Overview

overview

10

Static

static

3

196993766d...e4.exe

windows10-2004-x64

10

2cb02eeff0...07.exe

windows10-2004-x64

10

515ca9dbb0...70.exe

windows10-2004-x64

10

637e68df5f...fc.exe

windows10-2004-x64

10

67adfef018...3f.exe

windows10-2004-x64

10

753ea0d141...ee.exe

windows10-2004-x64

10

75a099d51b...a2.exe

windows10-2004-x64

10

7bc60a53f2...61.exe

windows10-2004-x64

10

878c11674c...59.exe

windows10-2004-x64

10

905a82b666...03.exe

windows10-2004-x64

10

9e0acffebc...ef.exe

windows10-2004-x64

10

9e61b06119...c5.exe

windows10-2004-x64

10

a8e7ed480b...c2.exe

windows10-2004-x64

10

b55e0e5824...a8.exe

windows10-2004-x64

10

b6f3ae7c80...fd.exe

windows10-2004-x64

10

c3d6d3e893...ba.exe

windows10-2004-x64

10

d68f556e86...13.exe

windows10-2004-x64

10

f67e1f80fb...aa.exe

windows10-2004-x64

10

fb8a184cad...cb.exe

windows10-2004-x64

10

fe5b99ae2f...bb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 17:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    753ea0d14181cbd10e784c6def975e1b2a0adae8cdb71930dececfc455cd59ee.exe

  • Size

    479KB

  • MD5

    a4a68e09983abdde3e285e5412e70490

  • SHA1

    fcec46e9661c30c0052f8c692dda6ee7d650ec42

  • SHA256

    753ea0d14181cbd10e784c6def975e1b2a0adae8cdb71930dececfc455cd59ee

  • SHA512

    36f8f14140638670c77984e91648b0adcdef45baef323ffa097c6e62443cf89eed0ceea8e5fd49383adecc77aee7defc3180e8128fb288a459eaed9c684bd9ef

  • SSDEEP

    12288:TMrny90qC/ZEOjY0pO/LqG4cH+H8jJ9e:kyaZXZY/x4YJ4

Score
10/10
healerredlineviraddropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

virad

C2

77.91.124.82:19071

Attributes
  • auth_value

    434dd63619ca8bbf10125913fb40ca28

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\753ea0d14181cbd10e784c6def975e1b2a0adae8cdb71930dececfc455cd59ee.exe
    "C:\Users\Admin\AppData\Local\Temp\753ea0d14181cbd10e784c6def975e1b2a0adae8cdb71930dececfc455cd59ee.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3960723.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3960723.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4012
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9289252.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9289252.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4760
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:1044
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
            • Modifies Windows Defender Real-time Protection settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1088
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 552
            4⤵
            • Program crash
            PID:3868
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i2586180.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i2586180.exe
          3⤵
          • Executes dropped EXE
          PID:1760
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4760 -ip 4760
      1⤵
        PID:4212

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Modify Registry

      2
      T1112

      Impair Defenses

      1
      T1562

      Disable or Modify Tools

      1
      T1562.001

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3960723.exe
        Filesize

        313KB

        MD5

        994505a690463dd76bbb0122a3b8b31b

        SHA1

        d112b408ee3274fe516266eb8fd855ca6aea2d20

        SHA256

        8499e6ac25294ac06c42071518f6fa869ab12d48bc8f295277f229091deb45ad

        SHA512

        7f6a7beae7d2352d059bd7afcc3c1915c5b8810f6f67b5bfa542d7b29e29960c5b73b2ddbd263940ae1f99deea389b58d5c78fae5931262b3becf5d2da7dd444

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9289252.exe
        Filesize

        218KB

        MD5

        a989cd1025c82550b07123f006679528

        SHA1

        6aa63c58e9d80265886e1130cc6cababf1c410a0

        SHA256

        143d97fb5ea09b86e17867efd0ad7d5feec4ac67e068acbba627a5ec20da3ee2

        SHA512

        cbf44d5c137eabf7cf6aa0c0053fb4e19122ffd74218ed8d5f11aa94d3fd7642f4bbc86b6363149d232517e9eca6aa2848617e6f2ba285b87cc73809ffd54b61

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i2586180.exe
        Filesize

        174KB

        MD5

        a54dd3680d32a0e8fa3c86a67901f40d

        SHA1

        7462c372febe8c30f8e18aa7422e2e159f0407b7

        SHA256

        a744ff6886f678dc9181dd85c53eb0ba8a55e654107bcdc2f1f9d09bbb8687da

        SHA512

        d404cad31ba160d255549d822e2f20d1c2c1df0fa77f7f8f3106f2701b0a6deda156ee927ba0f7b16fe35ad8a33a5df727691cfc4a4e248fd90df679be259f1c

        Download Submit
      • memory/1088-14-0x0000000000400000-0x000000000040A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/1088-15-0x000000007450E000-0x000000007450F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1760-19-0x00000000001A0000-0x00000000001D0000-memory.dmp
        Filesize

        192KB

        Download
      • memory/1760-20-0x00000000023F0000-0x00000000023F6000-memory.dmp
        Filesize

        24KB

        Download
      • memory/1760-21-0x000000000A4C0000-0x000000000AAD8000-memory.dmp
        Filesize

        6.1MB

        Download
      • memory/1760-23-0x0000000009F50000-0x0000000009F62000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1760-24-0x0000000009FB0000-0x0000000009FEC000-memory.dmp
        Filesize

        240KB

        Download
      • memory/1760-22-0x000000000A010000-0x000000000A11A000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/1760-25-0x0000000002370000-0x00000000023BC000-memory.dmp
        Filesize

        304KB

        Download