Analysis
- Max time kernel: 143s
- Max time network: 148s
- Platform: windows10-2004_x64
- Resource: win10v2004-20241007-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 09/11/2024, 03:50
Static task: static1
Behavioral task: behavioral1
Sample: 7ab02532136b0f8dc42de866be5bac0cad35532b51776d2489f041c81961c365.exe
Resource: win10v2004-20241007-en
General
- Target: 7ab02532136b0f8dc42de866be5bac0cad35532b51776d2489f041c81961c365.exe
- Size: 691KB
- MD5: 135e833eba52dc3a629f9db8dafa94a3
- SHA1: 20c2b9be22893d577396cc17a9f5a7d3cb29e650
- SHA256: 7ab02532136b0f8dc42de866be5bac0cad35532b51776d2489f041c81961c365
- SHA512: b180bb2bfd94af9fa66dc84bde158a26df3b0e66594a047d397f6921be8557b294032b1e32e6ade770fe4b410e5ad34918ec54c525f0a92853c9dca6c6200d28
- SSDEEP: 12288:+y90YDZ6hErxzJBv0bVpBL3mqp4SuyCZR4V/e2m7zfKANB3P32xUL:+y/ldzJNYX3mfygsG2hANQOL
Malware Config
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
resource / yara_rule:
- behavioral1/memory/3376-19-0x00000000022D0000-0x00000000022EA000-memory.dmp healer
- behavioral1/memory/3376-21-0x0000000002450000-0x0000000002468000-memory.dmp healer
- behavioral1/memory/3376-37-0x0000000002450000-0x0000000002463000-memory.dmp healer
- behavioral1/memory/3376-49-0x0000000002450000-0x0000000002463000-memory.dmp healer
- behavioral1/memory/3376-47-0x0000000002450000-0x0000000002463000-memory.dmp healer
- behavioral1/memory/3376-43-0x0000000002450000-0x0000000002463000-memory.dmp healer
- behavioral1/memory/3376-41-0x0000000002450000-0x0000000002463000-memory.dmp healer
- behavioral1/memory/3376-35-0x0000000002450000-0x0000000002463000-memory.dmp healer
- behavioral1/memory/3376-34-0x0000000002450000-0x0000000002463000-memory.dmp healer
- behavioral1/memory/3376-31-0x0000000002450000-0x0000000002463000-memory.dmp healer
- behavioral1/memory/3376-29-0x0000000002450000-0x0000000002463000-memory.dmp healer
- behavioral1/memory/3376-27-0x0000000002450000-0x0000000002463000-memory.dmp healer
- behavioral1/memory/3376-26-0x0000000002450000-0x0000000002463000-memory.dmp healer
- behavioral1/memory/3376-45-0x0000000002450000-0x0000000002463000-memory.dmp healer
- behavioral1/memory/3376-39-0x0000000002450000-0x0000000002463000-memory.dmp healer
- behavioral1/memory/3376-23-0x0000000002450000-0x0000000002463000-memory.dmp healer
- behavioral1/memory/3376-22-0x0000000002450000-0x0000000002463000-memory.dmp healer
Healer family

Modifies Windows Defender Real-time Protection settings
description / ioc / Process:
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (72294122.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (72294122.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (72294122.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (72294122.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (72294122.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (72294122.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
resource / yara_rule:
- behavioral1/files/0x000a000000023b8b-67.dat family_redline
- behavioral1/memory/2764-68-0x0000000002390000-0x00000000023CC000-memory.dmp family_redline
- behavioral1/memory/2764-70-0x00000000049B0000-0x00000000049EA000-memory.dmp family_redline
- behavioral1/memory/4288-71-0x0000000000700000-0x0000000000728000-memory.dmp family_redline
- behavioral1/memory/2764-93-0x00000000049B0000-0x00000000049E5000-memory.dmp family_redline
- behavioral1/memory/2764-101-0x00000000049B0000-0x00000000049E5000-memory.dmp family_redline
- behavioral1/memory/2764-99-0x00000000049B0000-0x00000000049E5000-memory.dmp family_redline
- behavioral1/memory/2764-97-0x00000000049B0000-0x00000000049E5000-memory.dmp family_redline
- behavioral1/memory/2764-95-0x00000000049B0000-0x00000000049E5000-memory.dmp family_redline
- behavioral1/memory/2764-91-0x00000000049B0000-0x00000000049E5000-memory.dmp family_redline
- behavioral1/memory/2764-89-0x00000000049B0000-0x00000000049E5000-memory.dmp family_redline
- behavioral1/memory/2764-87-0x00000000049B0000-0x00000000049E5000-memory.dmp family_redline
- behavioral1/memory/2764-85-0x00000000049B0000-0x00000000049E5000-memory.dmp family_redline
- behavioral1/memory/2764-83-0x00000000049B0000-0x00000000049E5000-memory.dmp family_redline
- behavioral1/memory/2764-81-0x00000000049B0000-0x00000000049E5000-memory.dmp family_redline
- behavioral1/memory/2764-79-0x00000000049B0000-0x00000000049E5000-memory.dmp family_redline
- behavioral1/memory/2764-77-0x00000000049B0000-0x00000000049E5000-memory.dmp family_redline
- behavioral1/memory/2764-75-0x00000000049B0000-0x00000000049E5000-memory.dmp family_redline
- behavioral1/memory/2764-73-0x00000000049B0000-0x00000000049E5000-memory.dmp family_redline
- behavioral1/memory/2764-72-0x00000000049B0000-0x00000000049E5000-memory.dmp family_redline
Redline family

Executes dropped EXE (5 IoCs)
pid / Process:
- 1312 un278165.exe
- 3376 72294122.exe
- 3984 rk339003.exe
- 2764 rk339003.exe
- 4288 si610323.exe
Windows security modification
description / ioc / Process:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (72294122.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (72294122.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
description / ioc / Process:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (7ab02532136b0f8dc42de866be5bac0cad35532b51776d2489f041c81961c365.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un278165.exe)
Suspicious use of SetThreadContext (1 IoC)
description / pid / Process / procid_target:
- PID 3984 set thread context of 2764 (3984 rk339003.exe, target 96)

Program crash (1 IoC)
pid / pid_target / Process / procid_target:
- 5044 / 3376 / WerFault.exe / 84
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (72294122.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rk339003.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rk339003.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (si610323.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (7ab02532136b0f8dc42de866be5bac0cad35532b51776d2489f041c81961c365.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (un278165.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid / Process:
- 3376 72294122.exe
- 3376 72294122.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / Process:
- Token: SeDebugPrivilege, 3376 72294122.exe
- Token: SeDebugPrivilege, 2764 rk339003.exe

Suspicious use of WriteProcessMemory (21 IoCs)
description / pid / Process / procid_target (repeated entries grouped):
- PID 2216 wrote to memory of 1312 (2216 7ab02532136b0f8dc42de866be5bac0cad35532b51776d2489f041c81961c365.exe, target 83), 3 entries
- PID 1312 wrote to memory of 3376 (1312 un278165.exe, target 84), 3 entries
- PID 1312 wrote to memory of 3984 (1312 un278165.exe, target 95), 3 entries
- PID 3984 wrote to memory of 2764 (3984 rk339003.exe, target 96), 9 entries
- PID 2216 wrote to memory of 4288 (2216 7ab02532136b0f8dc42de866be5bac0cad35532b51776d2489f041c81961c365.exe, target 97), 3 entries
Processes

- C:\Users\Admin\AppData\Local\Temp\7ab02532136b0f8dc42de866be5bac0cad35532b51776d2489f041c81961c365.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7ab02532136b0f8dc42de866be5bac0cad35532b51776d2489f041c81961c365.exe"
  PID: 2216
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un278165.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un278165.exe
    PID: 1312
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\72294122.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\72294122.exe
      PID: 3376
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      - C:\Windows\SysWOW64\WerFault.exe (depth 4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1084
        PID: 5044
        - Program crash

    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk339003.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk339003.exe
      PID: 3984
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk339003.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk339003.exe
        PID: 2764
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si610323.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si610323.exe
    PID: 4288
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

- C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3376 -ip 3376
  PID: 3164
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

- Filesize: 136KB
  MD5: e1c805d3cefe221689da30b8a2d944f2
  SHA1: a9a94fd89ed22c2a127c81f6e57f822eae1d9f26
  SHA256: 32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a
  SHA512: 7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

- Filesize: 537KB
  MD5: 12da2783e1b432da607735c52ce07dbf
  SHA1: 2ac7094fe57501e5f7f08c6d80f77c619434abc4
  SHA256: d87b2f4948b50d549980c6bcfa461f150d06eb4d11272832c95e16a0dcd762d7
  SHA512: 2b8e49c1cd8f9f36b12612ed8515743a8c3910e1ce835635f4db6ebb1f6e05ff7193eacdc6c2f783df24da46acef12dbb0ae61648093302e907d93491a74ed92

- Filesize: 259KB
  MD5: 4b041848170889675eee3ef3a00f051e
  SHA1: e5d6b1e0a20b41f0f03c69125daa9a4e66dd014a
  SHA256: 80dadce5be2f032ff070ad07aa321fcf8a02604d686fb59dcf9ba47b4c1ce9ab
  SHA512: 4d92bbf0f2b0de9551f5c2d2b32b95befd963d9b85c1f574f359d152e87506728044231c6d19b6db4a49877b22dd32068bb6abe5b4f3a035080b51a7339d1989

- Filesize: 342KB
  MD5: d9482cf2d5c5624cab3098b6d6ba6a88
  SHA1: aedfc5a1b6fa76377d8d3f6c7c3bfff9b969820c
  SHA256: ecaa6197ed8732043962cd6c65af0d14570bb4b9442d415bee999e708418149c
  SHA512: b6e295a5b4591f99d285d036fed72066931c221cff0a2258df1235376bfe7eb13106943231407b6e1bccf685b0e5696cd294389b0e87d400ec7f2def4221ca93