Analysis
max time kernel: 138s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:39
Static task: static1
Behavioral task: behavioral1
Sample: 15f850587c7364b2ee094f055c265072512b151c1cb063f3169050b7065a31c1.exe
Resource: win10v2004-20241007-en
General
Target: 15f850587c7364b2ee094f055c265072512b151c1cb063f3169050b7065a31c1.exe
Size: 479KB
MD5: a9250a600e470a9144b3ff771535d50b
SHA1: 8b8426eec34d5952e4e69b5423aeb3e773d974cd
SHA256: 15f850587c7364b2ee094f055c265072512b151c1cb063f3169050b7065a31c1
SHA512: 1a1376b98e08c89c4fae0f1b522cbc8b0ae9e5257ab542c98311f0316959b502571439bd910dc29908a30e2cbdd6363a6c2fac8c6c81fc8a2d8fa3a89a6f6b83
SSDEEP: 6144:KLy+bnr+/p0yN90QEcLdh+HepZo5XcV9q2fCEH3vtZcLMgbz5Q9trYflQN0rYfBx:VMrvy902Kb5FkHHft6L5DfC94+JmmZr
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Processes (resource, yara_rule):
  behavioral1/memory/3304-15-0x00000000007F0000-0x000000000080A000-memory.dmp  healer
  behavioral1/memory/3304-18-0x0000000002540000-0x0000000002558000-memory.dmp  healer
  behavioral1/memory/3304-48-0x0000000002540000-0x0000000002552000-memory.dmp  healer
  behavioral1/memory/3304-46-0x0000000002540000-0x0000000002552000-memory.dmp  healer
  behavioral1/memory/3304-44-0x0000000002540000-0x0000000002552000-memory.dmp  healer
  behavioral1/memory/3304-42-0x0000000002540000-0x0000000002552000-memory.dmp  healer
  behavioral1/memory/3304-40-0x0000000002540000-0x0000000002552000-memory.dmp  healer
  behavioral1/memory/3304-38-0x0000000002540000-0x0000000002552000-memory.dmp  healer
  behavioral1/memory/3304-36-0x0000000002540000-0x0000000002552000-memory.dmp  healer
  behavioral1/memory/3304-34-0x0000000002540000-0x0000000002552000-memory.dmp  healer
  behavioral1/memory/3304-32-0x0000000002540000-0x0000000002552000-memory.dmp  healer
  behavioral1/memory/3304-30-0x0000000002540000-0x0000000002552000-memory.dmp  healer
  behavioral1/memory/3304-28-0x0000000002540000-0x0000000002552000-memory.dmp  healer
  behavioral1/memory/3304-26-0x0000000002540000-0x0000000002552000-memory.dmp  healer
  behavioral1/memory/3304-24-0x0000000002540000-0x0000000002552000-memory.dmp  healer
  behavioral1/memory/3304-22-0x0000000002540000-0x0000000002552000-memory.dmp  healer
  behavioral1/memory/3304-21-0x0000000002540000-0x0000000002552000-memory.dmp  healer
Healer family
Modifies Windows Defender Real-time Protection settings
Processes (description, ioc, process):
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  a2495996.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  a2495996.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  a2495996.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  a2495996.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  a2495996.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  a2495996.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (2 IoCs)
Processes (resource, yara_rule):
  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5805366.exe  family_redline
  behavioral1/memory/4872-56-0x0000000000BC0000-0x0000000000BE8000-memory.dmp  family_redline
Redline family
Executes dropped EXE (3 IoCs)
Processes (pid, process):
  2648  v2335925.exe
  3304  a2495996.exe
  4872  b5805366.exe
Windows security modification
Processes (description, ioc, process):
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  a2495996.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  a2495996.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  15f850587c7364b2ee094f055c265072512b151c1cb063f3169050b7065a31c1.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  v2335925.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description, ioc, process):
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  15f850587c7364b2ee094f055c265072512b151c1cb063f3169050b7065a31c1.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  v2335925.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a2495996.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  b5805366.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid, process):
  3304  a2495996.exe
  3304  a2495996.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description, pid, process):
  Token: SeDebugPrivilege  3304  a2495996.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description, pid, process, target process):
  PID 3224 wrote to memory of 2648  3224  15f850587c7364b2ee094f055c265072512b151c1cb063f3169050b7065a31c1.exe  v2335925.exe
  PID 3224 wrote to memory of 2648  3224  15f850587c7364b2ee094f055c265072512b151c1cb063f3169050b7065a31c1.exe  v2335925.exe
  PID 3224 wrote to memory of 2648  3224  15f850587c7364b2ee094f055c265072512b151c1cb063f3169050b7065a31c1.exe  v2335925.exe
  PID 2648 wrote to memory of 3304  2648  v2335925.exe  a2495996.exe
  PID 2648 wrote to memory of 3304  2648  v2335925.exe  a2495996.exe
  PID 2648 wrote to memory of 3304  2648  v2335925.exe  a2495996.exe
  PID 2648 wrote to memory of 4872  2648  v2335925.exe  b5805366.exe
  PID 2648 wrote to memory of 4872  2648  v2335925.exe  b5805366.exe
  PID 2648 wrote to memory of 4872  2648  v2335925.exe  b5805366.exe
Processes
C:\Users\Admin\AppData\Local\Temp\15f850587c7364b2ee094f055c265072512b151c1cb063f3169050b7065a31c1.exe (PID 3224)
  command line: "C:\Users\Admin\AppData\Local\Temp\15f850587c7364b2ee094f055c265072512b151c1cb063f3169050b7065a31c1.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2335925.exe (PID 2648)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2335925.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2495996.exe (PID 3304)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2495996.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5805366.exe (PID 4872)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5805366.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Downloads
-
Filesize: 307KB
MD5: 0b9b79d8373db7306266b13374b706c5
SHA1: 14d1e41b82c93a921e216c6413dbca71078b7164
SHA256: c001c20ba5bed00325bb65e896ff8784c78c5ac1dc09b3b080fe17f47c4ad377
SHA512: bd672462d2491570b8abb11883b8f5490eb939af81f4f3cf247f4536c2365459f1cfd1d4493edc2131c918448bac4bbe720ff8f5df1da3ff2944c236d25941f3
-
Filesize: 175KB
MD5: 2b2de86a57d6dab19b7b575e69f39efb
SHA1: bd9e3c6c382204d22facd339aca89e5bd7bfd348
SHA256: 215deac5cfe86c8cea76d13fc9f0785a3f127192f6ac5a3f3f79ec517abad17a
SHA512: addb7f1950db35403508714a1e513d52975a477f0cb6415681d55a4e58be7827bba706e726241baf4ed0be9cdcbee5ec0b6ac3b5ce9cdb3656ac044455bd5b0c
-
Filesize: 136KB
MD5: 6146be88a32772f48ffe4a5793b7a512
SHA1: 2045636edc721356e48de655e43159d10e1f5b63
SHA256: b45ac7ef87f54f6058ba78eb3549502c9c3e6f103cd4d3bd6bd6fff715a25044
SHA512: a1618ed4edd6d018418ee458e1ed915168902efa3375a372a9f77df24454a577f599fa20ca77cf8016450795a02a013b714692597ab191578c36a073d601e5b4