Analysis
max time kernel: 144s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 03:50
Static task: static1
Behavioral task: behavioral1
Sample: f1b35a805ca57290655c7db8112f5ab9388eef8d2e7cfe8d4b9a5c6d411f63cc.exe
Resource: win10v2004-20241007-en
General
Target: f1b35a805ca57290655c7db8112f5ab9388eef8d2e7cfe8d4b9a5c6d411f63cc.exe
Size: 695KB
MD5: 8980a9db3873b3dc19cb280771636d2c
SHA1: fe12c476cbac5048ee14d95fbbde435aa5cca59a
SHA256: f1b35a805ca57290655c7db8112f5ab9388eef8d2e7cfe8d4b9a5c6d411f63cc
SHA512: 7c040129a03f22c0eff9b05aeab9368fa98c7fa6e11385cdb3d2a5ad64a678790c102faa7f78ef4d64ace54f5387659c799b164feae02d31af01a38b79ebb48a
SSDEEP: 12288:ny90+3BuJmBGuO/sz/+tZ9COJq9Imxr8ZXLWT6rD18bAKdA+u3TCk:ny/uJRqz/+tXCVb6m6rD18bAuCCk
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs: yara rule "healer" matched on memory dumps of PID 3644)
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"   77251448.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"   77251448.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection   77251448.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"   77251448.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"   77251448.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"   77251448.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs: yara rule "family_redline" matched on memory dumps of PID 4568)
Redline family
Executes dropped EXE (3 IoCs)
  PID 1688  un982593.exe
  PID 3644  77251448.exe
  PID 4568  rk023796.exe

Windows security modification (2 IoCs)
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features   77251448.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"   77251448.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""   f1b35a805ca57290655c7db8112f5ab9388eef8d2e7cfe8d4b9a5c6d411f63cc.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""   un982593.exe
Both values are the RunOnce cleanup stubs that the Windows IExpress/wextract self-extractor registers to delete its IXP*.TMP extraction directory at the next logon; they reference the temporary directories rather than the dropped payloads.
Program crash (1 IoCs)
  PID 5080  WerFault.exe  (pid_target 3644, procid_target 86)
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   f1b35a805ca57290655c7db8112f5ab9388eef8d2e7cfe8d4b9a5c6d411f63cc.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   un982593.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   77251448.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rk023796.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3644  77251448.exe
  PID 3644  77251448.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 3644  77251448.exe
  Token: SeDebugPrivilege  PID 4568  rk023796.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 5056 wrote to memory of 1688   f1b35a805ca57290655c7db8112f5ab9388eef8d2e7cfe8d4b9a5c6d411f63cc.exe   procid_target 84
  PID 5056 wrote to memory of 1688   f1b35a805ca57290655c7db8112f5ab9388eef8d2e7cfe8d4b9a5c6d411f63cc.exe   procid_target 84
  PID 5056 wrote to memory of 1688   f1b35a805ca57290655c7db8112f5ab9388eef8d2e7cfe8d4b9a5c6d411f63cc.exe   procid_target 84
  PID 1688 wrote to memory of 3644   un982593.exe   procid_target 86
  PID 1688 wrote to memory of 3644   un982593.exe   procid_target 86
  PID 1688 wrote to memory of 3644   un982593.exe   procid_target 86
  PID 1688 wrote to memory of 4568   un982593.exe   procid_target 96
  PID 1688 wrote to memory of 4568   un982593.exe   procid_target 96
  PID 1688 wrote to memory of 4568   un982593.exe   procid_target 96
Processes
1  C:\Users\Admin\AppData\Local\Temp\f1b35a805ca57290655c7db8112f5ab9388eef8d2e7cfe8d4b9a5c6d411f63cc.exe  (PID 5056)
   command line: "C:\Users\Admin\AppData\Local\Temp\f1b35a805ca57290655c7db8112f5ab9388eef8d2e7cfe8d4b9a5c6d411f63cc.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un982593.exe  (PID 1688)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un982593.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77251448.exe  (PID 3644)
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77251448.exe
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         4  C:\Windows\SysWOW64\WerFault.exe  (PID 5080)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 1088
            - Program crash
      3  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk023796.exe  (PID 4568)
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk023796.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
1  C:\Windows\SysWOW64\WerFault.exe  (PID 3244)
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3644 -ip 3644
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 541KB
MD5: dc4e4d669ee667f9e50e7d383986e1b1
SHA1: 6399d21ad94d2d3e97c4a98fa532ff5fca124071
SHA256: 535cdbc4879e81356d3c9e1d83b414c3f39e6c29a618a4cd2af99125f8f3879e
SHA512: 98e7d7820d9676b26762b7b51b1db5dbf9ac96e9186d801c010cade987ed391e191e80fb5aeab816b4310558c5c55557fb6c7b8688d3116efb9f4708ed669768

Filesize: 258KB
MD5: b582c4713bac7e1aaa73285697222f6e
SHA1: 753dfa5a18857b743aee7405c22f7b0987d23450
SHA256: 8228ec55b8360cc0895a320912c970155316ebfccc5fe4efb0647c69f507eb1d
SHA512: a24ca97130602fd2cac94ae04e44af51aa3f538c12dc1528db200daf50f1c40b4fe883a6d4f7d8bfbae0505b8df43b396d72b2d4c0baebb43822776c3ec3cf65

Filesize: 340KB
MD5: 6b2882ac5118675e8ea83cd62887c449
SHA1: 473b8579fd1f46e01d951b547790004fa718534a
SHA256: 9490d92fe152c6af45eee9569ad9cbd46b38127bc2670527bd72ca8a30a02e4b
SHA512: 961877dba91efe6c53d93f4df461b2dae7dd1caa575294610fea1b795c41cb61d750a31fd3327785b3231a20c66637ee9b5b83ec2c85d10e9800cb4b2b091ce4