Analysis
max time kernel: 142s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 19:15
Static task: static1
Behavioral task: behavioral1
Sample: 5fa5006b4d36987f15131319ca4b068f1b2a6918f778217b08d4b6455efcd4b2.exe
Resource: win10v2004-20241007-en
General
Target: 5fa5006b4d36987f15131319ca4b068f1b2a6918f778217b08d4b6455efcd4b2.exe
Size: 697KB
MD5: f55a3fa9acf8bed1603edd2fab97607a
SHA1: 6f28157e4ed375748b929030c0d940c3692a1364
SHA256: 5fa5006b4d36987f15131319ca4b068f1b2a6918f778217b08d4b6455efcd4b2
SHA512: 458cda6fd00b22407a2acc7f0076d78adb04bed838573eb2a066ca216e19bf0d27bc0b72eb2b67b36c160a52337fc0231f20e2fcf70f2c6a7a0f303be4c2cbdb
SSDEEP: 12288:2y90xw6ree0bBwwoepZzcf7/YWGsBKuuYrEcYHRXIbZ/bC:2ykw6rUu/epZz2hzluYQlI12
Malware Config
Signatures
Detects Healer an antivirus disabler dropper 17 IoCs
All 17 matches are memory regions of PID 2448, which is pr078591.exe (see "Executes dropped EXE" below); the yara rule "healer" matched on memory dumps, not on the file on disk.
  resource                                                                      yara_rule
  behavioral1/memory/2448-18-0x0000000004980000-0x000000000499A000-memory.dmp   healer
  behavioral1/memory/2448-20-0x0000000004B70000-0x0000000004B88000-memory.dmp   healer
  behavioral1/memory/2448-21-0x0000000004B70000-0x0000000004B82000-memory.dmp   healer
  behavioral1/memory/2448-30-0x0000000004B70000-0x0000000004B82000-memory.dmp   healer
  behavioral1/memory/2448-48-0x0000000004B70000-0x0000000004B82000-memory.dmp   healer
  behavioral1/memory/2448-46-0x0000000004B70000-0x0000000004B82000-memory.dmp   healer
  behavioral1/memory/2448-44-0x0000000004B70000-0x0000000004B82000-memory.dmp   healer
  behavioral1/memory/2448-42-0x0000000004B70000-0x0000000004B82000-memory.dmp   healer
  behavioral1/memory/2448-40-0x0000000004B70000-0x0000000004B82000-memory.dmp   healer
  behavioral1/memory/2448-38-0x0000000004B70000-0x0000000004B82000-memory.dmp   healer
  behavioral1/memory/2448-36-0x0000000004B70000-0x0000000004B82000-memory.dmp   healer
  behavioral1/memory/2448-34-0x0000000004B70000-0x0000000004B82000-memory.dmp   healer
  behavioral1/memory/2448-33-0x0000000004B70000-0x0000000004B82000-memory.dmp   healer
  behavioral1/memory/2448-28-0x0000000004B70000-0x0000000004B82000-memory.dmp   healer
  behavioral1/memory/2448-26-0x0000000004B70000-0x0000000004B82000-memory.dmp   healer
  behavioral1/memory/2448-24-0x0000000004B70000-0x0000000004B82000-memory.dmp   healer
  behavioral1/memory/2448-22-0x0000000004B70000-0x0000000004B82000-memory.dmp   healer
Healer family
Modifies Windows Defender Real-time Protection settings 6 IoCs
All six writes come from pr078591.exe (PID 2448). The paths are recorded under WOW6432Node because pr078591.exe is a 32-bit process (its crash is handled by C:\Windows\SysWOW64\WerFault.exe in the process tree below); when turning these into a detection, match on the value name and the "...\Windows Defender\Real-Time Protection" key suffix rather than on the exact prefix the sandbox recorded.
  description      ioc                                                                                                                              Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"      pr078591.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  pr078591.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  pr078591.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  pr078591.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection                                  pr078591.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  pr078591.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 20 IoCs
All 20 matches are memory regions of PID 4456, which is qu182670.exe (see "Executes dropped EXE" below).
  resource                                                                      yara_rule
  behavioral1/memory/4456-60-0x0000000004B20000-0x0000000004B5C000-memory.dmp   family_redline
  behavioral1/memory/4456-61-0x0000000007770000-0x00000000077AA000-memory.dmp   family_redline
  behavioral1/memory/4456-69-0x0000000007770000-0x00000000077A5000-memory.dmp   family_redline
  behavioral1/memory/4456-67-0x0000000007770000-0x00000000077A5000-memory.dmp   family_redline
  behavioral1/memory/4456-65-0x0000000007770000-0x00000000077A5000-memory.dmp   family_redline
  behavioral1/memory/4456-63-0x0000000007770000-0x00000000077A5000-memory.dmp   family_redline
  behavioral1/memory/4456-62-0x0000000007770000-0x00000000077A5000-memory.dmp   family_redline
  behavioral1/memory/4456-85-0x0000000007770000-0x00000000077A5000-memory.dmp   family_redline
  behavioral1/memory/4456-93-0x0000000007770000-0x00000000077A5000-memory.dmp   family_redline
  behavioral1/memory/4456-91-0x0000000007770000-0x00000000077A5000-memory.dmp   family_redline
  behavioral1/memory/4456-89-0x0000000007770000-0x00000000077A5000-memory.dmp   family_redline
  behavioral1/memory/4456-87-0x0000000007770000-0x00000000077A5000-memory.dmp   family_redline
  behavioral1/memory/4456-83-0x0000000007770000-0x00000000077A5000-memory.dmp   family_redline
  behavioral1/memory/4456-81-0x0000000007770000-0x00000000077A5000-memory.dmp   family_redline
  behavioral1/memory/4456-79-0x0000000007770000-0x00000000077A5000-memory.dmp   family_redline
  behavioral1/memory/4456-77-0x0000000007770000-0x00000000077A5000-memory.dmp   family_redline
  behavioral1/memory/4456-75-0x0000000007770000-0x00000000077A5000-memory.dmp   family_redline
  behavioral1/memory/4456-73-0x0000000007770000-0x00000000077A5000-memory.dmp   family_redline
  behavioral1/memory/4456-71-0x0000000007770000-0x00000000077A5000-memory.dmp   family_redline
  behavioral1/memory/4456-95-0x0000000007770000-0x00000000077A5000-memory.dmp   family_redline
Redline family
Executes dropped EXE 3 IoCs
  pid   Process
  4468  un198918.exe
  2448  pr078591.exe
  4456  qu182670.exe
Windows security modification 2 IoCs
Note that this write targets the Defender Features key, not the Policies key used by the Real-Time Protection writes above; both are made by the same 32-bit process, pr078591.exe.
  description      ioc                                                                                           Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  pr078591.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features                        pr078591.exe
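The two Defender tables above (the Real-Time Protection writes and the TamperProtection write) expressed as hunting logic. This is an added example, not part of the sandbox report and not code from the report's vendor. It consumes either the report's own "Set value (int) ... = "n" process" lines or Sysmon Event ID 13 (RegistryEvent SetValue) shaped records, normalises away the hive prefix and the WOW6432Node redirection node so a 32-bit writer like pr078591.exe and a 64-bit writer compare equal, and only fires when the written data is the disabling value (1 for the Disable* values, 0 for TamperProtection). The Sysmon records in the block are constructed for the example; the record shape (EventID, Image, TargetObject, Details) is assumed.

```python
"""Detection for the Defender-disabling registry writes in the report above.

Added example, not part of the sandbox report. Accepts the report's own
'Set value (int) <path> = "<n>" <process>' lines and constructed Sysmon
Event ID 13 (RegistryEvent SetValue) records; the Sysmon records below are
made up for this example and the field names are an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Keys and value names written by pr078591.exe in the report, with the data
# that means "protection off". Paths are compared with the hive prefix and the
# WOW6432Node redirection node removed, and case-insensitively (lower-cased).
REALTIME_KEY = r"software\policies\microsoft\windows defender\real-time protection"
FEATURES_KEY = r"software\microsoft\windows defender\features"
DISABLING_WRITES = {
    (REALTIME_KEY, "disableioavprotection"): 1,
    (REALTIME_KEY, "disableonaccessprotection"): 1,
    (REALTIME_KEY, "disablerealtimemonitoring"): 1,
    (REALTIME_KEY, "disablescanonrealtimeenable"): 1,
    (REALTIME_KEY, "disablebehaviormonitoring"): 1,
    (FEATURES_KEY, "tamperprotection"): 0,
}

_HIVE = re.compile(r"^(?:\\REGISTRY\\MACHINE\\|HKLM\\|HKEY_LOCAL_MACHINE\\)", re.I)
_WOW = re.compile(r"\\WOW6432Node(?=\\)", re.I)
_REPORT_LINE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')


@dataclass
class Finding:
    image: str       # writing process as recorded (name or full path)
    key: str         # normalised, lower-cased key
    value_name: str  # lower-cased value name
    data: int


def normalize_key(path: str) -> str:
    """'\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\X' -> 'software\\x'."""
    return _WOW.sub("", _HIVE.sub("", path.strip())).lower()


def parse_dword(details: str) -> Optional[int]:
    """Accept Sysmon's 'DWORD (0x00000001)' or the report's bare '1'."""
    details = details.strip()
    m = re.fullmatch(r"DWORD \((0x[0-9a-fA-F]+)\)", details)
    if m:
        return int(m.group(1), 16)
    return int(details) if details.isdigit() else None


def event_from_report_line(line: str) -> Optional[dict]:
    """Turn one 'Set value (int)' row from the report into a Sysmon-shaped record."""
    m = _REPORT_LINE.match(line.strip())
    if not m or m.group(1) != "int":
        return None
    return {"EventID": 13, "Image": m.group(4), "TargetObject": m.group(2), "Details": m.group(3)}


def defender_tamper_findings(events) -> list[Finding]:
    """One Finding per SetValue event whose key, value name and data match a disabling write."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:  # only value writes carry data; key creation (12) is ignored
            continue
        key, _, value_name = normalize_key(ev["TargetObject"]).rpartition("\\")
        expected = DISABLING_WRITES.get((key, value_name))
        if expected is None:
            continue
        if parse_dword(ev.get("Details", "")) == expected:
            findings.append(Finding(ev["Image"], key, value_name, expected))
    return findings


# Two rows copied verbatim from the report's "Set value" tables.
REPORT_LINES = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pr078591.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pr078591.exe',
]

# Constructed Sysmon-shaped records (not from the report): a 64-bit writer that
# sets the value back to 0 (must not fire), a 32-bit disabling write (fires), and
# a key-creation event with no data (ignored).
SYSMON_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr078591.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 12, "Image": r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr078591.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"},
]


def run_sample() -> list[Finding]:
    events = [e for e in map(event_from_report_line, REPORT_LINES) if e] + SYSMON_EVENTS
    return defender_tamper_findings(events)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.image}: {f.key}\\{f.value_name} = {f.data}")
```

Matching on data, not just on the value name, is what keeps a Group Policy refresh that writes 0 from firing; in a real deployment the remaining tuning is the writer, since policy engines and management agents legitimately touch the Policies key while a freshly dropped executable in a Temp\IXP*.TMP directory does not.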
Adds Run key to start application 2 TTPs 2 IoCs
Both entries are the self-extractor's cleanup hook, not payload persistence: wextract_cleanup<n> under RunOnce, running advpack.dll's DelNodeRunDLL32 against the IXP00n.TMP extraction directory, is how an IExpress-style package deletes its temp folder at the next logon. What they do tell you is that the chain is two nested self-extracting packages: the sample extracts un198918.exe into IXP000.TMP, and un198918.exe extracts pr078591.exe and qu182670.exe into IXP001.TMP (see the process tree below).
  description      ioc                                                                                                                                                                                        Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  5fa5006b4d36987f15131319ca4b068f1b2a6918f778217b08d4b6455efcd4b2.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  un198918.exe
Program crash 1 IoCs
  pid  pid_target  Process       procid_target
  448  2448        WerFault.exe  86
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                     Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  qu182670.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  5fa5006b4d36987f15131319ca4b068f1b2a6918f778217b08d4b6455efcd4b2.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  un198918.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pr078591.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
  pid   Process
  2448  pr078591.exe
  2448  pr078591.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
  description              pid   Process
  Token: SeDebugPrivilege  2448  pr078591.exe
  Token: SeDebugPrivilege  4456  qu182670.exe
Suspicious use of WriteProcessMemory 9 IoCs
  description                        pid   Process                                                                 procid_target
  PID 2032 wrote to memory of 4468   2032  5fa5006b4d36987f15131319ca4b068f1b2a6918f778217b08d4b6455efcd4b2.exe  85
  PID 2032 wrote to memory of 4468   2032  5fa5006b4d36987f15131319ca4b068f1b2a6918f778217b08d4b6455efcd4b2.exe  85
  PID 2032 wrote to memory of 4468   2032  5fa5006b4d36987f15131319ca4b068f1b2a6918f778217b08d4b6455efcd4b2.exe  85
  PID 4468 wrote to memory of 2448   4468  un198918.exe                                                            86
  PID 4468 wrote to memory of 2448   4468  un198918.exe                                                            86
  PID 4468 wrote to memory of 2448   4468  un198918.exe                                                            86
  PID 4468 wrote to memory of 4456   4468  un198918.exe                                                            100
  PID 4468 wrote to memory of 4456   4468  un198918.exe                                                            100
  PID 4468 wrote to memory of 4456   4468  un198918.exe                                                            100
Processes

C:\Users\Admin\AppData\Local\Temp\5fa5006b4d36987f15131319ca4b068f1b2a6918f778217b08d4b6455efcd4b2.exe  (PID 2032)
  command line: "C:\Users\Admin\AppData\Local\Temp\5fa5006b4d36987f15131319ca4b068f1b2a6918f778217b08d4b6455efcd4b2.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un198918.exe  (PID 4468)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un198918.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr078591.exe  (PID 2448)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr078591.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe  (PID 448)
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 1016
              - Program crash

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu182670.exe  (PID 4456)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu182670.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe  (PID 3984)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2448 -ip 2448
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1
  Create or Modify System Process: 1
    Windows Service: 1
Downloads

Filesize: 543KB
MD5: 70bc969e2ebe3b5a082b8f34ed2c408f
SHA1: 02e13379128a8fe137260139c3b8399b2fea8e3e
SHA256: 6d2009494cd0a200c0bca178526c951cf0c5bcc7e6ef19f334bd54c17dc4e83a
SHA512: 02e86697718f965a0bea491e71a8e7babc89851c97d727de0115e9930a8caf021548833ae1d9ad44c52e257319708eedd2730c5cf220e760dfffcb259e9a7010

Filesize: 269KB
MD5: 1146165176a2afdcac096e9572fe2d2e
SHA1: b19b77ca33ebbab91ca5dd0b6dd7dbf2498a0c63
SHA256: 1e9acfb9b4e82f49c21ef39b49916fbd93ce5e8facee06001c3f5014ec3ffe4f
SHA512: b185d03218934637d047c42bd79940fcefe8a5e43e2ba536cdb2f8698a27a0ac5e67ba1d135ad7bdc4e328db2a8b588869b2b5f8a199f751b68f333d800326d8

Filesize: 351KB
MD5: bb17923414faecfd9209772fb4bbf269
SHA1: 807536585f295462e1efe0882ef8cfda381583df
SHA256: 85804f0144ec2732192e181f1ca3980f32c1fd30391715b1179187f992750821
SHA512: f8709dc4a0607f438d088b5330a87851cb4cc5fe8e43a2de3de3dc85f0296ef4ba4bf0ac6e902eb97dad8286910f0720a4c4ab91bd822726669175d88d160bfc