Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 03:47
Static task: static1
Behavioral task: behavioral1
Sample: 85815574a947db48abab8e9a97d1d7b0846d1e0970bbb649966069d32ad2e7b0.exe
Resource: win10v2004-20241007-en
General
Target: 85815574a947db48abab8e9a97d1d7b0846d1e0970bbb649966069d32ad2e7b0.exe
Size: 966KB
MD5: c7ad3c8e9c80c92634bb4f070b2369bb
SHA1: d0ba9fba8c322ee8db823735ef6676265efd7299
SHA256: 85815574a947db48abab8e9a97d1d7b0846d1e0970bbb649966069d32ad2e7b0
SHA512: 648f91f81df095f3ee4efc262dd28190df1e132626cf474d66c6f221dbac99eef5238cd80335db3a1657a6a8b420918c610f810e4ab910b55ebea6b46b22fe51
SSDEEP: 24576:EyiYVQcDzEerAoLuO1oxC4FOcTGK0UvDq:TNVQcDAaTroxC4FOcT
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Matched by yara rule "healer" on 17 memory dumps of process 4916 (behavioral1).
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
Process pr795408.exe:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Matched by yara rule "family_redline" on 20 memory dumps of process 3684 (behavioral1).
RedLine family

Executes dropped EXE (4 IoCs)
- PID 4340: un317602.exe
- PID 3416: un209347.exe
- PID 4916: pr795408.exe
- PID 3684: qu541519.exe
Windows security modification (2 IoCs)
Process pr795408.exe:
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application (2 TTPs, 3 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: un317602.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (process: un209347.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 85815574a947db48abab8e9a97d1d7b0846d1e0970bbb649966069d32ad2e7b0.exe)

Program crash (1 IoC)
- PID 3452 (WerFault.exe), pid_target 4916, procid_target 87
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: un317602.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: un209347.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: pr795408.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: qu541519.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 85815574a947db48abab8e9a97d1d7b0846d1e0970bbb649966069d32ad2e7b0.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 4916: pr795408.exe
- PID 4916: pr795408.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 4916, pr795408.exe
- Token: SeDebugPrivilege, PID 3684, qu541519.exe

Suspicious use of WriteProcessMemory (12 IoCs)
- PID 5116 wrote to memory of 4340 (5116 85815574a947db48abab8e9a97d1d7b0846d1e0970bbb649966069d32ad2e7b0.exe, procid_target 83)
- PID 5116 wrote to memory of 4340 (5116 85815574a947db48abab8e9a97d1d7b0846d1e0970bbb649966069d32ad2e7b0.exe, procid_target 83)
- PID 5116 wrote to memory of 4340 (5116 85815574a947db48abab8e9a97d1d7b0846d1e0970bbb649966069d32ad2e7b0.exe, procid_target 83)
- PID 4340 wrote to memory of 3416 (4340 un317602.exe, procid_target 86)
- PID 4340 wrote to memory of 3416 (4340 un317602.exe, procid_target 86)
- PID 4340 wrote to memory of 3416 (4340 un317602.exe, procid_target 86)
- PID 3416 wrote to memory of 4916 (3416 un209347.exe, procid_target 87)
- PID 3416 wrote to memory of 4916 (3416 un209347.exe, procid_target 87)
- PID 3416 wrote to memory of 4916 (3416 un209347.exe, procid_target 87)
- PID 3416 wrote to memory of 3684 (3416 un209347.exe, procid_target 100)
- PID 3416 wrote to memory of 3684 (3416 un209347.exe, procid_target 100)
- PID 3416 wrote to memory of 3684 (3416 un209347.exe, procid_target 100)
Processes (indented entries are child processes of the entry above them)

C:\Users\Admin\AppData\Local\Temp\85815574a947db48abab8e9a97d1d7b0846d1e0970bbb649966069d32ad2e7b0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\85815574a947db48abab8e9a97d1d7b0846d1e0970bbb649966069d32ad2e7b0.exe"
  PID: 5116
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un317602.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un317602.exe
    PID: 4340
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un209347.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un209347.exe
      PID: 3416
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr795408.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr795408.exe
        PID: 4916
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 1080
          PID: 3452
          - Program crash

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu541519.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu541519.exe
        PID: 3684
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4916 -ip 4916
  PID: 4836
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads