Analysis
  max time kernel: 149s
  max time network: 151s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 04-11-2024 13:30

Static task: static1
Behavioral task: behavioral1
  Sample: b896c1fa2f1af00e61f4eaba3d23f3a2add81b6b5315f14089d314ca927b612a.exe
  Resource: win10v2004-20241007-en
General
  Target: b896c1fa2f1af00e61f4eaba3d23f3a2add81b6b5315f14089d314ca927b612a.exe
  Size: 1.0MB
  MD5: adb060fa1374a212355529ef044e2484
  SHA1: 53694464de0e1a748440b50005b401240e62acb8
  SHA256: b896c1fa2f1af00e61f4eaba3d23f3a2add81b6b5315f14089d314ca927b612a
  SHA512: a3859a79288d6e5087c1917f5c304f6610f1717b9fc7bc8fa5de7e85def752ccdd56d2032559cb0d1b72e245c74ac1a8cc1f75873fff15941f38495db308d9b0
  SSDEEP: 24576:xyhOi27ILV3Q54lDpoQZYvPWAsWWCXrsgmBdhNkYt7ON:khfP3Q5+7amPYXggWO
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr178941.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr178941.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr178941.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr178941.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr178941.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr178941.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Redline family
Executes dropped EXE (4 IoCs)
pid | Process
4492 | un730204.exe
4972 | un368033.exe
3620 | pr178941.exe
1988 | qu754103.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr178941.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr178941.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b896c1fa2f1af00e61f4eaba3d23f3a2add81b6b5315f14089d314ca927b612a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un730204.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | un368033.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
1524 | 3620 | WerFault.exe | 86
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pr178941.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu754103.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b896c1fa2f1af00e61f4eaba3d23f3a2add81b6b5315f14089d314ca927b612a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un730204.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un368033.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3620 | pr178941.exe
3620 | pr178941.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3620 | pr178941.exe
Token: SeDebugPrivilege | 1988 | qu754103.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 1496 wrote to memory of 4492 | 1496 | b896c1fa2f1af00e61f4eaba3d23f3a2add81b6b5315f14089d314ca927b612a.exe | 84
PID 1496 wrote to memory of 4492 | 1496 | b896c1fa2f1af00e61f4eaba3d23f3a2add81b6b5315f14089d314ca927b612a.exe | 84
PID 1496 wrote to memory of 4492 | 1496 | b896c1fa2f1af00e61f4eaba3d23f3a2add81b6b5315f14089d314ca927b612a.exe | 84
PID 4492 wrote to memory of 4972 | 4492 | un730204.exe | 85
PID 4492 wrote to memory of 4972 | 4492 | un730204.exe | 85
PID 4492 wrote to memory of 4972 | 4492 | un730204.exe | 85
PID 4972 wrote to memory of 3620 | 4972 | un368033.exe | 86
PID 4972 wrote to memory of 3620 | 4972 | un368033.exe | 86
PID 4972 wrote to memory of 3620 | 4972 | un368033.exe | 86
PID 4972 wrote to memory of 1988 | 4972 | un368033.exe | 98
PID 4972 wrote to memory of 1988 | 4972 | un368033.exe | 98
PID 4972 wrote to memory of 1988 | 4972 | un368033.exe | 98
Processes

C:\Users\Admin\AppData\Local\Temp\b896c1fa2f1af00e61f4eaba3d23f3a2add81b6b5315f14089d314ca927b612a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b896c1fa2f1af00e61f4eaba3d23f3a2add81b6b5315f14089d314ca927b612a.exe"
  PID: 1496
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un730204.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un730204.exe
    PID: 4492
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un368033.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un368033.exe
      PID: 4972
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr178941.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr178941.exe
        PID: 3620
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 1080
          PID: 1524
          - Program crash

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu754103.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu754103.exe
        PID: 1988
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3620 -ip 3620
  PID: 3348
Network
MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (1)
      Windows Service (1)
Downloads