Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 19:16
Static task
static1
Behavioral task
behavioral1
Sample
8885276629989d6b4b07e7e70245e985fb27ceb0ba26c19c8892f036a094231d.exe
Resource
win10v2004-20241007-en
General
-
Target
8885276629989d6b4b07e7e70245e985fb27ceb0ba26c19c8892f036a094231d.exe
-
Size
697KB
-
MD5
c486dc3a303c7638a417e380a5506757
-
SHA1
5bb6e53c6b4eb9353c4811e4e501342411e5fb4c
-
SHA256
8885276629989d6b4b07e7e70245e985fb27ceb0ba26c19c8892f036a094231d
-
SHA512
ca0d51c73ee303e7f49c685a698a5314b472b1bcb7751e45f49096c1da88c90c6fe0a20c9dd226843a1317d7cf987f4202c56a69ee9be5d897a2a70aeadf72e7
-
SSDEEP
12288:vy90k8/WIK+owxXOVTzoAiJkSeCLQRAwfhcJkMYf1BRjX0bBHgKoM2r8egj6hg1t:vy2t/laTyKQQ2uiJkFfzZqBAKoMA8egb
Malware Config
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/3516-18-0x0000000004B30000-0x0000000004B4A000-memory.dmp healer behavioral1/memory/3516-20-0x0000000004BC0000-0x0000000004BD8000-memory.dmp healer behavioral1/memory/3516-48-0x0000000004BC0000-0x0000000004BD3000-memory.dmp healer behavioral1/memory/3516-46-0x0000000004BC0000-0x0000000004BD3000-memory.dmp healer behavioral1/memory/3516-44-0x0000000004BC0000-0x0000000004BD3000-memory.dmp healer behavioral1/memory/3516-42-0x0000000004BC0000-0x0000000004BD3000-memory.dmp healer behavioral1/memory/3516-40-0x0000000004BC0000-0x0000000004BD3000-memory.dmp healer behavioral1/memory/3516-38-0x0000000004BC0000-0x0000000004BD3000-memory.dmp healer behavioral1/memory/3516-36-0x0000000004BC0000-0x0000000004BD3000-memory.dmp healer behavioral1/memory/3516-34-0x0000000004BC0000-0x0000000004BD3000-memory.dmp healer behavioral1/memory/3516-32-0x0000000004BC0000-0x0000000004BD3000-memory.dmp healer behavioral1/memory/3516-30-0x0000000004BC0000-0x0000000004BD3000-memory.dmp healer behavioral1/memory/3516-28-0x0000000004BC0000-0x0000000004BD3000-memory.dmp healer behavioral1/memory/3516-26-0x0000000004BC0000-0x0000000004BD3000-memory.dmp healer behavioral1/memory/3516-24-0x0000000004BC0000-0x0000000004BD3000-memory.dmp healer behavioral1/memory/3516-22-0x0000000004BC0000-0x0000000004BD3000-memory.dmp healer behavioral1/memory/3516-21-0x0000000004BC0000-0x0000000004BD3000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 45214996.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 45214996.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 45214996.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 45214996.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 45214996.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 45214996.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource yara_rule behavioral1/memory/1772-60-0x0000000007110000-0x000000000714C000-memory.dmp family_redline behavioral1/memory/1772-61-0x0000000007190000-0x00000000071CA000-memory.dmp family_redline behavioral1/memory/1772-69-0x0000000007190000-0x00000000071C5000-memory.dmp family_redline behavioral1/memory/1772-75-0x0000000007190000-0x00000000071C5000-memory.dmp family_redline behavioral1/memory/1772-95-0x0000000007190000-0x00000000071C5000-memory.dmp family_redline behavioral1/memory/1772-91-0x0000000007190000-0x00000000071C5000-memory.dmp family_redline behavioral1/memory/1772-89-0x0000000007190000-0x00000000071C5000-memory.dmp family_redline behavioral1/memory/1772-87-0x0000000007190000-0x00000000071C5000-memory.dmp family_redline behavioral1/memory/1772-85-0x0000000007190000-0x00000000071C5000-memory.dmp family_redline behavioral1/memory/1772-83-0x0000000007190000-0x00000000071C5000-memory.dmp family_redline behavioral1/memory/1772-81-0x0000000007190000-0x00000000071C5000-memory.dmp family_redline behavioral1/memory/1772-79-0x0000000007190000-0x00000000071C5000-memory.dmp family_redline behavioral1/memory/1772-77-0x0000000007190000-0x00000000071C5000-memory.dmp family_redline behavioral1/memory/1772-73-0x0000000007190000-0x00000000071C5000-memory.dmp family_redline behavioral1/memory/1772-71-0x0000000007190000-0x00000000071C5000-memory.dmp family_redline behavioral1/memory/1772-67-0x0000000007190000-0x00000000071C5000-memory.dmp family_redline behavioral1/memory/1772-65-0x0000000007190000-0x00000000071C5000-memory.dmp family_redline behavioral1/memory/1772-93-0x0000000007190000-0x00000000071C5000-memory.dmp family_redline behavioral1/memory/1772-63-0x0000000007190000-0x00000000071C5000-memory.dmp family_redline behavioral1/memory/1772-62-0x0000000007190000-0x00000000071C5000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 4432 un280327.exe 3516 45214996.exe 1772 rk238545.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 45214996.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 45214996.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un280327.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 8885276629989d6b4b07e7e70245e985fb27ceb0ba26c19c8892f036a094231d.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4224 3516 WerFault.exe 86 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8885276629989d6b4b07e7e70245e985fb27ceb0ba26c19c8892f036a094231d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language un280327.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 45214996.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rk238545.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3516 45214996.exe 3516 45214996.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3516 45214996.exe Token: SeDebugPrivilege 1772 rk238545.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2312 wrote to memory of 4432 2312 8885276629989d6b4b07e7e70245e985fb27ceb0ba26c19c8892f036a094231d.exe 84 PID 2312 wrote to memory of 4432 2312 8885276629989d6b4b07e7e70245e985fb27ceb0ba26c19c8892f036a094231d.exe 84 PID 2312 wrote to memory of 4432 2312 8885276629989d6b4b07e7e70245e985fb27ceb0ba26c19c8892f036a094231d.exe 84 PID 4432 wrote to memory of 3516 4432 un280327.exe 86 PID 4432 wrote to memory of 3516 4432 un280327.exe 86 PID 4432 wrote to memory of 3516 4432 un280327.exe 86 PID 4432 wrote to memory of 1772 4432 un280327.exe 100 PID 4432 wrote to memory of 1772 4432 un280327.exe 100 PID 4432 wrote to memory of 1772 4432 un280327.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\8885276629989d6b4b07e7e70245e985fb27ceb0ba26c19c8892f036a094231d.exe"C:\Users\Admin\AppData\Local\Temp\8885276629989d6b4b07e7e70245e985fb27ceb0ba26c19c8892f036a094231d.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un280327.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un280327.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\45214996.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\45214996.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3516 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 10804⤵
- Program crash
PID:4224
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk238545.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk238545.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1772
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3516 -ip 35161⤵PID:1676
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
543KB
MD5e01b45561b4b4053033b4d970df4e5df
SHA1bbe8e797259f0f6ca1173e2f63071bdc52dd9018
SHA2565ebd42cc3c241fa1efd946c33cb06384769697799c666249f2244265895e3086
SHA5122f3debe47c5f0d6feeb54c8fe00164c8e21d424e76946caf021c0ac185a3cf27f71e8fb8dd3458b0836a0184b7cb1498e6f334a6afb25f079a28ff0e28735f3d
-
Filesize
265KB
MD568a58d3114ef1315b56ffb8fe4d06cb3
SHA19afeee664c94ec38ee97338508a52071b748e2ad
SHA256ee460edb535b5b12ac30e522e8e0be3ad8c22fa423a17b0d92cfa63ced13e0ef
SHA512666fc6873379fb76c26f02b9931f2d9a4bb19e8c119de0bbfbb93a84ac38adf59dace133b35b08a5d2242b1a52165c8096235a896f89f5e2d6891049eea413f2
-
Filesize
347KB
MD5987dbb3372f5d6a53e1cad8c6cd7e3a1
SHA139b3a1165f77be4bcd429aac64e4efdbc9265c2f
SHA2569f335c3697e64329874384ffcbf334caf3e59b84c4d6447d93c4319064bedf2d
SHA5129115689722894afee50a3075044142a861d2939caabdb30f16f175d039438211529b2160717db1134e705b40013c2bc1f378886f7e1e74555294afe4e23ac6ac