Analysis
-
max time kernel
143s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
09/11/2024, 05:18
Static task
static1
Behavioral task
behavioral1
Sample
ba1c229880e34f853aac41c65f740a273dc9ba7dc30dd50d123c102264f290f4.exe
Resource
win10v2004-20241007-en
General
-
Target
ba1c229880e34f853aac41c65f740a273dc9ba7dc30dd50d123c102264f290f4.exe
-
Size
691KB
-
MD5
b6b4f9f09b68f0df7e7d31c106c32969
-
SHA1
9b5c24d3212f06662b88ea896831983617627ac8
-
SHA256
ba1c229880e34f853aac41c65f740a273dc9ba7dc30dd50d123c102264f290f4
-
SHA512
37be77362613a63841970d21b2d9a289a7ba48feb290da22e37103d1c927404c43ecd7cbd502a665cbb9dc9667d8d45dbf3e380e88d7d4cf84824825d9084ef1
-
SSDEEP
12288:+y90PlkEOx0VMjxvS5KD8mYoxfJ3+hMyxX100Cl2BmQZpB34eAk:+yilc6VSAkD8md+x7E2BdZE3k
Malware Config
Signatures
-
Detects Healer, an antivirus disabler dropper 17 IoCs
resource | yara_rule
behavioral1/memory/5028-19-0x0000000002510000-0x000000000252A000-memory.dmp | healer
behavioral1/memory/5028-21-0x00000000026A0000-0x00000000026B8000-memory.dmp | healer
behavioral1/memory/5028-49-0x00000000026A0000-0x00000000026B3000-memory.dmp | healer
behavioral1/memory/5028-47-0x00000000026A0000-0x00000000026B3000-memory.dmp | healer
behavioral1/memory/5028-45-0x00000000026A0000-0x00000000026B3000-memory.dmp | healer
behavioral1/memory/5028-43-0x00000000026A0000-0x00000000026B3000-memory.dmp | healer
behavioral1/memory/5028-41-0x00000000026A0000-0x00000000026B3000-memory.dmp | healer
behavioral1/memory/5028-39-0x00000000026A0000-0x00000000026B3000-memory.dmp | healer
behavioral1/memory/5028-37-0x00000000026A0000-0x00000000026B3000-memory.dmp | healer
behavioral1/memory/5028-35-0x00000000026A0000-0x00000000026B3000-memory.dmp | healer
behavioral1/memory/5028-33-0x00000000026A0000-0x00000000026B3000-memory.dmp | healer
behavioral1/memory/5028-31-0x00000000026A0000-0x00000000026B3000-memory.dmp | healer
behavioral1/memory/5028-29-0x00000000026A0000-0x00000000026B3000-memory.dmp | healer
behavioral1/memory/5028-27-0x00000000026A0000-0x00000000026B3000-memory.dmp | healer
behavioral1/memory/5028-25-0x00000000026A0000-0x00000000026B3000-memory.dmp | healer
behavioral1/memory/5028-23-0x00000000026A0000-0x00000000026B3000-memory.dmp | healer
behavioral1/memory/5028-22-0x00000000026A0000-0x00000000026B3000-memory.dmp | healer
-
Healer family
-
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 41475546.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 41475546.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 41475546.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 41475546.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 41475546.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 41475546.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 21 IoCs
resource | yara_rule
behavioral1/memory/1624-61-0x0000000002390000-0x00000000023CC000-memory.dmp | family_redline
behavioral1/memory/1624-62-0x0000000002580000-0x00000000025BA000-memory.dmp | family_redline
behavioral1/memory/1624-80-0x0000000002580000-0x00000000025B5000-memory.dmp | family_redline
behavioral1/memory/1624-64-0x0000000002580000-0x00000000025B5000-memory.dmp | family_redline
behavioral1/memory/1624-63-0x0000000002580000-0x00000000025B5000-memory.dmp | family_redline
behavioral1/memory/1624-96-0x0000000002580000-0x00000000025B5000-memory.dmp | family_redline
behavioral1/memory/1624-94-0x0000000002580000-0x00000000025B5000-memory.dmp | family_redline
behavioral1/memory/1624-92-0x0000000002580000-0x00000000025B5000-memory.dmp | family_redline
behavioral1/memory/1624-90-0x0000000002580000-0x00000000025B5000-memory.dmp | family_redline
behavioral1/memory/1624-88-0x0000000002580000-0x00000000025B5000-memory.dmp | family_redline
behavioral1/memory/1624-86-0x0000000002580000-0x00000000025B5000-memory.dmp | family_redline
behavioral1/memory/1624-84-0x0000000002580000-0x00000000025B5000-memory.dmp | family_redline
behavioral1/memory/1624-82-0x0000000002580000-0x00000000025B5000-memory.dmp | family_redline
behavioral1/memory/1624-81-0x0000000002580000-0x00000000025B5000-memory.dmp | family_redline
behavioral1/memory/1624-78-0x0000000002580000-0x00000000025B5000-memory.dmp | family_redline
behavioral1/memory/1624-76-0x0000000002580000-0x00000000025B5000-memory.dmp | family_redline
behavioral1/memory/1624-74-0x0000000002580000-0x00000000025B5000-memory.dmp | family_redline
behavioral1/memory/1624-72-0x0000000002580000-0x00000000025B5000-memory.dmp | family_redline
behavioral1/memory/1624-70-0x0000000002580000-0x00000000025B5000-memory.dmp | family_redline
behavioral1/memory/1624-68-0x0000000002580000-0x00000000025B5000-memory.dmp | family_redline
behavioral1/memory/1624-66-0x0000000002580000-0x00000000025B5000-memory.dmp | family_redline
-
Redline family
-
Executes dropped EXE 3 IoCs
pid | Process
2208 | un514742.exe
5028 | 41475546.exe
1624 | rk828633.exe
-
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 41475546.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 41475546.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ba1c229880e34f853aac41c65f740a273dc9ba7dc30dd50d123c102264f290f4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un514742.exe
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
3996 | 5028 | WerFault.exe | 84
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ba1c229880e34f853aac41c65f740a273dc9ba7dc30dd50d123c102264f290f4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un514742.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 41475546.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rk828633.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
5028 | 41475546.exe
5028 | 41475546.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5028 | 41475546.exe
Token: SeDebugPrivilege | 1624 | rk828633.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 1180 wrote to memory of 2208 | 1180 | ba1c229880e34f853aac41c65f740a273dc9ba7dc30dd50d123c102264f290f4.exe | 83
PID 1180 wrote to memory of 2208 | 1180 | ba1c229880e34f853aac41c65f740a273dc9ba7dc30dd50d123c102264f290f4.exe | 83
PID 1180 wrote to memory of 2208 | 1180 | ba1c229880e34f853aac41c65f740a273dc9ba7dc30dd50d123c102264f290f4.exe | 83
PID 2208 wrote to memory of 5028 | 2208 | un514742.exe | 84
PID 2208 wrote to memory of 5028 | 2208 | un514742.exe | 84
PID 2208 wrote to memory of 5028 | 2208 | un514742.exe | 84
PID 2208 wrote to memory of 1624 | 2208 | un514742.exe | 96
PID 2208 wrote to memory of 1624 | 2208 | un514742.exe | 96
PID 2208 wrote to memory of 1624 | 2208 | un514742.exe | 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\ba1c229880e34f853aac41c65f740a273dc9ba7dc30dd50d123c102264f290f4.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ba1c229880e34f853aac41c65f740a273dc9ba7dc30dd50d123c102264f290f4.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1180

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un514742.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un514742.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2208

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\41475546.exe (level 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\41475546.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 5028

      C:\Windows\SysWOW64\WerFault.exe (level 4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1080
        - Program crash
        PID: 3996

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk828633.exe (level 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk828633.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 1624

C:\Windows\SysWOW64\WerFault.exe (level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5028 -ip 5028
  PID: 756
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
-
Filesize
536KB
MD5
2ad2f00c586bbd68f3cb5b1be50f240b
SHA1
f05d425e2205d4ad081246d5913f3e2f422f7e5a
SHA256
0f41f771aad05f7c5e1e1a94fbd477093a7e1e47a07c3a1939631c17907465ef
SHA512
cd335fb6dcadb038428434c8d5ba6a563f934a7bb5c855aa39a694fecb03c9c8b843ffdaa6369c34cf6c23c6544315c344d89a0be6321c63d5e01572621e5b9f
-
Filesize
259KB
MD5
8793a439e44aeb69c5f99c361fd237e3
SHA1
f0d8d1acb7ca5a9f2a3e2106587421135684ce06
SHA256
aef1e937247a86c4c1ef1c04c93eb20d379691b27dfc108f91fefc6274db8f5c
SHA512
6f46ce842ebac34897326344d9fcdd1a2fa10879541c45bd858887a78f4428a1eba22568121900d095385905e7fbd5c95b671e6435af2d198a238da5a111cf22
-
Filesize
341KB
MD5
7996d40f5620eaba582f79133aaefd9c
SHA1
4a5fbdc087b3d9de41998db5ed593f643ca4aeea
SHA256
440b6c67c9830f66ff2fbb756f83607c6f6d812c809f75f385f6459da36e1d2e
SHA512
457f5f919f2eb7ae25ebca2c279166d2109ce67e6e34c1cd79ba033de942945e4e6659538ff8e13d26b8281e6643403d560513e89901556ee42fffc4721a77fd