Analysis
max time kernel: 142s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 05:13
Static task: static1
Behavioral task: behavioral1
Sample: d70d95d8d7c093420360473acd66734804bac2cb293c6cd44bfbf28b566d8741.exe
Resource: win10v2004-20241007-en
General
Target: d70d95d8d7c093420360473acd66734804bac2cb293c6cd44bfbf28b566d8741.exe
Size: 1.1MB
MD5: 9b0231c2ac7793c8b0631d9f61df9c38
SHA1: fa153373de7c5e4db632e15e52c803d0f0b816de
SHA256: d70d95d8d7c093420360473acd66734804bac2cb293c6cd44bfbf28b566d8741
SHA512: 038e2a982722edb1bd0d8d33e7a107d9058eacd8f059350dbe150de1c41f85dd3037a668bdae009e61b0dc0304a209e5675754d814cbc13bebe05026eb8c5885
SSDEEP: 24576:5yvAQp/xkvGN7bYH0fAZ0ph4rFyfBi/vvjWjzFZNQZirjQ:svZ/Y+w056yCvvjWjzFYZ
Malware Config

Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr789810.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr789810.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr789810.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr789810.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr789810.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr789810.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
Redline family

Executes dropped EXE (4 IoCs)
pid | Process
908 | un220004.exe
3436 | un146519.exe
4784 | pr789810.exe
2744 | qu786991.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr789810.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr789810.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | un146519.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | d70d95d8d7c093420360473acd66734804bac2cb293c6cd44bfbf28b566d8741.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un220004.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
3044 | 4784 | WerFault.exe | 85
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un220004.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un146519.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pr789810.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu786991.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d70d95d8d7c093420360473acd66734804bac2cb293c6cd44bfbf28b566d8741.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4784 | pr789810.exe
4784 | pr789810.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4784 | pr789810.exe
Token: SeDebugPrivilege | 2744 | qu786991.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 1672 wrote to memory of 908 | 1672 | d70d95d8d7c093420360473acd66734804bac2cb293c6cd44bfbf28b566d8741.exe | 83
PID 1672 wrote to memory of 908 | 1672 | d70d95d8d7c093420360473acd66734804bac2cb293c6cd44bfbf28b566d8741.exe | 83
PID 1672 wrote to memory of 908 | 1672 | d70d95d8d7c093420360473acd66734804bac2cb293c6cd44bfbf28b566d8741.exe | 83
PID 908 wrote to memory of 3436 | 908 | un220004.exe | 84
PID 908 wrote to memory of 3436 | 908 | un220004.exe | 84
PID 908 wrote to memory of 3436 | 908 | un220004.exe | 84
PID 3436 wrote to memory of 4784 | 3436 | un146519.exe | 85
PID 3436 wrote to memory of 4784 | 3436 | un146519.exe | 85
PID 3436 wrote to memory of 4784 | 3436 | un146519.exe | 85
PID 3436 wrote to memory of 2744 | 3436 | un146519.exe | 96
PID 3436 wrote to memory of 2744 | 3436 | un146519.exe | 96
PID 3436 wrote to memory of 2744 | 3436 | un146519.exe | 96
Processes

C:\Users\Admin\AppData\Local\Temp\d70d95d8d7c093420360473acd66734804bac2cb293c6cd44bfbf28b566d8741.exe  (depth 1, PID 1672)
  command line: "C:\Users\Admin\AppData\Local\Temp\d70d95d8d7c093420360473acd66734804bac2cb293c6cd44bfbf28b566d8741.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un220004.exe  (depth 2, PID 908)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un220004.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un146519.exe  (depth 3, PID 3436)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un146519.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr789810.exe  (depth 4, PID 4784)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr789810.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WerFault.exe  (depth 5, PID 3044)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 1084
          - Program crash

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu786991.exe  (depth 4, PID 2744)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu786991.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe  (depth 1, PID 4844)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4784 -ip 4784
Network

MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

Filesize: 764KB
MD5: 511411a595752d02e20dbec6abe3f9ac
SHA1: 17df855b11d331bcd024b52063cd9c2f3703d2aa
SHA256: d395aaf1047416141dd7a7f9418677d2e2f5e65ef2381e853fcc11aa292441d2
SHA512: bef99ebec7d911cb41004740bdfc201f08dcbecde4b15f86d77222ada2a4f30f2a0c50e375252a3aa1e4c1083cabb526d6f9f44f000501bd091779f92a16f835

Filesize: 610KB
MD5: 791e01a35ec1f192d5cc4349e3b0d538
SHA1: 7a4b5707760e41071508556f5da2b78834b7da03
SHA256: 0be5e9a99e80dcc204d74ad862f3e1d824f3e24102a752b31159a172b992e5d8
SHA512: 57d69a3e32a2449a3aa50efe13c3f83a597e9d3b1e3010259de441d077671c1aa049e825af73a799b491cfd931c03d08a209dd905dc47020a0bccebc8e041a1b

Filesize: 405KB
MD5: 2d745439b8b6369645d97972f21a2a8e
SHA1: c27ead179540d6fc376dcdecc0003bfe982b5ebe
SHA256: 331956cc68194fcc1c0f669267cf629383ff775bc9c7691ba0199e966336704c
SHA512: 4304080b97bdc6011167743d4f0846c2b6ea69e13b67cfff8cf9bd25414aa4dcaac44450857055a82bd007730556cda41f4ebe968c45416fde12f89182fe057a

Filesize: 488KB
MD5: b9911a6b36463e589a58133f666de0df
SHA1: 569656d43fb38cb5f7b850f03ef7dfab0383fc9c
SHA256: 0b8be1f8b0dae28c678bbe33b98593e8cb513cabe90ceedcfe572a9b26166846
SHA512: b7bb50d4c71cf4d25d96998f01094c6ac5bee08145507c77d03968366946dbb186d4b7b86c043defdfd25d92b74576b428be1a70449d976c4842763c9a1c63c1