Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 03:57
Static task: static1
Behavioral task: behavioral1
Sample: 583bb263cd22e44143c2871a7f787dc56704fde908d09ad6000f6bf4d0da885d.exe
Resource: win10v2004-20241007-en
General
Target: 583bb263cd22e44143c2871a7f787dc56704fde908d09ad6000f6bf4d0da885d.exe
Size: 943KB
MD5: a29e809d44553ccd266f174ea49b2d51
SHA1: 119559cd61e275cd468daa76d4797c7685154268
SHA256: 583bb263cd22e44143c2871a7f787dc56704fde908d09ad6000f6bf4d0da885d
SHA512: 8cf0022787aaa741a270367137fef0e910832995ff21db7d0825c637a0c8208f3eb1fd1ff4bcf168fed27ee681206bd5c442f66c3dc662a1972d0cf4e4a567af
SSDEEP: 24576:RyXSNrtnBivPFdpx0WbKdmNnsC6Ch+7LvQak3M+yoqKNi:EXSNrdjdm6C6CUPQak3Mp2
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper 17 IoCs
Healer family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr626159.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr626159.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr626159.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr626159.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr626159.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr626159.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 20 IoCs
Redline family
Executes dropped EXE 4 IoCs
pid | Process
532 | un240096.exe
4920 | un268820.exe
964 | pr626159.exe
448 | qu648139.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr626159.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr626159.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un240096.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | un268820.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 583bb263cd22e44143c2871a7f787dc56704fde908d09ad6000f6bf4d0da885d.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
3028 | 964 | WerFault.exe | 87
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un268820.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pr626159.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu648139.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 583bb263cd22e44143c2871a7f787dc56704fde908d09ad6000f6bf4d0da885d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un240096.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
964 | pr626159.exe
964 | pr626159.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 964 | pr626159.exe
Token: SeDebugPrivilege | 448 | qu648139.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 5068 wrote to memory of 532 | 5068 | 583bb263cd22e44143c2871a7f787dc56704fde908d09ad6000f6bf4d0da885d.exe | 84
PID 5068 wrote to memory of 532 | 5068 | 583bb263cd22e44143c2871a7f787dc56704fde908d09ad6000f6bf4d0da885d.exe | 84
PID 5068 wrote to memory of 532 | 5068 | 583bb263cd22e44143c2871a7f787dc56704fde908d09ad6000f6bf4d0da885d.exe | 84
PID 532 wrote to memory of 4920 | 532 | un240096.exe | 85
PID 532 wrote to memory of 4920 | 532 | un240096.exe | 85
PID 532 wrote to memory of 4920 | 532 | un240096.exe | 85
PID 4920 wrote to memory of 964 | 4920 | un268820.exe | 87
PID 4920 wrote to memory of 964 | 4920 | un268820.exe | 87
PID 4920 wrote to memory of 964 | 4920 | un268820.exe | 87
PID 4920 wrote to memory of 448 | 4920 | un268820.exe | 100
PID 4920 wrote to memory of 448 | 4920 | un268820.exe | 100
PID 4920 wrote to memory of 448 | 4920 | un268820.exe | 100
Processes (indentation shows the parent/child tree)
C:\Users\Admin\AppData\Local\Temp\583bb263cd22e44143c2871a7f787dc56704fde908d09ad6000f6bf4d0da885d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\583bb263cd22e44143c2871a7f787dc56704fde908d09ad6000f6bf4d0da885d.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 5068
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un240096.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un240096.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 532
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un268820.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un268820.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4920
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr626159.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr626159.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 964
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1012
          - Program crash
          PID: 3028
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu648139.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu648139.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 448
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 964 -ip 964
  PID: 3920
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads