Analysis
max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
04/11/2024, 20:51
Static task
static1
Behavioral task
behavioral1
Sample
6485f72d6dd24c7886a518bba2e857336e63ab84102129e2b5f454c45d6d6a59.exe
Resource
win10v2004-20241007-en
General
Target
6485f72d6dd24c7886a518bba2e857336e63ab84102129e2b5f454c45d6d6a59.exe
Size
700KB
MD5
870e9ab678ee4dc285abf7fa7e57ab5c
SHA1
1d8c86852a8902c76ec7189e7778635d10b15aab
SHA256
6485f72d6dd24c7886a518bba2e857336e63ab84102129e2b5f454c45d6d6a59
SHA512
aa61cad3ada10cb3e0b1e674a2ba3261468c82fb4f75e993e9a9e0be5d2cd650029565d577ac58c6d32b0610d10abcbb1b9b65abcfd5113bff1e3cf95ef09f6d
SSDEEP
12288:9y90igM9RacAnu4VwAisvwAZ6wo7x3rwbjzSTvYv9mSIqiAqyXOyE:9yfg+RdIu4Vl/T6v7lsjzhvd/CyPE
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
resource yara_rule behavioral1/memory/2100-18-0x0000000004810000-0x000000000482A000-memory.dmp healer behavioral1/memory/2100-20-0x00000000048E0000-0x00000000048F8000-memory.dmp healer behavioral1/memory/2100-24-0x00000000048E0000-0x00000000048F2000-memory.dmp healer behavioral1/memory/2100-48-0x00000000048E0000-0x00000000048F2000-memory.dmp healer behavioral1/memory/2100-46-0x00000000048E0000-0x00000000048F2000-memory.dmp healer behavioral1/memory/2100-44-0x00000000048E0000-0x00000000048F2000-memory.dmp healer behavioral1/memory/2100-42-0x00000000048E0000-0x00000000048F2000-memory.dmp healer behavioral1/memory/2100-40-0x00000000048E0000-0x00000000048F2000-memory.dmp healer behavioral1/memory/2100-38-0x00000000048E0000-0x00000000048F2000-memory.dmp healer behavioral1/memory/2100-36-0x00000000048E0000-0x00000000048F2000-memory.dmp healer behavioral1/memory/2100-34-0x00000000048E0000-0x00000000048F2000-memory.dmp healer behavioral1/memory/2100-32-0x00000000048E0000-0x00000000048F2000-memory.dmp healer behavioral1/memory/2100-30-0x00000000048E0000-0x00000000048F2000-memory.dmp healer behavioral1/memory/2100-29-0x00000000048E0000-0x00000000048F2000-memory.dmp healer behavioral1/memory/2100-26-0x00000000048E0000-0x00000000048F2000-memory.dmp healer behavioral1/memory/2100-21-0x00000000048E0000-0x00000000048F2000-memory.dmp healer behavioral1/memory/2100-22-0x00000000048E0000-0x00000000048F2000-memory.dmp healer -
Healer family
Modifies Windows Defender Real-time Protection settings
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  97297657.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  97297657.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  97297657.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  97297657.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  97297657.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  97297657.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 20 IoCs
resource yara_rule behavioral1/memory/404-60-0x0000000004AA0000-0x0000000004ADC000-memory.dmp family_redline behavioral1/memory/404-61-0x0000000007760000-0x000000000779A000-memory.dmp family_redline behavioral1/memory/404-83-0x0000000007760000-0x0000000007795000-memory.dmp family_redline behavioral1/memory/404-95-0x0000000007760000-0x0000000007795000-memory.dmp family_redline behavioral1/memory/404-93-0x0000000007760000-0x0000000007795000-memory.dmp family_redline behavioral1/memory/404-91-0x0000000007760000-0x0000000007795000-memory.dmp family_redline behavioral1/memory/404-89-0x0000000007760000-0x0000000007795000-memory.dmp family_redline behavioral1/memory/404-87-0x0000000007760000-0x0000000007795000-memory.dmp family_redline behavioral1/memory/404-85-0x0000000007760000-0x0000000007795000-memory.dmp family_redline behavioral1/memory/404-81-0x0000000007760000-0x0000000007795000-memory.dmp family_redline behavioral1/memory/404-79-0x0000000007760000-0x0000000007795000-memory.dmp family_redline behavioral1/memory/404-77-0x0000000007760000-0x0000000007795000-memory.dmp family_redline behavioral1/memory/404-75-0x0000000007760000-0x0000000007795000-memory.dmp family_redline behavioral1/memory/404-73-0x0000000007760000-0x0000000007795000-memory.dmp family_redline behavioral1/memory/404-71-0x0000000007760000-0x0000000007795000-memory.dmp family_redline behavioral1/memory/404-69-0x0000000007760000-0x0000000007795000-memory.dmp family_redline behavioral1/memory/404-67-0x0000000007760000-0x0000000007795000-memory.dmp family_redline behavioral1/memory/404-65-0x0000000007760000-0x0000000007795000-memory.dmp family_redline behavioral1/memory/404-63-0x0000000007760000-0x0000000007795000-memory.dmp family_redline behavioral1/memory/404-62-0x0000000007760000-0x0000000007795000-memory.dmp family_redline -
Redline family
Executes dropped EXE 3 IoCs
pid  Process
1184  un770446.exe
2100  97297657.exe
404  rk345435.exe
Windows security modification
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  97297657.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  97297657.exe
Adds Run key to start application 2 TTPs 2 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  6485f72d6dd24c7886a518bba2e857336e63ab84102129e2b5f454c45d6d6a59.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  un770446.exe
Program crash 1 IoCs
pid  pid_target  Process  procid_target
768  2100  WerFault.exe  89
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  6485f72d6dd24c7886a518bba2e857336e63ab84102129e2b5f454c45d6d6a59.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  un770446.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  97297657.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rk345435.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid  Process
2100  97297657.exe
2100  97297657.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description  pid  Process
Token: SeDebugPrivilege  2100  97297657.exe
Token: SeDebugPrivilege  404  rk345435.exe
Suspicious use of WriteProcessMemory 9 IoCs
description  pid  Process  procid_target
PID 3572 wrote to memory of 1184  3572  6485f72d6dd24c7886a518bba2e857336e63ab84102129e2b5f454c45d6d6a59.exe  88
PID 3572 wrote to memory of 1184  3572  6485f72d6dd24c7886a518bba2e857336e63ab84102129e2b5f454c45d6d6a59.exe  88
PID 3572 wrote to memory of 1184  3572  6485f72d6dd24c7886a518bba2e857336e63ab84102129e2b5f454c45d6d6a59.exe  88
PID 1184 wrote to memory of 2100  1184  un770446.exe  89
PID 1184 wrote to memory of 2100  1184  un770446.exe  89
PID 1184 wrote to memory of 2100  1184  un770446.exe  89
PID 1184 wrote to memory of 404  1184  un770446.exe  101
PID 1184 wrote to memory of 404  1184  un770446.exe  101
PID 1184 wrote to memory of 404  1184  un770446.exe  101
Processes
C:\Users\Admin\AppData\Local\Temp\6485f72d6dd24c7886a518bba2e857336e63ab84102129e2b5f454c45d6d6a59.exe (level 1)
command line: "C:\Users\Admin\AppData\Local\Temp\6485f72d6dd24c7886a518bba2e857336e63ab84102129e2b5f454c45d6d6a59.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3572
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un770446.exe (level 2)
  command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un770446.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1184
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\97297657.exe (level 3)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\97297657.exe
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2100
      C:\Windows\SysWOW64\WerFault.exe (level 4)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1084
      - Program crash
      PID:768
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk345435.exe (level 3)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk345435.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:404
C:\Windows\SysWOW64\WerFault.exe (level 1)
command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2100 -ip 2100
PID:1384
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
  Registry Run Keys / Startup Folder (1)
Create or Modify System Process (1)
  Windows Service (1)
Downloads
Filesize 546KB
MD5 2df42e270042bc79b9970f35df842f79
SHA1 13991519dc91da6627c02b7c651af5a65f23ea3c
SHA256 05dde7312c316da00303c5e6692c37c45c8899a7b4a5d64ca0704f9ad6c94426
SHA512 1c264bcc717f891c272346f2fa2ea87b95c26b9ce03f6f465733979daf63f06c731f28246dc4622160088c5a1cf88d1a2dd3e3618052eb30aa482ddfeb7d91f4
Filesize 269KB
MD5 66a146674d27555a907ee1626a176c82
SHA1 5dd83a6a0ebc91aa8f188994f93625fb37c6a363
SHA256 38e944a4bcfa8ff970d23896647173f9616178923a36b41477bb6540e3bb59fd
SHA512 3a45656d9c86839312a69fcf98c62fad72fc17f7a5cb50dbe0cba65fa9a165055b86c6d8e84d52936fbac2bd6ac877488e0e086b31a59a7a6c63ed65158597f1
Filesize 353KB
MD5 29a7a3908628bda65a27921cd0949e75
SHA1 c04b735e868b91a8725c09219ae4704c4aa6e7b0
SHA256 a64d512802e7e679262d42ea2a24a400b1f5a15cd28109c3aed74968cdf267a0
SHA512 0267fc36f70118a306c63e7a1a21643433ab2431add18cd45d3285de3d502f8eb6a1b6fecaee59ebf62ae9fead8ac5eeeb0b5d2e4fe6954e517518b4345626f2