Analysis
max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
04-11-2024 13:16
Static task
static1
Behavioral task
behavioral1
Sample
37274c7c63e06e39158260f61d24da72bad6f55a545500009bbc0e4bfca552b4.exe
Resource
win10v2004-20241007-en
General
Target
37274c7c63e06e39158260f61d24da72bad6f55a545500009bbc0e4bfca552b4.exe
Size
703KB
MD5
51967bee388a2d86a95c23b1330fa283
SHA1
df3975632137dd8f60f3becaba1edd25cb8c7c2a
SHA256
37274c7c63e06e39158260f61d24da72bad6f55a545500009bbc0e4bfca552b4
SHA512
e45d03aab337a02679acb5aee4d09375dc69c85ac164c9af4b81dd5840a5d53202184d11a280a015e6b1699b1535b91af68b0b9c9f0daa93d7a1b4b16c7986e6
SSDEEP
12288:Sy90Ugm5em1P11oQO8hZCdykR1L+zdtSqf8vcPW2qWrZb2X:SyFPeI9ROmCpL+zdt1f8vcPW4rZc
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper 17 IoCs
resource  yara_rule
behavioral1/memory/4380-18-0x00000000049C0000-0x00000000049DA000-memory.dmp  healer
behavioral1/memory/4380-20-0x0000000004E00000-0x0000000004E18000-memory.dmp  healer
behavioral1/memory/4380-48-0x0000000004E00000-0x0000000004E12000-memory.dmp  healer
behavioral1/memory/4380-46-0x0000000004E00000-0x0000000004E12000-memory.dmp  healer
behavioral1/memory/4380-42-0x0000000004E00000-0x0000000004E12000-memory.dmp  healer
behavioral1/memory/4380-40-0x0000000004E00000-0x0000000004E12000-memory.dmp  healer
behavioral1/memory/4380-39-0x0000000004E00000-0x0000000004E12000-memory.dmp  healer
behavioral1/memory/4380-36-0x0000000004E00000-0x0000000004E12000-memory.dmp  healer
behavioral1/memory/4380-34-0x0000000004E00000-0x0000000004E12000-memory.dmp  healer
behavioral1/memory/4380-32-0x0000000004E00000-0x0000000004E12000-memory.dmp  healer
behavioral1/memory/4380-26-0x0000000004E00000-0x0000000004E12000-memory.dmp  healer
behavioral1/memory/4380-24-0x0000000004E00000-0x0000000004E12000-memory.dmp  healer
behavioral1/memory/4380-22-0x0000000004E00000-0x0000000004E12000-memory.dmp  healer
behavioral1/memory/4380-21-0x0000000004E00000-0x0000000004E12000-memory.dmp  healer
behavioral1/memory/4380-45-0x0000000004E00000-0x0000000004E12000-memory.dmp  healer
behavioral1/memory/4380-30-0x0000000004E00000-0x0000000004E12000-memory.dmp  healer
behavioral1/memory/4380-28-0x0000000004E00000-0x0000000004E12000-memory.dmp  healer
Healer family
Modifies Windows Defender Real-time Protection settings 6 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  pr743130.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  pr743130.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  pr743130.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  pr743130.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  pr743130.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  pr743130.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 20 IoCs
resource  yara_rule
behavioral1/memory/404-60-0x00000000048D0000-0x000000000490C000-memory.dmp  family_redline
behavioral1/memory/404-61-0x00000000077C0000-0x00000000077FA000-memory.dmp  family_redline
behavioral1/memory/404-73-0x00000000077C0000-0x00000000077F5000-memory.dmp  family_redline
behavioral1/memory/404-95-0x00000000077C0000-0x00000000077F5000-memory.dmp  family_redline
behavioral1/memory/404-93-0x00000000077C0000-0x00000000077F5000-memory.dmp  family_redline
behavioral1/memory/404-91-0x00000000077C0000-0x00000000077F5000-memory.dmp  family_redline
behavioral1/memory/404-89-0x00000000077C0000-0x00000000077F5000-memory.dmp  family_redline
behavioral1/memory/404-87-0x00000000077C0000-0x00000000077F5000-memory.dmp  family_redline
behavioral1/memory/404-85-0x00000000077C0000-0x00000000077F5000-memory.dmp  family_redline
behavioral1/memory/404-83-0x00000000077C0000-0x00000000077F5000-memory.dmp  family_redline
behavioral1/memory/404-81-0x00000000077C0000-0x00000000077F5000-memory.dmp  family_redline
behavioral1/memory/404-79-0x00000000077C0000-0x00000000077F5000-memory.dmp  family_redline
behavioral1/memory/404-77-0x00000000077C0000-0x00000000077F5000-memory.dmp  family_redline
behavioral1/memory/404-75-0x00000000077C0000-0x00000000077F5000-memory.dmp  family_redline
behavioral1/memory/404-71-0x00000000077C0000-0x00000000077F5000-memory.dmp  family_redline
behavioral1/memory/404-69-0x00000000077C0000-0x00000000077F5000-memory.dmp  family_redline
behavioral1/memory/404-67-0x00000000077C0000-0x00000000077F5000-memory.dmp  family_redline
behavioral1/memory/404-65-0x00000000077C0000-0x00000000077F5000-memory.dmp  family_redline
behavioral1/memory/404-63-0x00000000077C0000-0x00000000077F5000-memory.dmp  family_redline
behavioral1/memory/404-62-0x00000000077C0000-0x00000000077F5000-memory.dmp  family_redline
Redline family
Executes dropped EXE 3 IoCs
pid  Process
2800  un914891.exe
4380  pr743130.exe
404  qu304815.exe
Windows security modification 2 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  pr743130.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  pr743130.exe
Adds Run key to start application 2 TTPs 2 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  37274c7c63e06e39158260f61d24da72bad6f55a545500009bbc0e4bfca552b4.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  un914891.exe
Program crash 1 IoCs
pid  pid_target  Process  procid_target
4592  4380  WerFault.exe  87
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  37274c7c63e06e39158260f61d24da72bad6f55a545500009bbc0e4bfca552b4.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  un914891.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pr743130.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  qu304815.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid  Process
4380  pr743130.exe
4380  pr743130.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description  pid  Process
Token: SeDebugPrivilege  4380  pr743130.exe
Token: SeDebugPrivilege  404  qu304815.exe
Suspicious use of WriteProcessMemory 9 IoCs
description  pid  Process  procid_target
PID 1820 wrote to memory of 2800  1820  37274c7c63e06e39158260f61d24da72bad6f55a545500009bbc0e4bfca552b4.exe  86
PID 1820 wrote to memory of 2800  1820  37274c7c63e06e39158260f61d24da72bad6f55a545500009bbc0e4bfca552b4.exe  86
PID 1820 wrote to memory of 2800  1820  37274c7c63e06e39158260f61d24da72bad6f55a545500009bbc0e4bfca552b4.exe  86
PID 2800 wrote to memory of 4380  2800  un914891.exe  87
PID 2800 wrote to memory of 4380  2800  un914891.exe  87
PID 2800 wrote to memory of 4380  2800  un914891.exe  87
PID 2800 wrote to memory of 404  2800  un914891.exe  98
PID 2800 wrote to memory of 404  2800  un914891.exe  98
PID 2800 wrote to memory of 404  2800  un914891.exe  98
Processes
C:\Users\Admin\AppData\Local\Temp\37274c7c63e06e39158260f61d24da72bad6f55a545500009bbc0e4bfca552b4.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\37274c7c63e06e39158260f61d24da72bad6f55a545500009bbc0e4bfca552b4.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1820

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un914891.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un914891.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2800

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr743130.exe (depth 3)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr743130.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4380

            C:\Windows\SysWOW64\WerFault.exe (depth 4)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1016
            - Program crash
            PID: 4592

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu304815.exe (depth 3)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu304815.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 404

C:\Windows\SysWOW64\WerFault.exe (depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4380 -ip 4380
PID: 2820
Network
MITRE ATT&CK Enterprise v15
Persistence
    Boot or Logon Autostart Execution (1)
        Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (1)
        Windows Service (1)
Downloads
Filesize
549KB
MD5
fa2872d9e084b2b16239f1c7043d212b
SHA1
ffafe27ce350e6cb5a9309f9ff3f440645cac199
SHA256
31d3c55eceb52c3d91fbd55bb16a58ce5f7cd14d633131d659091d01ffa32d5a
SHA512
8e58e5fbb0ad611e722f87777055fa6841fce2d613ca84d6db4a51c90b107a741f0cabf2b31558fe1986e1239f3007d8ec169d3bf09e50e32626fb89ff89c5f3

Filesize
286KB
MD5
0536b0c4a5390885b2d57d2876c61400
SHA1
4e9830ee21b19b67390396a1acfbcdac026f91dd
SHA256
25d5bae445b5819e899661a32aaef48a65ca61ff71b65f3086a6d505818da4a1
SHA512
7bdaaa17a5b455bd5b20c0429265852f46aab78f86c77b2087ed919b8e0cf93d2fb6e75fd85d6063c6edff421c83e6daa7ae860161113a81531445c04ff011e7

Filesize
368KB
MD5
b2caf88ddfacf725d3e3e8010509c407
SHA1
4d35585f6bcc5ac20bbc51e201a200a320515e0f
SHA256
39d1e76c038ab6fbc08f1ebc4224b7e45558e114e4fe69fa888a7f856d534f44
SHA512
9144ec0f606bbe99d8646be8c71bb5b519e3cd31e85d15cedfe007aa9e4804c5820ecec4bba89eb7e7b0dc5b509697a8f092b0b79a29e195a673d5b679ee9668