Analysis
max time kernel: 144s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 09/11/2024, 19:18
Static task: static1
Behavioral task: behavioral1
Sample: 1e84a3c3de209ef62dbddb129f1a15a79646bb68d4c8aef9fc4525b0734e9a1c.exe
Resource: win10v2004-20241007-en
General
Target: 1e84a3c3de209ef62dbddb129f1a15a79646bb68d4c8aef9fc4525b0734e9a1c.exe
Size: 963KB
MD5: 0e952d6d3346da7444a83a71a74f87ad
SHA1: b03f7de95749d80943837fe08e8fb03191912f52
SHA256: 1e84a3c3de209ef62dbddb129f1a15a79646bb68d4c8aef9fc4525b0734e9a1c
SHA512: 49dcf39be324736e9e48ba1eac21934b2a6162b1b1c2e07ee9088bcc3ed5c013fe5ca7632e1d9da37d13c1a6c7ff197d0b08114899858685a8e160dfb2bf81d7
SSDEEP: 24576:dynqU4VFmIxg1OhgTiX+i2kgfVtUmEpNQccgENWsKd5bW:4nqU4VFmIxZITi2kyUHQcKSbb
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
resource | yara_rule
behavioral1/memory/1100-22-0x00000000048E0000-0x00000000048FA000-memory.dmp | healer
behavioral1/memory/1100-24-0x0000000004A30000-0x0000000004A48000-memory.dmp | healer
behavioral1/memory/1100-45-0x0000000004A30000-0x0000000004A42000-memory.dmp | healer
behavioral1/memory/1100-52-0x0000000004A30000-0x0000000004A42000-memory.dmp | healer
behavioral1/memory/1100-50-0x0000000004A30000-0x0000000004A42000-memory.dmp | healer
behavioral1/memory/1100-48-0x0000000004A30000-0x0000000004A42000-memory.dmp | healer
behavioral1/memory/1100-43-0x0000000004A30000-0x0000000004A42000-memory.dmp | healer
behavioral1/memory/1100-40-0x0000000004A30000-0x0000000004A42000-memory.dmp | healer
behavioral1/memory/1100-38-0x0000000004A30000-0x0000000004A42000-memory.dmp | healer
behavioral1/memory/1100-36-0x0000000004A30000-0x0000000004A42000-memory.dmp | healer
behavioral1/memory/1100-32-0x0000000004A30000-0x0000000004A42000-memory.dmp | healer
behavioral1/memory/1100-30-0x0000000004A30000-0x0000000004A42000-memory.dmp | healer
behavioral1/memory/1100-26-0x0000000004A30000-0x0000000004A42000-memory.dmp | healer
behavioral1/memory/1100-25-0x0000000004A30000-0x0000000004A42000-memory.dmp | healer
behavioral1/memory/1100-46-0x0000000004A30000-0x0000000004A42000-memory.dmp | healer
behavioral1/memory/1100-34-0x0000000004A30000-0x0000000004A42000-memory.dmp | healer
behavioral1/memory/1100-28-0x0000000004A30000-0x0000000004A42000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr363198.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr363198.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr363198.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr363198.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr363198.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr363198.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
resource | yara_rule
behavioral1/memory/2264-60-0x0000000007130000-0x000000000716C000-memory.dmp | family_redline
behavioral1/memory/2264-61-0x00000000077A0000-0x00000000077DA000-memory.dmp | family_redline
behavioral1/memory/2264-67-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2264-73-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2264-71-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2264-69-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2264-93-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2264-79-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2264-75-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2264-65-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2264-63-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2264-62-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2264-95-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2264-91-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2264-89-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2264-87-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2264-85-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2264-83-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2264-81-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2264-77-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
Redline family
Executes dropped EXE (4 IoCs)
pid | Process
2076 | un548526.exe
772 | un715785.exe
1100 | pr363198.exe
2264 | qu552438.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr363198.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr363198.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un548526.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | un715785.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 1e84a3c3de209ef62dbddb129f1a15a79646bb68d4c8aef9fc4525b0734e9a1c.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
916 | 1100 | WerFault.exe | 87
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un715785.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pr363198.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu552438.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1e84a3c3de209ef62dbddb129f1a15a79646bb68d4c8aef9fc4525b0734e9a1c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un548526.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1100 | pr363198.exe
1100 | pr363198.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1100 | pr363198.exe
Token: SeDebugPrivilege | 2264 | qu552438.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 3648 wrote to memory of 2076 | 3648 | 1e84a3c3de209ef62dbddb129f1a15a79646bb68d4c8aef9fc4525b0734e9a1c.exe | 83
PID 3648 wrote to memory of 2076 | 3648 | 1e84a3c3de209ef62dbddb129f1a15a79646bb68d4c8aef9fc4525b0734e9a1c.exe | 83
PID 3648 wrote to memory of 2076 | 3648 | 1e84a3c3de209ef62dbddb129f1a15a79646bb68d4c8aef9fc4525b0734e9a1c.exe | 83
PID 2076 wrote to memory of 772 | 2076 | un548526.exe | 85
PID 2076 wrote to memory of 772 | 2076 | un548526.exe | 85
PID 2076 wrote to memory of 772 | 2076 | un548526.exe | 85
PID 772 wrote to memory of 1100 | 772 | un715785.exe | 87
PID 772 wrote to memory of 1100 | 772 | un715785.exe | 87
PID 772 wrote to memory of 1100 | 772 | un715785.exe | 87
PID 772 wrote to memory of 2264 | 772 | un715785.exe | 97
PID 772 wrote to memory of 2264 | 772 | un715785.exe | 97
PID 772 wrote to memory of 2264 | 772 | un715785.exe | 97
Processes
C:\Users\Admin\AppData\Local\Temp\1e84a3c3de209ef62dbddb129f1a15a79646bb68d4c8aef9fc4525b0734e9a1c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1e84a3c3de209ef62dbddb129f1a15a79646bb68d4c8aef9fc4525b0734e9a1c.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3648
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un548526.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un548526.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2076
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un715785.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un715785.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 772
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr363198.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr363198.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1100
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 1084
          - Program crash
          PID: 916
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu552438.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu552438.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 2264
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1100 -ip 1100
  PID: 1928
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads
Filesize: 704KB
MD5: f1386101ed671b369bf4f95f22aef186
SHA1: 3e39a9ebeb4962407b8f2a87568ce71922ddbfe3
SHA256: e734b97cb40076e963f6ed7cf3c5ccf3ba34b017d6fd2d4953da7ce666b7b9d2
SHA512: 137ef87e1f9aeb05d4baa54b46f6c033ea6b1103e793aa326e3b2fe9487039b942ec73691c5c445066e7b2d1c4d0df195e50c6cbe484747e0cc16372150cd3da

Filesize: 550KB
MD5: 1b672ec9363d65236b3b96c58c5fbdb6
SHA1: 1daeb46c98ff2cfecc8fb77d7f7f14af3d5e9ca2
SHA256: 8825f9d1de0b164c32e93e08b0b3ee4df3eb5ca573c4f623a8c5e4f3c71be865
SHA512: 5dd0c5808758c48eccf124863302cfa467fd8b2186694615cbedd20f2b06aafcf5262661bd9f5bcc0cff1c8559206d28e925a56008781b80fabb992fbd35ca58

Filesize: 299KB
MD5: 22f71551bb6238656e724d952c95d558
SHA1: 4e841eff75aec78aba5386a9511cbf51ba28fab8
SHA256: 807f263801d72754902cc706f3e2de206a5c19e7a038238ab1d9fcff2611cc44
SHA512: b8bd083a03e6feaaec96049b7aa3932087914de007d3398e0b6b64ac54c9dc8f1fc55f96883711862d4ab19cc9d698ab29300d58490e96c57afa172a973bf842

Filesize: 381KB
MD5: ba3621ec5dd1be22315364289f22d773
SHA1: f730dbbd39117f4d4b1f739ad0b9b0418cb47096
SHA256: 0dd139dd1fada436f35fdb49578ed82258c5f9344512fa6e6f5ddfcddcc3cb19
SHA512: 051dc91c7a6f4b40d8be983296e86891dd3ee8a5096f77d1994c5bbc8e29e7e5854309147d73534949d71362f8a12944226aa3ea2e76c2a9fd5499c6bee212ff