Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 19:17
Static task
static1
Behavioral task
behavioral1
Sample
171e135d9e6cf21e8324f48b476c3b2d0d1e2c598d36d622381e088674cf5f61.exe
Resource
win10v2004-20241007-en
General
-
Target
171e135d9e6cf21e8324f48b476c3b2d0d1e2c598d36d622381e088674cf5f61.exe
-
Size
690KB
-
MD5
839f23455822663d3b70ee552ade783a
-
SHA1
33fb270e1d19d6340c0580eb8c7bf72e9424c3a5
-
SHA256
171e135d9e6cf21e8324f48b476c3b2d0d1e2c598d36d622381e088674cf5f61
-
SHA512
122360170217c3d0ac68df455bc86307c6f15f3e8dae53518d8584c7a231e623fce46b0d4914aac9170c4fcf81b8f0855c1c256671cd47457e853eba4c0dc85b
-
SSDEEP
12288:gy90XI15ZEaoFCFmcM0hDXL7BoOSFKt8OmkAWlp/rjk0feV2/mkWGvVkwl:gyF15Xme1XLNQi8Omk1jj1Q2/Zjxl
Malware Config
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/2336-19-0x0000000002260000-0x000000000227A000-memory.dmp healer behavioral1/memory/2336-21-0x00000000022D0000-0x00000000022E8000-memory.dmp healer behavioral1/memory/2336-47-0x00000000022D0000-0x00000000022E3000-memory.dmp healer behavioral1/memory/2336-27-0x00000000022D0000-0x00000000022E3000-memory.dmp healer behavioral1/memory/2336-49-0x00000000022D0000-0x00000000022E3000-memory.dmp healer behavioral1/memory/2336-45-0x00000000022D0000-0x00000000022E3000-memory.dmp healer behavioral1/memory/2336-43-0x00000000022D0000-0x00000000022E3000-memory.dmp healer behavioral1/memory/2336-41-0x00000000022D0000-0x00000000022E3000-memory.dmp healer behavioral1/memory/2336-40-0x00000000022D0000-0x00000000022E3000-memory.dmp healer behavioral1/memory/2336-37-0x00000000022D0000-0x00000000022E3000-memory.dmp healer behavioral1/memory/2336-35-0x00000000022D0000-0x00000000022E3000-memory.dmp healer behavioral1/memory/2336-33-0x00000000022D0000-0x00000000022E3000-memory.dmp healer behavioral1/memory/2336-31-0x00000000022D0000-0x00000000022E3000-memory.dmp healer behavioral1/memory/2336-29-0x00000000022D0000-0x00000000022E3000-memory.dmp healer behavioral1/memory/2336-25-0x00000000022D0000-0x00000000022E3000-memory.dmp healer behavioral1/memory/2336-23-0x00000000022D0000-0x00000000022E3000-memory.dmp healer behavioral1/memory/2336-22-0x00000000022D0000-0x00000000022E3000-memory.dmp healer -
Healer family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 61762759.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 61762759.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 61762759.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 61762759.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 61762759.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 61762759.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource yara_rule behavioral1/memory/5024-60-0x0000000002500000-0x000000000253C000-memory.dmp family_redline behavioral1/memory/5024-61-0x0000000004A80000-0x0000000004ABA000-memory.dmp family_redline behavioral1/memory/5024-72-0x0000000004A80000-0x0000000004AB5000-memory.dmp family_redline behavioral1/memory/5024-90-0x0000000004A80000-0x0000000004AB5000-memory.dmp family_redline behavioral1/memory/5024-93-0x0000000004A80000-0x0000000004AB5000-memory.dmp family_redline behavioral1/memory/5024-91-0x0000000004A80000-0x0000000004AB5000-memory.dmp family_redline behavioral1/memory/5024-87-0x0000000004A80000-0x0000000004AB5000-memory.dmp family_redline behavioral1/memory/5024-85-0x0000000004A80000-0x0000000004AB5000-memory.dmp family_redline behavioral1/memory/5024-83-0x0000000004A80000-0x0000000004AB5000-memory.dmp family_redline behavioral1/memory/5024-81-0x0000000004A80000-0x0000000004AB5000-memory.dmp family_redline behavioral1/memory/5024-79-0x0000000004A80000-0x0000000004AB5000-memory.dmp family_redline behavioral1/memory/5024-77-0x0000000004A80000-0x0000000004AB5000-memory.dmp family_redline behavioral1/memory/5024-75-0x0000000004A80000-0x0000000004AB5000-memory.dmp family_redline behavioral1/memory/5024-73-0x0000000004A80000-0x0000000004AB5000-memory.dmp family_redline behavioral1/memory/5024-95-0x0000000004A80000-0x0000000004AB5000-memory.dmp family_redline behavioral1/memory/5024-69-0x0000000004A80000-0x0000000004AB5000-memory.dmp family_redline behavioral1/memory/5024-67-0x0000000004A80000-0x0000000004AB5000-memory.dmp family_redline behavioral1/memory/5024-65-0x0000000004A80000-0x0000000004AB5000-memory.dmp family_redline behavioral1/memory/5024-63-0x0000000004A80000-0x0000000004AB5000-memory.dmp family_redline behavioral1/memory/5024-62-0x0000000004A80000-0x0000000004AB5000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 4736 un933378.exe 2336 61762759.exe 5024 rk061445.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 61762759.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 61762759.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 171e135d9e6cf21e8324f48b476c3b2d0d1e2c598d36d622381e088674cf5f61.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un933378.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4240 2336 WerFault.exe 84 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 61762759.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rk061445.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 171e135d9e6cf21e8324f48b476c3b2d0d1e2c598d36d622381e088674cf5f61.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language un933378.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2336 61762759.exe 2336 61762759.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2336 61762759.exe Token: SeDebugPrivilege 5024 rk061445.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 4912 wrote to memory of 4736 4912 171e135d9e6cf21e8324f48b476c3b2d0d1e2c598d36d622381e088674cf5f61.exe 83 PID 4912 wrote to memory of 4736 4912 171e135d9e6cf21e8324f48b476c3b2d0d1e2c598d36d622381e088674cf5f61.exe 83 PID 4912 wrote to memory of 4736 4912 171e135d9e6cf21e8324f48b476c3b2d0d1e2c598d36d622381e088674cf5f61.exe 83 PID 4736 wrote to memory of 2336 4736 un933378.exe 84 PID 4736 wrote to memory of 2336 4736 un933378.exe 84 PID 4736 wrote to memory of 2336 4736 un933378.exe 84 PID 4736 wrote to memory of 5024 4736 un933378.exe 96 PID 4736 wrote to memory of 5024 4736 un933378.exe 96 PID 4736 wrote to memory of 5024 4736 un933378.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\171e135d9e6cf21e8324f48b476c3b2d0d1e2c598d36d622381e088674cf5f61.exe"C:\Users\Admin\AppData\Local\Temp\171e135d9e6cf21e8324f48b476c3b2d0d1e2c598d36d622381e088674cf5f61.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un933378.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un933378.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\61762759.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\61762759.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 10804⤵
- Program crash
PID:4240
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk061445.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk061445.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5024
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2336 -ip 23361⤵PID:552
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
536KB
MD5c8013c1272b6af8e39fea625f282447b
SHA1c1e483c4ec502feacc360a7311b5c19c790eafbb
SHA25653c6c09328301927eb83ddbb36ab7a202fc816d4026de248dde6dfb62684e4e1
SHA512793fb8730924c6300daf76acebbefc90bc13632c923c85244fdf32d9117009d2006db0e225d25958e3be21e2378d7a30eb1259859c31b28e15bcf7aa7df504c4
-
Filesize
259KB
MD52d931ae2edddefc5a6196c5a7676e96a
SHA1bc11272b2d64341b430e695f56579cfd6cca11b3
SHA256e472fc30098cc8b8c9ec12dfa7628147dbea384ce45cd6b260c8a287113cb8e7
SHA512e9ccd5480125dc5c916683869984401d7ae65007a6e1763dfdcd8e6da02fbc9b8064eb85cc87abbba28344d22d3680ab865de41dd10301ba3903827eb220d626
-
Filesize
341KB
MD55fbb034af5234de5c6c531ab4733c994
SHA179aee06a8e04fc0bfcee06d8b7bc0d4b390eb480
SHA2567e761cf897fc10405bf32de865f74d4d03702c00200152bb175eaa385a6055c4
SHA512ddb9b37efa8805691148410ecde21353f0c06421644c5f12c6429fb792d91aa740fac1145f6231252e0a0584ed87011af14fba1bfc64fd8c4230e2af8a8f1713