Analysis
- max time kernel: 142s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 03:56
- Static task: static1
- Behavioral task: behavioral1
- Sample: ab2f235d205473d9c034562b255bc94867b126d3f4a63ae0947ff2b0eeefde34.exe
- Resource: win10v2004-20241007-en

General
- Target: ab2f235d205473d9c034562b255bc94867b126d3f4a63ae0947ff2b0eeefde34.exe
- Size: 690KB
- MD5: 3189d1b8a1a8d51c05af732377f00fe2
- SHA1: 8a0c7a8328afcb59ca7683519c17e65a57865d78
- SHA256: ab2f235d205473d9c034562b255bc94867b126d3f4a63ae0947ff2b0eeefde34
- SHA512: 54cf30a84988921052a7ecdf236116a655995323ca4048344202f231c3d8c8d436bacf3b54f150e27b7a2d30a447e3071d6bd18ae2106164f83446572bfb646b
- SSDEEP: 12288:ey90PwJ5PvfNuWZ0E1gSDaTUBOKPZqhZ2iy04lD2/mxQPeaka:eypp0u5yZ2T92/Yla
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper 17 IoCs
Healer family
Modifies Windows Defender Real-time Protection settings
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (64127825.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (64127825.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (64127825.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (64127825.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (64127825.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (64127825.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 20 IoCs
Redline family
Executes dropped EXE 3 IoCs
- PID 3160: un516722.exe
- PID 1964: 64127825.exe
- PID 4696: rk663454.exe

Windows security modification
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (64127825.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (64127825.exe)
Adds Run key to start application 2 TTPs 2 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (ab2f235d205473d9c034562b255bc94867b126d3f4a63ae0947ff2b0eeefde34.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un516722.exe)
Program crash 1 IoCs
- PID 1464, target PID 1964: WerFault.exe (procid_target 84)
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rk663454.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ab2f235d205473d9c034562b255bc94867b126d3f4a63ae0947ff2b0eeefde34.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (un516722.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (64127825.exe)
Suspicious behavior: EnumeratesProcesses 2 IoCs
- PID 1964: 64127825.exe
- PID 1964: 64127825.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
- Token: SeDebugPrivilege, PID 1964: 64127825.exe
- Token: SeDebugPrivilege, PID 4696: rk663454.exe
Suspicious use of WriteProcessMemory 9 IoCs
- PID 4352 wrote to memory of 3160: ab2f235d205473d9c034562b255bc94867b126d3f4a63ae0947ff2b0eeefde34.exe (procid_target 83)
- PID 4352 wrote to memory of 3160: ab2f235d205473d9c034562b255bc94867b126d3f4a63ae0947ff2b0eeefde34.exe (procid_target 83)
- PID 4352 wrote to memory of 3160: ab2f235d205473d9c034562b255bc94867b126d3f4a63ae0947ff2b0eeefde34.exe (procid_target 83)
- PID 3160 wrote to memory of 1964: un516722.exe (procid_target 84)
- PID 3160 wrote to memory of 1964: un516722.exe (procid_target 84)
- PID 3160 wrote to memory of 1964: un516722.exe (procid_target 84)
- PID 3160 wrote to memory of 4696: un516722.exe (procid_target 98)
- PID 3160 wrote to memory of 4696: un516722.exe (procid_target 98)
- PID 3160 wrote to memory of 4696: un516722.exe (procid_target 98)
Processes
- C:\Users\Admin\AppData\Local\Temp\ab2f235d205473d9c034562b255bc94867b126d3f4a63ae0947ff2b0eeefde34.exe (PID 4352)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ab2f235d205473d9c034562b255bc94867b126d3f4a63ae0947ff2b0eeefde34.exe"
  Signatures:
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un516722.exe (PID 3160)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un516722.exe
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\64127825.exe (PID 1964)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\64127825.exe
      Signatures:
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      Child processes:
      - C:\Windows\SysWOW64\WerFault.exe (PID 1464)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 1036
        Signatures:
        - Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk663454.exe (PID 4696)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk663454.exe
      Signatures:
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 4912)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1964 -ip 1964
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads
- Filesize: 536KB
  MD5: f920796126e5a114868007042c823dc0
  SHA1: deb6b2267582c1359e335997c7ebb7a7c0e6633c
  SHA256: 0155e26458f4315efc9e2af556be6248b86b9ce1fe079008f32c05f0ea81c854
  SHA512: 59c41771d2721c53fa9fcbb0bf7db953271d41953eba7bb3c0e0d6b4b34e54734221f1ef4ee401e0c8eeedf0de732f2f3350f3608af12de85edd11a68c86cfcd
- Filesize: 259KB
  MD5: b42101ff23b3f40df56254f72bb99439
  SHA1: ec9a534fe1652f576e54a077b9329260339ff5ea
  SHA256: 435110f8c7ab4b1d1403d2189f675f3040be33522033a7625052bde575667905
  SHA512: 2feb26c6348b4c49ce8b02391132d916c4e575f94b5042edd16fd4f0377372eb7cc6e9f64913ee3855a4b71f14b6a6e12f25d3fb1614d639340700067c627b86
- Filesize: 341KB
  MD5: 5fb471dadbcf84f68d83fe84573461f1
  SHA1: b25249fc9262652b72a23db9470509cc0112ceb3
  SHA256: 7aa75dbbdcea9f09ae64492280158f00bef2fd4c47473f2b84ab336d352768ff
  SHA512: 719e599d696cea6f1bbbeb6574af10fd7339c2268b576a58b9cab19d2165212f0fc14a2057248453291f258146f58ce36027e03203ef89661e74996f759c11aa