Analysis
-
max time kernel
139s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 05:04
Static task
static1
Behavioral task
behavioral1
Sample
758e36f0b6920f57a3b0b43b6f3a6f217895a19e43b42e440135857aa759fb9e.exe
Resource
win10v2004-20241007-en
General
-
Target
758e36f0b6920f57a3b0b43b6f3a6f217895a19e43b42e440135857aa759fb9e.exe
-
Size
479KB
-
MD5
92f35a184864d794c21f6563cf89c024
-
SHA1
1657a6ede4e9bd80c79da934ae924d55e646dd5b
-
SHA256
758e36f0b6920f57a3b0b43b6f3a6f217895a19e43b42e440135857aa759fb9e
-
SHA512
e6c4fbb3e03edaacf8f0838e87b301bcca6aa0f7451ac367e047d33332d12e44d1c2e37c76ed3920034dd4e73741c870b406a51512f6c26282612c4b0a431743
-
SSDEEP
12288:XMr9y900FrS6lQd+TeeQbmyzb+dZQzBzKOqfIqh1Ii8E1:CybFrS6lQdb1zadZQzcOqfznIi86
Malware Config
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/1932-15-0x00000000021A0000-0x00000000021BA000-memory.dmp healer behavioral1/memory/1932-18-0x0000000002270000-0x0000000002288000-memory.dmp healer behavioral1/memory/1932-47-0x0000000002270000-0x0000000002282000-memory.dmp healer behavioral1/memory/1932-43-0x0000000002270000-0x0000000002282000-memory.dmp healer behavioral1/memory/1932-41-0x0000000002270000-0x0000000002282000-memory.dmp healer behavioral1/memory/1932-39-0x0000000002270000-0x0000000002282000-memory.dmp healer behavioral1/memory/1932-37-0x0000000002270000-0x0000000002282000-memory.dmp healer behavioral1/memory/1932-35-0x0000000002270000-0x0000000002282000-memory.dmp healer behavioral1/memory/1932-33-0x0000000002270000-0x0000000002282000-memory.dmp healer behavioral1/memory/1932-31-0x0000000002270000-0x0000000002282000-memory.dmp healer behavioral1/memory/1932-29-0x0000000002270000-0x0000000002282000-memory.dmp healer behavioral1/memory/1932-27-0x0000000002270000-0x0000000002282000-memory.dmp healer behavioral1/memory/1932-25-0x0000000002270000-0x0000000002282000-memory.dmp healer behavioral1/memory/1932-23-0x0000000002270000-0x0000000002282000-memory.dmp healer behavioral1/memory/1932-21-0x0000000002270000-0x0000000002282000-memory.dmp healer behavioral1/memory/1932-20-0x0000000002270000-0x0000000002282000-memory.dmp healer behavioral1/memory/1932-45-0x0000000002270000-0x0000000002282000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" k7578256.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" k7578256.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" k7578256.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" k7578256.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" k7578256.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection k7578256.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/files/0x0031000000023b7f-54.dat family_redline behavioral1/memory/1620-56-0x0000000000810000-0x0000000000838000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 2304 y0548186.exe 1932 k7578256.exe 1620 l1375229.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features k7578256.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" k7578256.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 758e36f0b6920f57a3b0b43b6f3a6f217895a19e43b42e440135857aa759fb9e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" y0548186.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 758e36f0b6920f57a3b0b43b6f3a6f217895a19e43b42e440135857aa759fb9e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language y0548186.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k7578256.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language l1375229.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1932 k7578256.exe 1932 k7578256.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1932 k7578256.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1100 wrote to memory of 2304 1100 758e36f0b6920f57a3b0b43b6f3a6f217895a19e43b42e440135857aa759fb9e.exe 83 PID 1100 wrote to memory of 2304 1100 758e36f0b6920f57a3b0b43b6f3a6f217895a19e43b42e440135857aa759fb9e.exe 83 PID 1100 wrote to memory of 2304 1100 758e36f0b6920f57a3b0b43b6f3a6f217895a19e43b42e440135857aa759fb9e.exe 83 PID 2304 wrote to memory of 1932 2304 y0548186.exe 84 PID 2304 wrote to memory of 1932 2304 y0548186.exe 84 PID 2304 wrote to memory of 1932 2304 y0548186.exe 84 PID 2304 wrote to memory of 1620 2304 y0548186.exe 92 PID 2304 wrote to memory of 1620 2304 y0548186.exe 92 PID 2304 wrote to memory of 1620 2304 y0548186.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\758e36f0b6920f57a3b0b43b6f3a6f217895a19e43b42e440135857aa759fb9e.exe"C:\Users\Admin\AppData\Local\Temp\758e36f0b6920f57a3b0b43b6f3a6f217895a19e43b42e440135857aa759fb9e.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0548186.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0548186.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7578256.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7578256.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1932
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1375229.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1375229.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1620
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
307KB
MD5f2135ae35446adb296e45b563e8ea95f
SHA16cfa21a42af381ed44c5885c16c095e57b6c6880
SHA2568a19314234a24bbd87e1eb351403ca5cd067f313383763f6a544ffebe6d81688
SHA512b227693e204d5f87bc1ce1680062ddc921a61116571a37b3a3cdc0b4ad9bf80046cb2e4ebbff1da32b69964715d23dbaf7d95265dc869252f78726b47e293dd0
-
Filesize
175KB
MD520e0ddd55ed3dc015658737d2eeaf494
SHA175d92d2a1bb6dc287b81d00a2aed0e41c058f906
SHA256a8a357cb1d84123cf0ccc1945f660cff594900dc7ea14489d392a0556633733a
SHA512e5e7f0c676c8598adb13da85b7879f51ff37bff9abc200accf5ad4d85851b728ff76c423ab459123064cbadf408b33b2d07845fa4ad7f6acde37b0bda96cb557
-
Filesize
136KB
MD5fb35c5c86da33ce45453cf6618bbfedb
SHA1c93d8cca5dab3402cfcf59c68c6befe101b8bf7f
SHA256bbc888b7381f3d04c73cf7f81c6c46bf30532ab13f2f2c2531774ac39624a8ac
SHA5124e09207eda58133ca53bd871e51a1d21496596613a9c8f7e6e9a63e913fedb96abc584a91cfdc28c78712dbe2235a83f884b1c26e6cc860be6d6508928c34852