Analysis

  • max time kernel: 133s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240426-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 23-05-2024 17:10

General

  • Target: 0a7a53ccfce8285cb27448942f3d9d7ebbb0f13842117794de0c0f0400ce0e4d.exe
  • Size: 1.1MB
  • MD5: 7cd7a01c2f80541e608d5d23296eb636
  • SHA1: b37ab77e3fabfa5c6b2ae1da51e4a8b9b109a667
  • SHA256: 0a7a53ccfce8285cb27448942f3d9d7ebbb0f13842117794de0c0f0400ce0e4d
  • SHA512: 9a3a3020ca964ba97cbe51c3fed6f7e20db50279b065d38969044fdf7b1ea211cd666704f02d93cd5759e64c024422a021207006c887d9b965f8f33314098c22
  • SSDEEP: 24576:7y5At6OE2X7xTSNsnb7OAoSLsjhCNHOen5QG7J0PvZftv:u5vOECWNaboE0E5QG7J0PD

Malware Config

Extracted

  • Family: redline
  • Botnet: buben
  • C2: 77.91.124.82:19071
  • Attributes
    • auth_value: c62fa04aa45f5b78f62d2c21fcbefdec

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a7a53ccfce8285cb27448942f3d9d7ebbb0f13842117794de0c0f0400ce0e4d.exe
    "C:\Users\Admin\AppData\Local\Temp\0a7a53ccfce8285cb27448942f3d9d7ebbb0f13842117794de0c0f0400ce0e4d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6295458.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6295458.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4884
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0207371.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0207371.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4072
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9212893.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9212893.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4824
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9517128.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9517128.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:3096
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              PID:2812
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                6⤵
                • Modifies Windows Defender Real-time Protection settings
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2500
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 140
                6⤵
                • Program crash
                PID:1640
            • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7143551.exe
              C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7143551.exe
              5⤵
              • Executes dropped EXE
              PID:3268
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3096 -ip 3096
      1⤵
      PID:2868

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • Create or Modify System Process (T1543): 1
      • Windows Service (T1543.003): 1
    • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1
  • Privilege Escalation
    • Create or Modify System Process (T1543): 1
      • Windows Service (T1543.003): 1
    • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1
  • Defense Evasion
    • Modify Registry (T1112): 2
    • Impair Defenses (T1562): 1
      • Disable or Modify Tools (T1562.001): 1


Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6295458.exe
    Filesize: 1020KB
    MD5: c732444b1a4b6342cd32fe983744dc11
    SHA1: 4dbfaad3b0b6bbaafa3ca8a4591deef16cd1c656
    SHA256: dc1f709edc0b02aae429e065036e9052183f1b2db3aa11152238df7f6ce36898
    SHA512: 640cc9e61501399f4b8594a1a12cc39d7b7081bad916c72f623968520a2fd825e51f314924b9f10e0d453b00853a04fc98ae7edd39a8d69d2419c0ccf3d2498f

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0207371.exe
    Filesize: 628KB
    MD5: ec5d3174d1e156a7c5e44bcb4dca767b
    SHA1: d62f698a93eec7f720b4881c93a2dade7a039768
    SHA256: e15387bd2b9cd563ab53c15dd9f0a30f3bf2ade0746ebf7bbf14ab503e0e7e96
    SHA512: 509f7dd06e17b8eb75f91bcd2ba7894010216c72e9ab67eb7ac554f92a35dee671a645677b8a6e919de136a70e5962f16d4e4edb38ed6deeedf45fac28ce45f9

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9212893.exe
    Filesize: 443KB
    MD5: a841924ba81d0edf6b2bf18f9d9ee88c
    SHA1: 82f725085c8cd7b8c9af9c179c5474c8093979f7
    SHA256: ca83228a0ff1a05d928e0ac0862a446eb07850dbe41902d91b95eb0b827413e0
    SHA512: 7cd7b0693e4e2e2585fe139b36dffc1dfe318b39a7fbb2ab715141df5bf18a935d6a3033ea0938816cf84d46eeee73122e8b468451d5b54eee538df06f95d50f

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9517128.exe
    Filesize: 861KB
    MD5: c8e6b5a0dcbfea40d9258abc35f44d62
    SHA1: 04a23d2e6d95167eab063395efdfc0587f93982f
    SHA256: 81a1a268668faf4d41746eca6fef423e405402d66f7d274a87ec3f9fd2ed5fbd
    SHA512: 374aea9bf311f66279ad0e3b34e8bd8ce55873d98b6edca5af5063930746758ae1cff42b6e383edfb0059c725a075c7c74ce19bd0cd937555d0c1d5812c8feef

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7143551.exe
    Filesize: 174KB
    MD5: 6d6f11e15dcc95716394a624f19bd912
    SHA1: b21bfb5435495745689f57bc8414c93ef19bb417
    SHA256: b71ae2e2ae8aef48a34f10f01d767ab7baf5ce0a6523d7efa98a28fd6cd2fe11
    SHA512: ed7ada9b4850302757366555afc7a3242d5fc71fcb6304afbcb6d725693696a2c39c2c33b11ef2eb96499c36d1bfbd874e953959a8e536f9674c39896ccc310d

  • memory/2500-28-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize: 40KB

  • memory/3268-32-0x0000000000660000-0x0000000000690000-memory.dmp
    Filesize: 192KB

  • memory/3268-33-0x0000000000D10000-0x0000000000D16000-memory.dmp
    Filesize: 24KB

  • memory/3268-34-0x0000000005650000-0x0000000005C68000-memory.dmp
    Filesize: 6.1MB

  • memory/3268-36-0x0000000004EF0000-0x0000000004F02000-memory.dmp
    Filesize: 72KB

  • memory/3268-35-0x0000000005140000-0x000000000524A000-memory.dmp
    Filesize: 1.0MB

  • memory/3268-37-0x0000000005070000-0x00000000050AC000-memory.dmp
    Filesize: 240KB

  • memory/3268-38-0x00000000050B0000-0x00000000050FC000-memory.dmp
    Filesize: 304KB