Analysis
max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 05:09
Static task: static1
Behavioral task: behavioral1
Sample: 9fde087367c2d8d1e42603bf60066eb7a7989f85f9a109bd3503bb81b1d2b0ee.exe
Resource: win10v2004-20241007-en
General
Target: 9fde087367c2d8d1e42603bf60066eb7a7989f85f9a109bd3503bb81b1d2b0ee.exe
Size: 642KB
MD5: 71c5c17e2b3996d9665bb891394dc61e
SHA1: 5c98136407fbde573108290f8dea533f48f012fe
SHA256: 9fde087367c2d8d1e42603bf60066eb7a7989f85f9a109bd3503bb81b1d2b0ee
SHA512: 84210685237d4e75a3f954ae69c022e20d9f5dac4207031781a6eb60b26e25e033ab3072d2d772dba1f184afc825489ab2b35526cd142727825afd86ae8850ec
SSDEEP: 12288:3y90hssoBqe2VblPMYlktR1ATNn+k6wvioLEzyOKRYzigAq:3yk2kHbBlG1Ap4oLsygLAq
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper 17 IoCs
resource  yara_rule
behavioral1/memory/3880-15-0x00000000021A0000-0x00000000021BA000-memory.dmp  healer
behavioral1/memory/3880-18-0x00000000023A0000-0x00000000023B8000-memory.dmp  healer
behavioral1/memory/3880-27-0x00000000023A0000-0x00000000023B3000-memory.dmp  healer
behavioral1/memory/3880-33-0x00000000023A0000-0x00000000023B3000-memory.dmp  healer
behavioral1/memory/3880-47-0x00000000023A0000-0x00000000023B3000-memory.dmp  healer
behavioral1/memory/3880-45-0x00000000023A0000-0x00000000023B3000-memory.dmp  healer
behavioral1/memory/3880-43-0x00000000023A0000-0x00000000023B3000-memory.dmp  healer
behavioral1/memory/3880-41-0x00000000023A0000-0x00000000023B3000-memory.dmp  healer
behavioral1/memory/3880-39-0x00000000023A0000-0x00000000023B3000-memory.dmp  healer
behavioral1/memory/3880-37-0x00000000023A0000-0x00000000023B3000-memory.dmp  healer
behavioral1/memory/3880-35-0x00000000023A0000-0x00000000023B3000-memory.dmp  healer
behavioral1/memory/3880-31-0x00000000023A0000-0x00000000023B3000-memory.dmp  healer
behavioral1/memory/3880-29-0x00000000023A0000-0x00000000023B3000-memory.dmp  healer
behavioral1/memory/3880-25-0x00000000023A0000-0x00000000023B3000-memory.dmp  healer
behavioral1/memory/3880-23-0x00000000023A0000-0x00000000023B3000-memory.dmp  healer
behavioral1/memory/3880-21-0x00000000023A0000-0x00000000023B3000-memory.dmp  healer
behavioral1/memory/3880-20-0x00000000023A0000-0x00000000023B3000-memory.dmp  healer
Healer family
Modifies Windows Defender Real-time Protection settings 6 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  61786627.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  61786627.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  61786627.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  61786627.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  61786627.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  61786627.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 21 IoCs
resource  yara_rule
behavioral1/memory/1820-57-0x00000000049E0000-0x0000000004A1C000-memory.dmp  family_redline
behavioral1/memory/1820-58-0x0000000007190000-0x00000000071CA000-memory.dmp  family_redline
behavioral1/memory/1820-66-0x0000000007190000-0x00000000071C5000-memory.dmp  family_redline
behavioral1/memory/1820-70-0x0000000007190000-0x00000000071C5000-memory.dmp  family_redline
behavioral1/memory/1820-68-0x0000000007190000-0x00000000071C5000-memory.dmp  family_redline
behavioral1/memory/1820-88-0x0000000007190000-0x00000000071C5000-memory.dmp  family_redline
behavioral1/memory/1820-74-0x0000000007190000-0x00000000071C5000-memory.dmp  family_redline
behavioral1/memory/1820-64-0x0000000007190000-0x00000000071C5000-memory.dmp  family_redline
behavioral1/memory/1820-62-0x0000000007190000-0x00000000071C5000-memory.dmp  family_redline
behavioral1/memory/1820-60-0x0000000007190000-0x00000000071C5000-memory.dmp  family_redline
behavioral1/memory/1820-59-0x0000000007190000-0x00000000071C5000-memory.dmp  family_redline
behavioral1/memory/1820-94-0x0000000007190000-0x00000000071C5000-memory.dmp  family_redline
behavioral1/memory/1820-92-0x0000000007190000-0x00000000071C5000-memory.dmp  family_redline
behavioral1/memory/1820-90-0x0000000007190000-0x00000000071C5000-memory.dmp  family_redline
behavioral1/memory/1820-86-0x0000000007190000-0x00000000071C5000-memory.dmp  family_redline
behavioral1/memory/1820-84-0x0000000007190000-0x00000000071C5000-memory.dmp  family_redline
behavioral1/memory/1820-82-0x0000000007190000-0x00000000071C5000-memory.dmp  family_redline
behavioral1/memory/1820-80-0x0000000007190000-0x00000000071C5000-memory.dmp  family_redline
behavioral1/memory/1820-78-0x0000000007190000-0x00000000071C5000-memory.dmp  family_redline
behavioral1/memory/1820-76-0x0000000007190000-0x00000000071C5000-memory.dmp  family_redline
behavioral1/memory/1820-72-0x0000000007190000-0x00000000071C5000-memory.dmp  family_redline
Redline family
Executes dropped EXE 3 IoCs
pid  Process
4648  st517171.exe
3880  61786627.exe
1820  kp127099.exe
Windows security modification 2 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  61786627.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  61786627.exe
Adds Run key to start application 2 TTPs 2 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  st517171.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  9fde087367c2d8d1e42603bf60066eb7a7989f85f9a109bd3503bb81b1d2b0ee.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility for controlling services on the system.
pid  Process
228  sc.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  9fde087367c2d8d1e42603bf60066eb7a7989f85f9a109bd3503bb81b1d2b0ee.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  st517171.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  61786627.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  kp127099.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid  Process
3880  61786627.exe
3880  61786627.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description  pid  Process
Token: SeDebugPrivilege  3880  61786627.exe
Token: SeDebugPrivilege  1820  kp127099.exe
Suspicious use of WriteProcessMemory 9 IoCs
description  pid  Process  procid_target
PID 2912 wrote to memory of 4648  2912  9fde087367c2d8d1e42603bf60066eb7a7989f85f9a109bd3503bb81b1d2b0ee.exe  83
PID 2912 wrote to memory of 4648  2912  9fde087367c2d8d1e42603bf60066eb7a7989f85f9a109bd3503bb81b1d2b0ee.exe  83
PID 2912 wrote to memory of 4648  2912  9fde087367c2d8d1e42603bf60066eb7a7989f85f9a109bd3503bb81b1d2b0ee.exe  83
PID 4648 wrote to memory of 3880  4648  st517171.exe  84
PID 4648 wrote to memory of 3880  4648  st517171.exe  84
PID 4648 wrote to memory of 3880  4648  st517171.exe  84
PID 4648 wrote to memory of 1820  4648  st517171.exe  92
PID 4648 wrote to memory of 1820  4648  st517171.exe  92
PID 4648 wrote to memory of 1820  4648  st517171.exe  92
Processes
C:\Users\Admin\AppData\Local\Temp\9fde087367c2d8d1e42603bf60066eb7a7989f85f9a109bd3503bb81b1d2b0ee.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\9fde087367c2d8d1e42603bf60066eb7a7989f85f9a109bd3503bb81b1d2b0ee.exe"
PID: 2912
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st517171.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st517171.exe
    PID: 4648
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\61786627.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\61786627.exe
        PID: 3880
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp127099.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp127099.exe
        PID: 1820
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\sc.exe
Command line: C:\Windows\system32\sc.exe start wuauserv
PID: 228
- Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
Filesize: 488KB
MD5: 559ade812b4be58df5d5134c3efefbd3
SHA1: c5521ecc4d46b80e7aa3ecfa7aac9b272d5f98f1
SHA256: 1c1bfb42c443a1a989ce5c44cf4121d30e579f1e8d517f0d8fe03bfc45aba7a5
SHA512: 3f30e1cbeeaa46b8930dde9e064f0380069c1dbed186929c3db5bdf4c9c93f2f138d2987d4dd03d1fbba93a408ee2a6f1cbc9d2753c7e4f175fe9e1ee77a12dd

Filesize: 176KB
MD5: 2b71f4b18ac8214a2bff547b6ce2f64f
SHA1: b8f2f25139a7b2e8d5e8fbc024eb5cac518bc6a5
SHA256: f7eedf3aec775a62c265d1652686b30a8a45a953523e2fb3cfc1fac3c6a66fbc
SHA512: 33518eff768610bf54f9888d9d0d746b0c3500dc5f2b8fd5f1641d5a264f657a8311b40364f70932512581183b244fec3feb535e21c13e0ec8adec9994175177

Filesize: 340KB
MD5: 3b995ebf43941b8e36e7d510c45d1e93
SHA1: 0547f65441345cff047c718a99147aed621b4c5a
SHA256: b1714d9518edccd93625584dc847533d4be21bfb5f364c380477a87a9885c188
SHA512: 7916870e964a58f3db7ccbe2cbbb86cb0816a61ba25955c549094dd2f7d961d407c0d358d53ca5a0615273e5cee8d3aca2781350100170d911167fecb77d3b47