Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-05-2024 17:10

General

  • Target

    b7edb218fec9ad9d3c425768ecc3c868db6dcd17f414b4c8a5337d3b4c908867.exe

  • Size

    769KB

  • MD5

    c8963418e0ba703c180db37e66a4babc

  • SHA1

    1f0a035883f81dd6dd193e1a631c2ec7531b9c94

  • SHA256

    b7edb218fec9ad9d3c425768ecc3c868db6dcd17f414b4c8a5337d3b4c908867

  • SHA512

    ac977b73200c79e3e7b1e8778d357b3f191bb0fd38e914a1f196b8ac9efb16abb6a21d1dd3abfa801f36002afcb7e29e8e158352436bbdae56810389347b7788

  • SSDEEP

    24576:NyX5m44V68ZM4J/xordNEv6fn4f6EXvC4Iy:oXSnJ/yBNAmnGL/C

Malware Config

Extracted

Family

redline

Botnet

virad

C2

77.91.124.82:19071

Attributes
  • auth_value

    434dd63619ca8bbf10125913fb40ca28

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer is an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b7edb218fec9ad9d3c425768ecc3c868db6dcd17f414b4c8a5337d3b4c908867.exe
    "C:\Users\Admin\AppData\Local\Temp\b7edb218fec9ad9d3c425768ecc3c868db6dcd17f414b4c8a5337d3b4c908867.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3272
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6876133.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6876133.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4490853.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4490853.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3368
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6168470.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6168470.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1184
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4964
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4435932.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4435932.exe
          4⤵
          • Executes dropped EXE
          PID:3968
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:1004
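The process tree above, the Signatures list and the Malware Config block together describe one chain: nested droppers unpacked into %TEMP%\IXP00N.TMP, a .NET stub (AppLaunch.exe) hollowed via SetThreadContext/WriteProcessMemory that then disables Defender real-time protection (Healer), Run-key persistence, an sc.exe call, and a RedLine callback to 77.91.124.82:19071. The following detection logic over Sysmon-style events is an added example written for this report; it is not the sandbox's own signature code. The sample events are constructed to mirror the tree above: the parent of the root sample, the registry value names, the pid that opens the C2 socket, the sc.exe parent and the benign control process are assumptions, not report data, and the exact Defender policy values Healer flips are assumed (the report only says the settings were modified).

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators taken from the report above.
C2 = "77.91.124.82:19071"
# Nested IExpress-style extraction dirs: %TEMP%\IXP000.TMP, IXP001.TMP, ...
IXP_DROP = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\[^\\]+\.exe$", re.I)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# .NET framework stub the dropper hollowed (SetThreadContext + WriteProcessMemory).
DOTNET_HOST = re.compile(r"\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\AppLaunch\.exe$", re.I)
# Assumption: Healer sets Disable* policy values under this key; the report does
# not list the value names.
DEFENDER_RTP = re.compile(r"\\Windows Defender\\Real-Time Protection\\Disable\w+$", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
SC_WUAUSERV = re.compile(r'\\sc\.exe"?\s+start\s+wuauserv\b', re.I)
WEAK = {"sc_start_wuauserv"}   # too common on its own to count as a verdict


@dataclass
class Event:
    eid: int            # Sysmon-style id: 1 process create, 3 network connect, 13 registry value set
    pid: int
    image: str
    parent: str = ""    # parent image (eid 1)
    cmdline: str = ""
    target: str = ""    # registry path (eid 13) or "ip:port" (eid 3)


def findings(events):
    """Map pid -> ordered list of detection tags fired for that process."""
    hits = defaultdict(list)
    for e in events:
        tags = []
        if e.eid == 1:
            if IXP_DROP.search(e.image):
                tags.append("dropped_exe_in_ixp_tmp")
            # AppLaunch.exe normally carries arguments and a legitimate parent; a bare
            # invocation spawned by a Temp dropper is the hollowing pattern in the tree.
            if DOTNET_HOST.search(e.image) and IXP_DROP.search(e.parent):
                tags.append("hollowed_dotnet_host")
            if SC_WUAUSERV.search(e.cmdline):
                tags.append("sc_start_wuauserv")
        elif e.eid == 13:
            if DEFENDER_RTP.search(e.target):
                tags.append("defender_rtp_tamper")
            if RUN_KEY.search(e.target) and USER_TEMP.search(e.image):
                tags.append("run_key_from_temp")
        elif e.eid == 3 and e.target == C2:
            tags.append("redline_c2_connect")
        if tags:
            hits[e.pid].extend(tags)
    return dict(hits)


def verdict(events):
    """Pids with at least one non-weak tag, sorted."""
    return sorted(p for p, t in findings(events).items() if set(t) - WEAK)


def lineage(events, pid):
    """Walk process-create events from pid back to the root by parent image;
    returns executable basenames from root to pid."""
    creates = {e.image.lower(): e for e in events if e.eid == 1}
    by_pid = {e.pid: e for e in events if e.eid == 1}
    chain, seen, e = [], set(), by_pid.get(pid)
    while e and e.image.lower() not in seen:
        seen.add(e.image.lower())
        chain.append(e.image.rsplit("\\", 1)[-1])
        e = creates.get(e.parent.lower())
    return chain[::-1]


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ROOT = TEMP + r"\b7edb218fec9ad9d3c425768ecc3c868db6dcd17f414b4c8a5337d3b4c908867.exe"
X0 = TEMP + r"\IXP000.TMP\x6876133.exe"
X1 = TEMP + r"\IXP001.TMP\x4490853.exe"
G2 = TEMP + r"\IXP002.TMP\g6168470.exe"
I2 = TEMP + r"\IXP002.TMP\i4435932.exe"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

# Constructed sample telemetry mirroring the report's process tree (assumptions noted in the lead-in).
SAMPLE_EVENTS = [
    Event(1, 3272, ROOT, parent=r"C:\Windows\explorer.exe", cmdline=f'"{ROOT}"'),
    Event(13, 3272, ROOT, target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    Event(1, 1732, X0, parent=ROOT, cmdline=X0),
    Event(1, 3368, X1, parent=X0, cmdline=X1),
    Event(1, 1184, G2, parent=X1, cmdline=G2),
    Event(1, 4964, APPLAUNCH, parent=G2, cmdline=f'"{APPLAUNCH}"'),
    Event(13, 4964, APPLAUNCH,
          target=r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"),
    Event(1, 3968, I2, parent=X1, cmdline=I2),
    Event(3, 3968, I2, target="77.91.124.82:19071"),
    Event(1, 1004, r"C:\Windows\system32\sc.exe", cmdline=r"C:\Windows\system32\sc.exe start wuauserv"),
    Event(1, 5000, r"C:\Program Files\Mozilla Firefox\firefox.exe", parent=r"C:\Windows\explorer.exe"),
    Event(3, 5000, r"C:\Program Files\Mozilla Firefox\firefox.exe", target="142.250.72.78:443"),
]

if __name__ == "__main__":
    for pid, tags in findings(SAMPLE_EVENTS).items():
        print(pid, " -> ".join(lineage(SAMPLE_EVENTS, pid)), tags)
    print("flagged:", verdict(SAMPLE_EVENTS))
```

The sc.exe tag is deliberately kept out of the verdict: `sc start wuauserv` is routine on a healthy host and only matters when it coincides with the dropper or Defender-tampering tags. The hollowing rule keys on the parent being inside an IXP00N.TMP directory rather than on AppLaunch.exe alone, since the stub is launched legitimately by ClickOnce and other .NET installers.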

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6876133.exe

    Filesize

    492KB

    MD5

    01d46bde7fc53994a1b39020c318188b

    SHA1

    7ca1e8e2f63e260a7afa9753023742802f5399d5

    SHA256

    62521523d4d4953b009df317dbbab658ca69f7008cb6d115297b89c869b40e4d

    SHA512

    318971c5f0e444fe2a095bf27e4adb93f44ff270f00008346fd26a8da3b6c7239f031e4ee8b91e0f75013d1f59d6a7a87840a998a4f1d4714012dfb4202cf532

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4490853.exe

    Filesize

    326KB

    MD5

    37a9b371365e0a63893c668b0fccf592

    SHA1

    aba5205366f2f31f50c2350cd67eb1f64314a796

    SHA256

    fa26968c3423f164bb6b039c5776a9c9460f3b372caa6d81649255914f4f7597

    SHA512

    0d010732e8ab01f850d53c2a133d1d0be5a59670d9df2dad149662f9eafc652195d02a759fea422680cc03626c730642fde5d2768213a3761e8578ddd4d0d1e0

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6168470.exe

    Filesize

    256KB

    MD5

    ade42a5ceb7d5b10b259b4e1f2860a43

    SHA1

    818cfafaecdbb3002583ab60e2b56c622c05d708

    SHA256

    50c284acdac45b74f9c4b1014b0f036679496573c973688e3de5b9e7b5b377fe

    SHA512

    3b7b7a270cad3b072e51aeb0281c56b081a8aa203b2ce070f7075e005d344a7fad7fefba5d0acd520d8f07ad1e3362b1f7c04fb91034cf348c899f6da5edaf88

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4435932.exe

    Filesize

    175KB

    MD5

    acc92df15c13ce7b30b404f7782a274c

    SHA1

    29985f1006d5d4f7e9130db589b5cb7af2fed455

    SHA256

    6a1859d4406e577ddafd1fe3e2cd10ec6e2806026b29877b5a5581bd591a367d

    SHA512

    9c70d0e3b182dd98a093d0cc6896a146e2bafc706d60d1fcfc11d84e766d51edc4bfaa86fd4c1acce67c8ab2e5d63a73d9f492634ddfdeedd955ace46eb1348e

  • memory/3968-25-0x0000000000A60000-0x0000000000A90000-memory.dmp

    Filesize

    192KB

  • memory/3968-26-0x0000000002BC0000-0x0000000002BC6000-memory.dmp

    Filesize

    24KB

  • memory/3968-27-0x0000000005A70000-0x0000000006088000-memory.dmp

    Filesize

    6.1MB

  • memory/3968-28-0x0000000005560000-0x000000000566A000-memory.dmp

    Filesize

    1.0MB

  • memory/3968-29-0x00000000053F0000-0x0000000005402000-memory.dmp

    Filesize

    72KB

  • memory/3968-30-0x0000000005490000-0x00000000054CC000-memory.dmp

    Filesize

    240KB

  • memory/3968-31-0x00000000054D0000-0x000000000551C000-memory.dmp

    Filesize

    304KB

  • memory/4964-21-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB