Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 03:54
Static task: static1
Behavioral task: behavioral1
Sample: 3ae4fd1a08e9692aa192fe223abd2549f1e500fef3c33af9882c59e82cb68da5.exe
Resource: win10v2004-20241007-en

General
Target: 3ae4fd1a08e9692aa192fe223abd2549f1e500fef3c33af9882c59e82cb68da5.exe
Size: 674KB
MD5: c2d95d5f4b15f1960082e5bbd038fcb5
SHA1: aafe96572833887d5b2ebcca433a59c30f6159fb
SHA256: 3ae4fd1a08e9692aa192fe223abd2549f1e500fef3c33af9882c59e82cb68da5
SHA512: 28c71b9785f735475e3c0d52d152ed957b7255f43e2463c8d1be4903648bd53619fa54988b46a6cac61a325cfc10fb6c7f0791fade917b33ec59d30770136c26
SSDEEP: 12288:Ry908n9DEnqdtJ0P7KTfa5+TrfqhL579fYVtL5yVj1CLQ0M3qN:RyBnZdtJ0PReShLd9UL5ynCQVG
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family
Modifies Windows Defender Real-time Protection settings
Process: 88805179.exe
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (21 IoCs)
Redline family
Executes dropped EXE (3 IoCs)
  - PID 1556: st051241.exe
  - PID 4120: 88805179.exe
  - PID 5024: kp694173.exe
Windows security modification
Process: 88805179.exe
  - Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 3ae4fd1a08e9692aa192fe223abd2549f1e500fef3c33af9882c59e82cb68da5.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: st051241.exe)
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 88805179.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: kp694173.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 3ae4fd1a08e9692aa192fe223abd2549f1e500fef3c33af9882c59e82cb68da5.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: st051241.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - PID 4120: 88805179.exe
  - PID 4120: 88805179.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, PID 4120, 88805179.exe
  - Token: SeDebugPrivilege, PID 5024, kp694173.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  - PID 2788 wrote to memory of 1556 (3ae4fd1a08e9692aa192fe223abd2549f1e500fef3c33af9882c59e82cb68da5.exe, procid_target 85), 3 times
  - PID 1556 wrote to memory of 4120 (st051241.exe, procid_target 86), 3 times
  - PID 1556 wrote to memory of 5024 (st051241.exe, procid_target 102), 3 times
Processes
C:\Users\Admin\AppData\Local\Temp\3ae4fd1a08e9692aa192fe223abd2549f1e500fef3c33af9882c59e82cb68da5.exe (PID 2788, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\3ae4fd1a08e9692aa192fe223abd2549f1e500fef3c33af9882c59e82cb68da5.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st051241.exe (PID 1556, level 2)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st051241.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\88805179.exe (PID 4120, level 3)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\88805179.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp694173.exe (PID 5024, level 3)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp694173.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
  - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process: Windows Service (1)
Downloads