Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-05-2024 17:01

General

  • Target
    2754139a8485fbf1b2e0b164393e54175366ed15e96929b58676edf2271759f3.exe
  • Size
    488KB
  • MD5
    b4456f54d46a916c787fee11c2735e5e
  • SHA1
    3386c3cc568dd8a18630c83d0290a291ba4d4768
  • SHA256
    2754139a8485fbf1b2e0b164393e54175366ed15e96929b58676edf2271759f3
  • SHA512
    d89d7cc89c1cdc5c3c57cc88ed1703debdd71c8dbfe54f88969e7c9d779e4b63b69dbf920da74d6ea25026a26eacd5366898a14a9a68f0b82aaf68cd89450d89
  • SSDEEP
    12288:6MrMy90Ra4LuBX9x408STlV23wI0wosCZa:Sy1hX9eSL2AI0hsCZa

Malware Config

Extracted

  • Family
    redline
  • Botnet
    virad
  • C2
    77.91.124.82:19071
  • Attributes
    auth_value: 434dd63619ca8bbf10125913fb40ca28

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2754139a8485fbf1b2e0b164393e54175366ed15e96929b58676edf2271759f3.exe
    "C:\Users\Admin\AppData\Local\Temp\2754139a8485fbf1b2e0b164393e54175366ed15e96929b58676edf2271759f3.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6894777.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6894777.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3804
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7366959.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7366959.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3516
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2140
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 148
          4⤵
          • Program crash
          PID:3256
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i8891989.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i8891989.exe
        3⤵
        • Executes dropped EXE
        PID:3956
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3516 -ip 3516
    1⤵
    PID:228
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:680

Network

  • DNS (US) 97.17.167.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 97.17.167.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US) 152.107.17.2.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 152.107.17.2.in-addr.arpa IN PTR
    Response: 152.107.17.2.in-addr.arpa IN PTR a2-17-107-152.deploy.static.akamaitechnologies.com
  • DNS (US) 86.23.85.13.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 86.23.85.13.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US) 198.187.3.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 198.187.3.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US) 138.107.17.2.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 138.107.17.2.in-addr.arpa IN PTR
    Response: 138.107.17.2.in-addr.arpa IN PTR a2-17-107-138.deploy.static.akamaitechnologies.com
  • DNS (US) 11.173.189.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 11.173.189.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US) 95.221.229.192.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 95.221.229.192.in-addr.arpa IN PTR
    Response: (empty)
  • 142.250.187.234:443
    46 B / 40 B / 1 / 1
  • 77.91.124.82:19071 (i8891989.exe)
    260 B / 5
  • 13.107.253.64:443
    46 B / 40 B / 1 / 1
  • 77.91.124.82:19071 (i8891989.exe)
    260 B / 5
  • 77.91.124.82:19071 (i8891989.exe)
    260 B / 5
  • 77.91.124.82:19071 (i8891989.exe)
    260 B / 5
  • 77.91.124.82:19071 (i8891989.exe)
    260 B / 5
  • 8.8.8.8:53 (dns) 97.17.167.52.in-addr.arpa
    71 B / 145 B / 1 / 1
    DNS Request: 97.17.167.52.in-addr.arpa
  • 8.8.8.8:53 (dns) 152.107.17.2.in-addr.arpa
    71 B / 135 B / 1 / 1
    DNS Request: 152.107.17.2.in-addr.arpa
  • 8.8.8.8:53 (dns) 86.23.85.13.in-addr.arpa
    70 B / 144 B / 1 / 1
    DNS Request: 86.23.85.13.in-addr.arpa
  • 8.8.8.8:53 (dns) 198.187.3.20.in-addr.arpa
    71 B / 157 B / 1 / 1
    DNS Request: 198.187.3.20.in-addr.arpa
  • 8.8.8.8:53 (dns) 138.107.17.2.in-addr.arpa
    71 B / 135 B / 1 / 1
    DNS Request: 138.107.17.2.in-addr.arpa
  • 8.8.8.8:53 (dns) 11.173.189.20.in-addr.arpa
    72 B / 158 B / 1 / 1
    DNS Request: 11.173.189.20.in-addr.arpa
  • 8.8.8.8:53 (dns) 95.221.229.192.in-addr.arpa
    73 B / 144 B / 1 / 1
    DNS Request: 95.221.229.192.in-addr.arpa

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6894777.exe
    Filesize: 322KB
    MD5: 357c9d1b11bb54f0ceee235e799a57f0
    SHA1: 768fdee562dcfc3d75b5776a20fae7ef21de5365
    SHA256: b586c245950108152ecaa3de4d096bce7c135b1728e239f41d77addae714d719
    SHA512: c276bc9647542e9e1547306e93130f6e2c01e0e16f28589b48fe9cb6d03e4da6fe0a32eb7b3d026e9b9e757139297fdfaad5e8f302d07993e8eeff2dbb127188
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7366959.exe
    Filesize: 228KB
    MD5: 9bfd0a60c784aa4c49a35bfe5d05e239
    SHA1: 9fab6ca87c5fe550fca76942b029f858dc694fb7
    SHA256: e8b0c37aa06e643d671d14772d1e0171e483a50effebb40e4bb4a4ffdcd91ab8
    SHA512: 06e7bdb928632f5448b2df78188aa7cf4a9a1d1843d7930f0a2226becf56c1f8925f7294d297e9e9aa914aed96325adb504d23a4e8f885fbcac4040d1a2c46c6
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i8891989.exe
    Filesize: 175KB
    MD5: 5dc41ff83ff2780d1205fb71ac826c24
    SHA1: 2285a27913b0fa18f5d3642a73de9e8a6a54eb52
    SHA256: b7c282b7d35a72e352057fb6972e1f085c12528660cbdb4938a4df85723793fc
    SHA512: 69dc5891313039573e938baf311a7ae25bdd15671f1ac9f7e2ddd04145e06fb886206b072f611782d6ab13175414653c1306cab2f7fce03a12c88a9255e7f794
  • memory/2140-14-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize: 40KB
  • memory/2140-15-0x00000000742DE000-0x00000000742DF000-memory.dmp
    Filesize: 4KB
  • memory/3956-19-0x00000000002D0000-0x0000000000300000-memory.dmp
    Filesize: 192KB
  • memory/3956-20-0x0000000000D10000-0x0000000000D16000-memory.dmp
    Filesize: 24KB
  • memory/3956-21-0x000000000A690000-0x000000000ACA8000-memory.dmp
    Filesize: 6.1MB
  • memory/3956-22-0x000000000A180000-0x000000000A28A000-memory.dmp
    Filesize: 1.0MB
  • memory/3956-23-0x000000000A090000-0x000000000A0A2000-memory.dmp
    Filesize: 72KB
  • memory/3956-24-0x000000000A0F0000-0x000000000A12C000-memory.dmp
    Filesize: 240KB
  • memory/3956-25-0x000000000A130000-0x000000000A17C000-memory.dmp
    Filesize: 304KB