812a5476100df52285d660161884ec2d6acbb3b2cb90e8282749aeae82f49e05db1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i1654027.exe
        Filesize

        175KB

        MD5

        78628aea2f72a2de5dbcb2e6b22a2410

        SHA1

        9f5990fba200c63a629c77435d5914353f2dc805

        SHA256

        668bed93e62fc454a0f1fadfed471eedbf8e377fce9bf464a80efb39ae967931

        SHA512

        d68d57ac5b4eb5e82a2b6462e28f1d79464c1c61081764ac38e4c6fd32de9268c4eadcf647f38914e61395da516e12066f4029b748000d7701bdf00843073716

        Download Submit

      • memory/1448-21-0x0000000000400000-0x000000000040A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3232-25-0x0000000000ED0000-0x0000000000F00000-memory.dmp

        Filesize

        192KB

        Download

      • memory/3232-26-0x00000000056B0000-0x00000000056B6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/3232-27-0x0000000005E40000-0x0000000006458000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3232-28-0x0000000005930000-0x0000000005A3A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/3232-29-0x0000000005860000-0x0000000005872000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3232-30-0x00000000058C0000-0x00000000058FC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/3232-31-0x0000000005A40000-0x0000000005A8C000-memory.dmp

        Filesize

        304KB

        Download