Analysis
max time kernel: 142s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 05:16
Static task: static1
Behavioral task: behavioral1
Sample: b7966ff9361f4f72114a0db06f8a553aa80d0ae5ccc0de6e166afeebce0be35d.exe
Resource: win10v2004-20241007-en
General
Target: b7966ff9361f4f72114a0db06f8a553aa80d0ae5ccc0de6e166afeebce0be35d.exe
Size: 746KB
MD5: be3f21c5b92fe29d5cbd639d2d53c62a
SHA1: 531dd08dd21014b55733d26f4ccfe4717b8b8482
SHA256: b7966ff9361f4f72114a0db06f8a553aa80d0ae5ccc0de6e166afeebce0be35d
SHA512: 088efdf067889583b5b97ac4da399eb51350292661d3f82e2ef783d7df2fd92c39b150c476a64338029273d2c82503cb83a9376fc803516a41c97c393a8a679a
SSDEEP: 12288:Hy90Cor0JBuAkjE4vbv3roqPTgDLq0UfwBaXD6:HywQJBjkhvbv3cqP10UfwBy6
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper 17 IoCs
resource yara_rule
behavioral1/memory/2648-19-0x0000000000B80000-0x0000000000B9A000-memory.dmp healer
behavioral1/memory/2648-21-0x00000000026C0000-0x00000000026D8000-memory.dmp healer
behavioral1/memory/2648-23-0x00000000026C0000-0x00000000026D2000-memory.dmp healer
behavioral1/memory/2648-49-0x00000000026C0000-0x00000000026D2000-memory.dmp healer
behavioral1/memory/2648-47-0x00000000026C0000-0x00000000026D2000-memory.dmp healer
behavioral1/memory/2648-46-0x00000000026C0000-0x00000000026D2000-memory.dmp healer
behavioral1/memory/2648-43-0x00000000026C0000-0x00000000026D2000-memory.dmp healer
behavioral1/memory/2648-41-0x00000000026C0000-0x00000000026D2000-memory.dmp healer
behavioral1/memory/2648-40-0x00000000026C0000-0x00000000026D2000-memory.dmp healer
behavioral1/memory/2648-37-0x00000000026C0000-0x00000000026D2000-memory.dmp healer
behavioral1/memory/2648-35-0x00000000026C0000-0x00000000026D2000-memory.dmp healer
behavioral1/memory/2648-33-0x00000000026C0000-0x00000000026D2000-memory.dmp healer
behavioral1/memory/2648-31-0x00000000026C0000-0x00000000026D2000-memory.dmp healer
behavioral1/memory/2648-25-0x00000000026C0000-0x00000000026D2000-memory.dmp healer
behavioral1/memory/2648-22-0x00000000026C0000-0x00000000026D2000-memory.dmp healer
behavioral1/memory/2648-29-0x00000000026C0000-0x00000000026D2000-memory.dmp healer
behavioral1/memory/2648-27-0x00000000026C0000-0x00000000026D2000-memory.dmp healer
Healer family
Modifies Windows Defender Real-time Protection settings 6 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 48608722.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 48608722.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 48608722.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 48608722.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 48608722.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 48608722.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 20 IoCs
resource yara_rule
behavioral1/memory/4176-61-0x0000000002680000-0x00000000026BC000-memory.dmp family_redline
behavioral1/memory/4176-62-0x0000000002990000-0x00000000029CA000-memory.dmp family_redline
behavioral1/memory/4176-68-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline
behavioral1/memory/4176-82-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline
behavioral1/memory/4176-96-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline
behavioral1/memory/4176-94-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline
behavioral1/memory/4176-92-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline
behavioral1/memory/4176-91-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline
behavioral1/memory/4176-88-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline
behavioral1/memory/4176-86-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline
behavioral1/memory/4176-85-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline
behavioral1/memory/4176-80-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline
behavioral1/memory/4176-79-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline
behavioral1/memory/4176-76-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline
behavioral1/memory/4176-74-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline
behavioral1/memory/4176-72-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline
behavioral1/memory/4176-70-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline
behavioral1/memory/4176-66-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline
behavioral1/memory/4176-64-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline
behavioral1/memory/4176-63-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline
RedLine family
Executes dropped EXE 3 IoCs
pid Process
3100 un134238.exe
2648 48608722.exe
4176 rk964611.exe
Windows security modification 2 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 48608722.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 48608722.exe
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" b7966ff9361f4f72114a0db06f8a553aa80d0ae5ccc0de6e166afeebce0be35d.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un134238.exe
Both values are the cleanup hook that the WEXTRACT (IExpress-style) self-extractor stub registers for its own IXP00n.TMP extraction directory: at the next logon rundll32 calls advpack.dll's DelNodeRunDLL32 to delete that directory. The outer sample and un134238.exe each register one because each is such a self-extractor. Neither entry launches the dropped payloads, so this signature reflects the packaging rather than payload persistence.
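The Defender policy writes, the TamperProtection write and the RunOnce entries listed above are the registry activity a detection would key on. The following Python is an added example and is not part of this report or of the sandbox that produced it: it parses IoC lines in exactly the format the report prints (copies of five of the lines above are embedded as sample input) and classifies each write the way the report's signatures do, flagging the Real-Time Protection values set to 1 (ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools), TamperProtection set to 0, and Run/RunOnce values, where it separates the WEXTRACT cleanup command (rundll32 advpack.dll,DelNodeRunDLL32 on the IXP temp directory) from a genuine autostart entry. The event field names, the Finding class and the category labels are assumptions for illustration; the path patterns match with or without the WOW6432Node component.

```python
"""Added example (not part of the sandbox report): classify registry IoC
lines from a Healer/RedLine run the way the report's signatures do."""
import re
from dataclasses import dataclass
from typing import Optional

# Line formats as printed in the report: 'Set value (int|str) <path> = "<data>" <proc>'
# and 'Key created|opened <path> <proc>'. Paths may contain spaces, so the path
# group is non-greedy and the process name is the final whitespace-free token.
IOC_SET_RE = re.compile(r'^Set value \((int|str)\) (.+?) = "(.*)" (\S+)$')
IOC_KEY_RE = re.compile(r'^Key (created|opened) (.+) (\S+)$')

RTP_VALUE_RE = re.compile(
    r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\([^\\]+)$", re.I)
TAMPER_RE = re.compile(r"\\Microsoft\\Windows Defender\\Features\\TamperProtection$", re.I)
DEFENDER_KEY_RE = re.compile(r"\\Windows Defender\\", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
# WEXTRACT self-extractor cleanup: rundll32 advpack.dll,DelNodeRunDLL32 "<dir>"
WEXTRACT_RE = re.compile(r'rundll32\.exe\s+\S*advpack\.dll,DelNodeRunDLL32\s+"([^"]+)"', re.I)

# Real-Time Protection policy values that Healer sets to 1 (all five appear in the report).
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring", "DisableIOAVProtection", "DisableOnAccessProtection",
    "DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable",
}


@dataclass(frozen=True)
class Finding:  # assumed result type, not something the sandbox emits
    category: str
    process: str
    detail: str


def _unescape(s: str) -> str:
    # Undo the \" and \\ escaping the report applies inside string data.
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s) and s[i + 1] in '\\"':
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_ioc_line(line: str) -> dict:
    """Turn one report IoC line into an event dict (field names are assumptions)."""
    m = IOC_SET_RE.match(line)
    if m:
        _kind, target, data, proc = m.groups()
        return {"op": "set", "target": target, "data": _unescape(data), "process": proc}
    m = IOC_KEY_RE.match(line)
    if m:
        op = "create" if m.group(1) == "created" else "open"
        return {"op": op, "target": m.group(2), "data": "", "process": m.group(3)}
    raise ValueError(f"unrecognised IoC line: {line!r}")


def classify(ev: dict) -> Optional[Finding]:
    target, data, proc = ev["target"], ev["data"], ev["process"]
    if ev["op"] == "set":
        m = RTP_VALUE_RE.search(target)
        if m and m.group(1) in RTP_DISABLE_VALUES and data == "1":
            return Finding("defender_rtp_disabled", proc, m.group(1))
        if TAMPER_RE.search(target) and data == "0":
            return Finding("defender_tamper_protection_off", proc, "TamperProtection=0")
        m = RUN_KEY_RE.search(target)
        if m:
            w = WEXTRACT_RE.search(data)
            if w:  # deletes the IXP temp directory at next logon; not payload persistence
                return Finding("wextract_cleanup", proc, w.group(1))
            return Finding(f"autostart_{m.group(1).lower()}", proc, f"{m.group(2)}={data}")
    elif ev["op"] == "create" and DEFENDER_KEY_RE.search(target):
        return Finding("defender_key_created", proc, target.rsplit("\\", 1)[-1])
    return None  # "Key opened" and unrelated writes produce no finding


def analyze(lines) -> list:
    return [f for f in (classify(parse_ioc_line(ln)) for ln in lines) if f]


# Sample input: IoC lines copied verbatim from this report.
REPORT_LINES = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 48608722.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 48608722.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 48608722.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 48608722.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" b7966ff9361f4f72114a0db06f8a553aa80d0ae5ccc0de6e166afeebce0be35d.exe',
]

if __name__ == "__main__":
    for f in analyze(REPORT_LINES):
        print(f"{f.category:32} {f.process:20} {f.detail}")
```

Run it as a script to print one line per finding; the same logic applies to live registry-write telemetry (Sysmon Event ID 13, for instance) once the target path and value data are mapped onto the event dict, with the caveat that a host with Defender Tamper Protection enabled will reject the writes this sample attempts rather than record them as successful.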
Program crash 1 IoCs
pid pid_target Process procid_target
4548 2648 WerFault.exe 86
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b7966ff9361f4f72114a0db06f8a553aa80d0ae5ccc0de6e166afeebce0be35d.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language un134238.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48608722.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rk964611.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
2648 48608722.exe
2648 48608722.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeDebugPrivilege 2648 48608722.exe
Token: SeDebugPrivilege 4176 rk964611.exe
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target
PID 4296 wrote to memory of 3100 4296 b7966ff9361f4f72114a0db06f8a553aa80d0ae5ccc0de6e166afeebce0be35d.exe 85
PID 4296 wrote to memory of 3100 4296 b7966ff9361f4f72114a0db06f8a553aa80d0ae5ccc0de6e166afeebce0be35d.exe 85
PID 4296 wrote to memory of 3100 4296 b7966ff9361f4f72114a0db06f8a553aa80d0ae5ccc0de6e166afeebce0be35d.exe 85
PID 3100 wrote to memory of 2648 3100 un134238.exe 86
PID 3100 wrote to memory of 2648 3100 un134238.exe 86
PID 3100 wrote to memory of 2648 3100 un134238.exe 86
PID 3100 wrote to memory of 4176 3100 un134238.exe 95
PID 3100 wrote to memory of 4176 3100 un134238.exe 95
PID 3100 wrote to memory of 4176 3100 un134238.exe 95
Processes
C:\Users\Admin\AppData\Local\Temp\b7966ff9361f4f72114a0db06f8a553aa80d0ae5ccc0de6e166afeebce0be35d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b7966ff9361f4f72114a0db06f8a553aa80d0ae5ccc0de6e166afeebce0be35d.exe"
  PID: 4296
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un134238.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un134238.exe
    PID: 3100
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48608722.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48608722.exe
      PID: 2648
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 1088
        PID: 4548
        - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk964611.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk964611.exe
      PID: 4176
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2648 -ip 2648
  PID: 2928
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads
Filesize: 592KB
MD5: 550bff38f84718910767c619226cd3ef
SHA1: bc6ca336c6aaccff9889bcb0d8404b72a593666e
SHA256: c5959795e84dfa11cc0d1f1e6e7bfc7be7bc7392c49bbf01435bff5c4b372548
SHA512: 626cb6cf31fe976e1799072e3efc3e5e37e517d62c93969a560e0c37740f91b88736ddbf067320f1793b158d65a719674b72df69f56f460d5bc9e2141551ede8

Filesize: 378KB
MD5: 4e123489b79254a7bb909675f0542736
SHA1: a5294a40a7409b53feb948108a472ad8631c94c9
SHA256: 54ce0a5c708db5c4782fcdeaed69d2dcc54ccbc2a5b39d6815423130ea844ee0
SHA512: adc1395fa61c800b7f6c9f30316372d3a039cb8a78d994fd902048fa7cace2232e0ae6367327a6b2757ab924e75b2ba6a374daf7a4fee3d1e9e4da8cbe5dc36d

Filesize: 460KB
MD5: 8cd916a24464ebd3a8b027d0dcf176ce
SHA1: 6bab7fb9aea0ca3fa28f921a558b2b5ba8fd3315
SHA256: 9e5e2fa580960bce98a9b2edfefd02dff1204c6eebb2f84b2e5428e20dd5f63c
SHA512: 40a7c732cba05c92b4e04ba8b5a68bbe36fc8601b20653b909e8fd7e60e3b177a74d74228aeb862917f6b9a3ef17d408ec27aab39813232ecc23b06781e22a2b