Analysis
- max time kernel: 143s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 05:02
- Static task: static1
- Behavioral task: behavioral1
- Sample: 11757171d81d68b3fa7ae27b728226a72f5325d7832144d90bdbfeadcb13cc15.exe
- Resource: win10v2004-20241007-en

General
- Target: 11757171d81d68b3fa7ae27b728226a72f5325d7832144d90bdbfeadcb13cc15.exe
- Size: 707KB
- MD5: 22aadc07afbbf4fdde103fc299302bfb
- SHA1: ee1ad89828658d994dd5cf04651f2dc379994f9d
- SHA256: 11757171d81d68b3fa7ae27b728226a72f5325d7832144d90bdbfeadcb13cc15
- SHA512: d52937d076d262c71c3e16cd9f0108a2233dce7718fcdc357049e3b2490737b9aa9120314ae1dc10f5e0d61626a835083b42c6319cc4f9342f97b99628040b8f
- SSDEEP: 12288:Wy902w3CCOFspn5YvF3YbQjxdcfqz1dJWjmu8V8TdnyvmqgZxA7klTUpqQq:WyqjOFspn5W3YbIbcfqxd0KueIyDEt9T
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs, YARA rule "healer" matched on memory dumps of PID 3104)
Healer family

Modifies Windows Defender Real-time Protection settings (process: 87138786.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs, YARA rule "family_redline" matched on memory dumps of PID 2908)
RedLine family

Executes dropped EXE (3 IoCs)
- PID 4216: un069467.exe
- PID 3104: 87138786.exe
- PID 2908: rk734429.exe
Windows security modification (process: 87138786.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
When Tamper Protection is enabled, Defender ignores registry writes to its protection settings, so detection should key on the write attempts to these paths (for example Sysmon Event ID 13, registry value set) rather than on whether the setting actually changed.
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 11757171d81d68b3fa7ae27b728226a72f5325d7832144d90bdbfeadcb13cc15.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: un069467.exe)
The wextract_cleanupN RunOnce entries and the IXP00N.TMP directories are the standard artifacts of a wextract (IExpress-style) self-extracting package scheduling deletion of its temporary extraction folder; they identify the packaging format rather than a persistence mechanism of the payload itself.
Program crash (1 IoC)
- PID 3800 (WerFault.exe) handled the crash of target PID 3104 (87138786.exe)
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 11757171d81d68b3fa7ae27b728226a72f5325d7832144d90bdbfeadcb13cc15.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: un069467.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 87138786.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: rk734429.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 3104: 87138786.exe
- PID 3104: 87138786.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 3104 (87138786.exe)
- Token: SeDebugPrivilege, PID 2908 (rk734429.exe)

Suspicious use of WriteProcessMemory (9 IoCs)
- PID 4212 (11757171d81d68b3fa7ae27b728226a72f5325d7832144d90bdbfeadcb13cc15.exe) wrote to memory of PID 4216 (three times)
- PID 4216 (un069467.exe) wrote to memory of PID 3104 (three times)
- PID 4216 (un069467.exe) wrote to memory of PID 2908 (three times)
Processes
- C:\Users\Admin\AppData\Local\Temp\11757171d81d68b3fa7ae27b728226a72f5325d7832144d90bdbfeadcb13cc15.exe (PID 4212)
  Command line: "C:\Users\Admin\AppData\Local\Temp\11757171d81d68b3fa7ae27b728226a72f5325d7832144d90bdbfeadcb13cc15.exe"
  Signatures: Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un069467.exe (PID 4216)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un069467.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\87138786.exe (PID 3104)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\87138786.exe
      Signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 3800)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 1080
        Signatures: Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk734429.exe (PID 2908)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk734429.exe
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 2312)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3104 -ip 3104
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)
Downloads
- Three dropped files, of 553KB, 258KB and 353KB.