Analysis
max time kernel
138s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
09/11/2024, 05:07
Static task
static1
Behavioral task
behavioral1
Sample
113bcc9f97fd2df2cbe7ee37775e8995f57f2191d8612c78f2dcc9d821071462.exe
Resource
win10v2004-20241007-en
General
Target
113bcc9f97fd2df2cbe7ee37775e8995f57f2191d8612c78f2dcc9d821071462.exe
Size
1.5MB
MD5
09339deecba900bf3bc4888bea1a262a
SHA1
9d6aa4b7abb8ee3d4fb2f6e13972d56a7854a3bd
SHA256
113bcc9f97fd2df2cbe7ee37775e8995f57f2191d8612c78f2dcc9d821071462
SHA512
da282a5d3a7ce2faba428fb4b15fc472e09e19ed16b6dd9fcb156f3145ab014dc9e36bc17a9f8c4fa860bbb0ca6d775a10a2ec4940eefccc3b64829c97a0a37c
SSDEEP
24576:dyJaPda0RCXzPWmi4Y5p/56N1VxMJ7a1AnrhdHf5tRaJyLgX8c7z3:4JafwXbWmC0IJ71r/Hf5eggX84
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
resource yara_rule
behavioral1/memory/2012-36-0x00000000025C0000-0x00000000025DA000-memory.dmp healer
behavioral1/memory/2012-38-0x0000000005270000-0x0000000005288000-memory.dmp healer
behavioral1/memory/2012-60-0x0000000005270000-0x0000000005282000-memory.dmp healer
behavioral1/memory/2012-66-0x0000000005270000-0x0000000005282000-memory.dmp healer
behavioral1/memory/2012-64-0x0000000005270000-0x0000000005282000-memory.dmp healer
behavioral1/memory/2012-62-0x0000000005270000-0x0000000005282000-memory.dmp healer
behavioral1/memory/2012-58-0x0000000005270000-0x0000000005282000-memory.dmp healer
behavioral1/memory/2012-56-0x0000000005270000-0x0000000005282000-memory.dmp healer
behavioral1/memory/2012-54-0x0000000005270000-0x0000000005282000-memory.dmp healer
behavioral1/memory/2012-52-0x0000000005270000-0x0000000005282000-memory.dmp healer
behavioral1/memory/2012-50-0x0000000005270000-0x0000000005282000-memory.dmp healer
behavioral1/memory/2012-48-0x0000000005270000-0x0000000005282000-memory.dmp healer
behavioral1/memory/2012-46-0x0000000005270000-0x0000000005282000-memory.dmp healer
behavioral1/memory/2012-45-0x0000000005270000-0x0000000005282000-memory.dmp healer
behavioral1/memory/2012-42-0x0000000005270000-0x0000000005282000-memory.dmp healer
behavioral1/memory/2012-41-0x0000000005270000-0x0000000005282000-memory.dmp healer
behavioral1/memory/2012-39-0x0000000005270000-0x0000000005282000-memory.dmp healer
Healer family
Modifies Windows Defender Real-time Protection settings
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a3992228.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a3992228.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection a3992228.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a3992228.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a3992228.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a3992228.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (2 IoCs)
resource yara_rule
behavioral1/files/0x000a000000023b90-71.dat family_redline
behavioral1/memory/384-73-0x0000000000670000-0x0000000000698000-memory.dmp family_redline
Redline family
Executes dropped EXE (6 IoCs)
pid Process
3944 v1330328.exe
2136 v2367841.exe
2084 v5881942.exe
592 v2100259.exe
2012 a3992228.exe
384 b7585554.exe
Windows security modification
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features a3992228.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" a3992228.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" v2100259.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 113bcc9f97fd2df2cbe7ee37775e8995f57f2191d8612c78f2dcc9d821071462.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" v1330328.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" v2367841.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" v5881942.exe
Program crash (1 IoC)
pid pid_target Process procid_target
4596 2012 WerFault.exe 92
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a3992228.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b7585554.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 113bcc9f97fd2df2cbe7ee37775e8995f57f2191d8612c78f2dcc9d821071462.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language v1330328.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language v2367841.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language v5881942.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language v2100259.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid Process
2012 a3992228.exe
2012 a3992228.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description pid Process
Token: SeDebugPrivilege 2012 a3992228.exe
Suspicious use of WriteProcessMemory (18 IoCs)
description pid Process procid_target
PID 3628 wrote to memory of 3944 3628 113bcc9f97fd2df2cbe7ee37775e8995f57f2191d8612c78f2dcc9d821071462.exe 87
PID 3628 wrote to memory of 3944 3628 113bcc9f97fd2df2cbe7ee37775e8995f57f2191d8612c78f2dcc9d821071462.exe 87
PID 3628 wrote to memory of 3944 3628 113bcc9f97fd2df2cbe7ee37775e8995f57f2191d8612c78f2dcc9d821071462.exe 87
PID 3944 wrote to memory of 2136 3944 v1330328.exe 88
PID 3944 wrote to memory of 2136 3944 v1330328.exe 88
PID 3944 wrote to memory of 2136 3944 v1330328.exe 88
PID 2136 wrote to memory of 2084 2136 v2367841.exe 90
PID 2136 wrote to memory of 2084 2136 v2367841.exe 90
PID 2136 wrote to memory of 2084 2136 v2367841.exe 90
PID 2084 wrote to memory of 592 2084 v5881942.exe 91
PID 2084 wrote to memory of 592 2084 v5881942.exe 91
PID 2084 wrote to memory of 592 2084 v5881942.exe 91
PID 592 wrote to memory of 2012 592 v2100259.exe 92
PID 592 wrote to memory of 2012 592 v2100259.exe 92
PID 592 wrote to memory of 2012 592 v2100259.exe 92
PID 592 wrote to memory of 384 592 v2100259.exe 108
PID 592 wrote to memory of 384 592 v2100259.exe 108
PID 592 wrote to memory of 384 592 v2100259.exe 108
Processes
C:\Users\Admin\AppData\Local\Temp\113bcc9f97fd2df2cbe7ee37775e8995f57f2191d8612c78f2dcc9d821071462.exe
"C:\Users\Admin\AppData\Local\Temp\113bcc9f97fd2df2cbe7ee37775e8995f57f2191d8612c78f2dcc9d821071462.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3628
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1330328.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1330328.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3944
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2367841.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2367841.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2136
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5881942.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5881942.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:2084
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2100259.exe
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2100259.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID:592
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3992228.exe
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3992228.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:2012
            C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1084
            - Program crash
            PID:4596
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7585554.exe
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7585554.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID:384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2012 -ip 2012
PID:4668
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Create or Modify System Process (1)
Windows Service (1)
Downloads
Filesize
1.4MB
MD5
d4d8f870ecf9e69e9c405b47fdcda268
SHA1
faad9a2a1eb3f602a5e7bfee973d3db2a5ed476a
SHA256
19846a7785d22579dcb18fec28223cedd3e2b46922767c04bed28d57117c220b
SHA512
c232a4386b2cf5bb0bc741207eb50c38d4c2df93a3ef9d3f689c93be91d587cef85ece155d1562c53306410ae07712d99f98c557e0eb706c88c5d50cb30b70d1

Filesize
917KB
MD5
627f3c39937e02cb4e048626961e627a
SHA1
9373be8fa486a68754a9e5b87d1e722f8c593648
SHA256
b04d680e563273c7193e3729644e790424a42c6807026c3353eabce4f6a942f8
SHA512
67b2b0054f2e4ebf094fed6c01e6b6b71851244c536b0ebee4cbc9ac25938236a6ba517c270a7f5cbe16ed1d78a7083297deb6e7cd671f58c3932d211bb1e02e

Filesize
713KB
MD5
95f688562a7042a4cf90e70bd93617db
SHA1
ee113f41bffcd799d3c8f653366d4a64d6aeeb4e
SHA256
1f1ee0c9db4dfac5a51f3ae9a3d80212c19f298ac6c1a3836fb4a628e05028fd
SHA512
f52045a92264c0e4bdd11f3cec6e0257288d394e5c60c1698913efca88126b8936a1161e28340a235bfc7e44af9ddaa27bcd694cdf216c745afdfff3ec729cdd

Filesize
422KB
MD5
cf6f3c91a4e075d6c1ffecca5466d842
SHA1
1eebca4db66d2eac1d4a3fe5f962e5c8edbcab99
SHA256
a8e54971abd924cc51e5f16355571c26570a4b4aca496434ff1913fbe5e59e78
SHA512
0c574168653d01d850e7aa7330998d0620f8939f7be217b750454d6b1b9f940ab7fba17984db8a0fd9d3c8a04370f7ef6c6a9c2561556a06e779427a472d4cf4

Filesize
371KB
MD5
fbb118fce1aeb1efb4e4b56accf9e85e
SHA1
f59f8ae13091a8bc0cfc1e30b394768dfe8e0933
SHA256
8e4d45d1483489278182540d674958066eed946467b60c1754b3bf36d4f85a5a
SHA512
1b3f69b9483f2491611bdcaf1013040dd963b872731a57faeba368be0804d5755d127d7b9c9ea0490774acc93688615b32dfb234af7d4fe393c41db57a8cbe0b

Filesize
136KB
MD5
cd6d8fdd78333896419f34beafc742f6
SHA1
69228e04efbb4492a246dd6a2a4132523054e136
SHA256
3bac2ead57563639f242521dd5e8b934cb68bf595a93086a0ad1978f68969651
SHA512
ab8e21dd7f1cfb57288fddb064266d46b3c595e97a5568c993561ca9dc87113f5bdb2974b1d179522a0d57822d972cf2870db759ef241ed4dadcbf6a09525302