Analysis
max time kernel: 144s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 03:48
Static task: static1
Behavioral task: behavioral1
Sample: 832eca59de3f5f6be9e83401d5d8bb723bc42fab48c92165d7b9afadc6cd4365.exe
Resource: win10v2004-20241007-en
General
Target: 832eca59de3f5f6be9e83401d5d8bb723bc42fab48c92165d7b9afadc6cd4365.exe
Size: 697KB
MD5: a258cbf75906073cc70f705df281025c
SHA1: a9c4a8cae5777883ab4c46f43a604bbbe0f8e7b0
SHA256: 832eca59de3f5f6be9e83401d5d8bb723bc42fab48c92165d7b9afadc6cd4365
SHA512: 8b2ef4d073a4c438d5a07225b1382757e80636580283689f662ffe018de808c627f105583d18a3315922c4f4cae8d90bf56fd800dc747f4392368425242b6759
SSDEEP: 12288:Zy906GmY0R68tmAFCY82Ydv9a6WTTEUlBHUKgjTr89gj/GtUYNHm6wQh:Zy/Yr8tXFxm9WEaB0KgjP89gj406w4
Malware Config
Signatures
Detects Healer an antivirus disabler dropper  17 IoCs
resource  yara_rule
behavioral1/memory/2396-18-0x0000000004800000-0x000000000481A000-memory.dmp  healer
behavioral1/memory/2396-20-0x0000000004A20000-0x0000000004A38000-memory.dmp  healer
behavioral1/memory/2396-42-0x0000000004A20000-0x0000000004A33000-memory.dmp  healer
behavioral1/memory/2396-48-0x0000000004A20000-0x0000000004A33000-memory.dmp  healer
behavioral1/memory/2396-46-0x0000000004A20000-0x0000000004A33000-memory.dmp  healer
behavioral1/memory/2396-44-0x0000000004A20000-0x0000000004A33000-memory.dmp  healer
behavioral1/memory/2396-40-0x0000000004A20000-0x0000000004A33000-memory.dmp  healer
behavioral1/memory/2396-38-0x0000000004A20000-0x0000000004A33000-memory.dmp  healer
behavioral1/memory/2396-36-0x0000000004A20000-0x0000000004A33000-memory.dmp  healer
behavioral1/memory/2396-34-0x0000000004A20000-0x0000000004A33000-memory.dmp  healer
behavioral1/memory/2396-32-0x0000000004A20000-0x0000000004A33000-memory.dmp  healer
behavioral1/memory/2396-30-0x0000000004A20000-0x0000000004A33000-memory.dmp  healer
behavioral1/memory/2396-28-0x0000000004A20000-0x0000000004A33000-memory.dmp  healer
behavioral1/memory/2396-26-0x0000000004A20000-0x0000000004A33000-memory.dmp  healer
behavioral1/memory/2396-24-0x0000000004A20000-0x0000000004A33000-memory.dmp  healer
behavioral1/memory/2396-22-0x0000000004A20000-0x0000000004A33000-memory.dmp  healer
behavioral1/memory/2396-21-0x0000000004A20000-0x0000000004A33000-memory.dmp  healer
Healer family

Modifies Windows Defender Real-time Protection settings
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  19379554.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  19379554.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  19379554.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  19379554.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  19379554.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  19379554.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload  20 IoCs
resource  yara_rule
behavioral1/memory/3544-60-0x0000000004BD0000-0x0000000004C0C000-memory.dmp  family_redline
behavioral1/memory/3544-61-0x00000000070D0000-0x000000000710A000-memory.dmp  family_redline
behavioral1/memory/3544-65-0x00000000070D0000-0x0000000007105000-memory.dmp  family_redline
behavioral1/memory/3544-73-0x00000000070D0000-0x0000000007105000-memory.dmp  family_redline
behavioral1/memory/3544-95-0x00000000070D0000-0x0000000007105000-memory.dmp  family_redline
behavioral1/memory/3544-93-0x00000000070D0000-0x0000000007105000-memory.dmp  family_redline
behavioral1/memory/3544-92-0x00000000070D0000-0x0000000007105000-memory.dmp  family_redline
behavioral1/memory/3544-87-0x00000000070D0000-0x0000000007105000-memory.dmp  family_redline
behavioral1/memory/3544-85-0x00000000070D0000-0x0000000007105000-memory.dmp  family_redline
behavioral1/memory/3544-83-0x00000000070D0000-0x0000000007105000-memory.dmp  family_redline
behavioral1/memory/3544-81-0x00000000070D0000-0x0000000007105000-memory.dmp  family_redline
behavioral1/memory/3544-79-0x00000000070D0000-0x0000000007105000-memory.dmp  family_redline
behavioral1/memory/3544-77-0x00000000070D0000-0x0000000007105000-memory.dmp  family_redline
behavioral1/memory/3544-75-0x00000000070D0000-0x0000000007105000-memory.dmp  family_redline
behavioral1/memory/3544-71-0x00000000070D0000-0x0000000007105000-memory.dmp  family_redline
behavioral1/memory/3544-69-0x00000000070D0000-0x0000000007105000-memory.dmp  family_redline
behavioral1/memory/3544-67-0x00000000070D0000-0x0000000007105000-memory.dmp  family_redline
behavioral1/memory/3544-89-0x00000000070D0000-0x0000000007105000-memory.dmp  family_redline
behavioral1/memory/3544-63-0x00000000070D0000-0x0000000007105000-memory.dmp  family_redline
behavioral1/memory/3544-62-0x00000000070D0000-0x0000000007105000-memory.dmp  family_redline

Redline family
Executes dropped EXE  3 IoCs
pid  Process
2260  un452656.exe
2396  19379554.exe
3544  rk347010.exe

Windows security modification
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  19379554.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  19379554.exe
Adds Run key to start application  2 TTPs  2 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  832eca59de3f5f6be9e83401d5d8bb723bc42fab48c92165d7b9afadc6cd4365.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  un452656.exe

Program crash  1 IoCs
pid  pid_target  Process  procid_target
2620  2396  WerFault.exe  84
System Location Discovery: System Language Discovery  1 TTPs  4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  19379554.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rk347010.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  832eca59de3f5f6be9e83401d5d8bb723bc42fab48c92165d7b9afadc6cd4365.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  un452656.exe
Suspicious behavior: EnumeratesProcesses  2 IoCs
pid  Process
2396  19379554.exe
2396  19379554.exe

Suspicious use of AdjustPrivilegeToken  2 IoCs
description  pid  Process
Token: SeDebugPrivilege  2396  19379554.exe
Token: SeDebugPrivilege  3544  rk347010.exe

Suspicious use of WriteProcessMemory  9 IoCs
description  pid  Process  procid_target
PID 2192 wrote to memory of 2260  2192  832eca59de3f5f6be9e83401d5d8bb723bc42fab48c92165d7b9afadc6cd4365.exe  83
PID 2192 wrote to memory of 2260  2192  832eca59de3f5f6be9e83401d5d8bb723bc42fab48c92165d7b9afadc6cd4365.exe  83
PID 2192 wrote to memory of 2260  2192  832eca59de3f5f6be9e83401d5d8bb723bc42fab48c92165d7b9afadc6cd4365.exe  83
PID 2260 wrote to memory of 2396  2260  un452656.exe  84
PID 2260 wrote to memory of 2396  2260  un452656.exe  84
PID 2260 wrote to memory of 2396  2260  un452656.exe  84
PID 2260 wrote to memory of 3544  2260  un452656.exe  95
PID 2260 wrote to memory of 3544  2260  un452656.exe  95
PID 2260 wrote to memory of 3544  2260  un452656.exe  95
Processes
C:\Users\Admin\AppData\Local\Temp\832eca59de3f5f6be9e83401d5d8bb723bc42fab48c92165d7b9afadc6cd4365.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\832eca59de3f5f6be9e83401d5d8bb723bc42fab48c92165d7b9afadc6cd4365.exe"
  PID: 2192
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un452656.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un452656.exe
    PID: 2260
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\19379554.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\19379554.exe
      PID: 2396
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 1080
        PID: 2620
        - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk347010.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk347010.exe
      PID: 3544
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2396 -ip 2396
  PID: 1988
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 543KB
MD5: b8e8b3033ef1f0deca001294e8eb9be9
SHA1: 3fb65ab92dc85e4c7aaaa2358e3f32ac5951d081
SHA256: 171e0a3630932ef901442f22fd75ce73db6df3cd7e970ee55c27738cb39eeb04
SHA512: 4f7855f25425b8188e39c826fac3a22fa41708955acb04e90b3e021fc7fc471538e45023bfee67c2364630f266f6a794d9dcc7b5978712d14aaf2f8ecbf9f6c2

Filesize: 265KB
MD5: 6d92b36a3c98cf8fa4f7bf8729c5aa58
SHA1: e5b743af225f670cfc79eb62157b91a8c79d0dce
SHA256: 029952fcc71ea8cbd361df9c4cbf65acd717c479348b559a8dec89517c0f4230
SHA512: de2f5d2f41fb82efec6b3ee8ba92121ee19e9899ee9206510f9e4019f0c7ca974e278e8866fb3d1fa9e67d740f4ff538cba514e3cecde0bcb306f9254d36bf4d

Filesize: 347KB
MD5: 6773e238ed0191d67b900e5c78774f20
SHA1: 61dbd0fad26412c19a11852501ed0cf49ce9da94
SHA256: edfdb17c21bc0a739193448951c14f1c79dd849f22e3a5955315aa139e9c3347
SHA512: 2e204da9c0cd97858b837f5c724ac6a375bd2057b854c998ab9bde804a5dd5d20929244200f480c119fe7bc84b22888b0a2d685bd260568d451e3c02a836164c