Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 05:03
Static task
static1
Behavioral task
behavioral1
Sample
1e9f281bf8bdf2e847fefd7a791ca2c70db8f1ad0b4cd5bd5794a842e4d6eb84.exe
Resource
win10v2004-20241007-en
General
-
Target
1e9f281bf8bdf2e847fefd7a791ca2c70db8f1ad0b4cd5bd5794a842e4d6eb84.exe
-
Size
689KB
-
MD5
34c1d684ebcd654b45aea2dc4d1e86bc
-
SHA1
08814ba63c43e5acc851dfd125298cb0882833a5
-
SHA256
1e9f281bf8bdf2e847fefd7a791ca2c70db8f1ad0b4cd5bd5794a842e4d6eb84
-
SHA512
a1448fa245024c2271da3eae8740e18e569bc87a0f52dead70e4786838a6ad45d5a562de6e71f5da6a88f3e68be511f8f308a03b6cdd355b7c3c3e4f81e428da
-
SSDEEP
12288:ty90kgxikUwSjhuph1dDExQB3zZIJPGiBiMj/qNbrLBrLF64ST/z9a2rKCW0+7:tyYxinwSjUp9DEGzZCGioMuNb3BrLF6u
Malware Config
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/116-19-0x0000000002250000-0x000000000226A000-memory.dmp healer behavioral1/memory/116-21-0x0000000002500000-0x0000000002518000-memory.dmp healer behavioral1/memory/116-47-0x0000000002500000-0x0000000002513000-memory.dmp healer behavioral1/memory/116-49-0x0000000002500000-0x0000000002513000-memory.dmp healer behavioral1/memory/116-45-0x0000000002500000-0x0000000002513000-memory.dmp healer behavioral1/memory/116-43-0x0000000002500000-0x0000000002513000-memory.dmp healer behavioral1/memory/116-41-0x0000000002500000-0x0000000002513000-memory.dmp healer behavioral1/memory/116-39-0x0000000002500000-0x0000000002513000-memory.dmp healer behavioral1/memory/116-37-0x0000000002500000-0x0000000002513000-memory.dmp healer behavioral1/memory/116-36-0x0000000002500000-0x0000000002513000-memory.dmp healer behavioral1/memory/116-33-0x0000000002500000-0x0000000002513000-memory.dmp healer behavioral1/memory/116-31-0x0000000002500000-0x0000000002513000-memory.dmp healer behavioral1/memory/116-29-0x0000000002500000-0x0000000002513000-memory.dmp healer behavioral1/memory/116-27-0x0000000002500000-0x0000000002513000-memory.dmp healer behavioral1/memory/116-25-0x0000000002500000-0x0000000002513000-memory.dmp healer behavioral1/memory/116-23-0x0000000002500000-0x0000000002513000-memory.dmp healer behavioral1/memory/116-22-0x0000000002500000-0x0000000002513000-memory.dmp healer -
Healer family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 65099622.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 65099622.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 65099622.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 65099622.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 65099622.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 65099622.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource yara_rule behavioral1/memory/4644-61-0x00000000023B0000-0x00000000023EC000-memory.dmp family_redline behavioral1/memory/4644-62-0x0000000004A50000-0x0000000004A8A000-memory.dmp family_redline behavioral1/memory/4644-70-0x0000000004A50000-0x0000000004A85000-memory.dmp family_redline behavioral1/memory/4644-82-0x0000000004A50000-0x0000000004A85000-memory.dmp family_redline behavioral1/memory/4644-96-0x0000000004A50000-0x0000000004A85000-memory.dmp family_redline behavioral1/memory/4644-94-0x0000000004A50000-0x0000000004A85000-memory.dmp family_redline behavioral1/memory/4644-92-0x0000000004A50000-0x0000000004A85000-memory.dmp family_redline behavioral1/memory/4644-90-0x0000000004A50000-0x0000000004A85000-memory.dmp family_redline behavioral1/memory/4644-88-0x0000000004A50000-0x0000000004A85000-memory.dmp family_redline behavioral1/memory/4644-86-0x0000000004A50000-0x0000000004A85000-memory.dmp family_redline behavioral1/memory/4644-84-0x0000000004A50000-0x0000000004A85000-memory.dmp family_redline behavioral1/memory/4644-80-0x0000000004A50000-0x0000000004A85000-memory.dmp family_redline behavioral1/memory/4644-78-0x0000000004A50000-0x0000000004A85000-memory.dmp family_redline behavioral1/memory/4644-76-0x0000000004A50000-0x0000000004A85000-memory.dmp family_redline behavioral1/memory/4644-74-0x0000000004A50000-0x0000000004A85000-memory.dmp family_redline behavioral1/memory/4644-72-0x0000000004A50000-0x0000000004A85000-memory.dmp family_redline behavioral1/memory/4644-68-0x0000000004A50000-0x0000000004A85000-memory.dmp family_redline behavioral1/memory/4644-66-0x0000000004A50000-0x0000000004A85000-memory.dmp family_redline behavioral1/memory/4644-64-0x0000000004A50000-0x0000000004A85000-memory.dmp family_redline behavioral1/memory/4644-63-0x0000000004A50000-0x0000000004A85000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 5064 un641977.exe 116 65099622.exe 4644 rk133285.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 65099622.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 65099622.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 1e9f281bf8bdf2e847fefd7a791ca2c70db8f1ad0b4cd5bd5794a842e4d6eb84.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un641977.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2812 116 WerFault.exe 86 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1e9f281bf8bdf2e847fefd7a791ca2c70db8f1ad0b4cd5bd5794a842e4d6eb84.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language un641977.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 65099622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rk133285.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 116 65099622.exe 116 65099622.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 116 65099622.exe Token: SeDebugPrivilege 4644 rk133285.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2936 wrote to memory of 5064 2936 1e9f281bf8bdf2e847fefd7a791ca2c70db8f1ad0b4cd5bd5794a842e4d6eb84.exe 84 PID 2936 wrote to memory of 5064 2936 1e9f281bf8bdf2e847fefd7a791ca2c70db8f1ad0b4cd5bd5794a842e4d6eb84.exe 84 PID 2936 wrote to memory of 5064 2936 1e9f281bf8bdf2e847fefd7a791ca2c70db8f1ad0b4cd5bd5794a842e4d6eb84.exe 84 PID 5064 wrote to memory of 116 5064 un641977.exe 86 PID 5064 wrote to memory of 116 5064 un641977.exe 86 PID 5064 wrote to memory of 116 5064 un641977.exe 86 PID 5064 wrote to memory of 4644 5064 un641977.exe 96 PID 5064 wrote to memory of 4644 5064 un641977.exe 96 PID 5064 wrote to memory of 4644 5064 un641977.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e9f281bf8bdf2e847fefd7a791ca2c70db8f1ad0b4cd5bd5794a842e4d6eb84.exe"C:\Users\Admin\AppData\Local\Temp\1e9f281bf8bdf2e847fefd7a791ca2c70db8f1ad0b4cd5bd5794a842e4d6eb84.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un641977.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un641977.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:116 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 10804⤵
- Program crash
PID:2812
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk133285.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk133285.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4644
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 116 -ip 1161⤵PID:4384
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
535KB
MD503e2d633dd8d3b9d7f1059e4e7ad27c8
SHA1a6edfc39536fc573d3bf0b0799f36eb523e3d347
SHA25664ef312fb4b36559480c2b789aa4f2461e2b01945972a0b624abacb67bba54b1
SHA512ae396667efae35b19f627406e02a1bab24ace858389adef4d5afab2112769859a3586fbf58dc8a5b3aeedaaae75d30e7e9dbaed05ef6e49e6390aee339b6359f
-
Filesize
259KB
MD5f9ab407f187f8e5cf997a132860334b1
SHA1f84ae1c6314d60f4fba8f47709cfa76ab01e5996
SHA256725df5d14ec61c974c129debae9910704b9199dc5ba1c0f70d5275807fca79f6
SHA5121a235d605133d8d12b978196cd1219fcf9209367f3d8af4eaeb01b2211a3c1ee2ce323739893b2882810ab3d8f1ba236282e2a14fa1021413a712ac07ae3ba26
-
Filesize
341KB
MD50b6a05a09e6f6c3c1fa480ad8d174aac
SHA191652bf99cbf223394d716b50184cd060c4bd866
SHA256c3bba445b3160f1aaf80b77a7ac3ec4f36a157eb697a66be8d7f6c544afd77a0
SHA512ac499bd04742c799a99645372b5a5b09b175c6c4284914074604b902ed5b3f57859921e34eb9b0b0f1f629a9240c41f95446ed6432c3da85e5d269a131ae8953