Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-11-2024 01:43

Static task: static1
Behavioral task: behavioral1
Sample: 6ebf9d9e3649871c4ae2541134bf1d61c40be5108fb64b595ca735a0e5a54619N.exe
Resource: win10v2004-20241007-en
General
- Target: 6ebf9d9e3649871c4ae2541134bf1d61c40be5108fb64b595ca735a0e5a54619N.exe
- Size: 747KB
- MD5: d12d732d2f792bcd3a8f0b71d8371d70
- SHA1: 51127b1f01d435941ec962b5b2723fdf5669bc10
- SHA256: 6ebf9d9e3649871c4ae2541134bf1d61c40be5108fb64b595ca735a0e5a54619
- SHA512: 0b3338b2de1fb479c0ab2e7b822f2368d0242d157303e2483ec49e001b7e2b611cfc086bc76d66fb209e21507a786dffec6864a41f311c5d2775514459ced623
- SSDEEP: 12288:jy90OXJihefJnTBTi3oMEuXD0UghLdEJd6nDRa6OlQ43NPgbFCXxmyqO:jyPTTBqoMEWD0phOJkDYR5NPCix9
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Processes (resource / yara_rule):
- behavioral1/memory/4056-19-0x0000000000AD0000-0x0000000000AEA000-memory.dmp healer
- behavioral1/memory/4056-21-0x0000000002690000-0x00000000026A8000-memory.dmp healer
- behavioral1/memory/4056-45-0x0000000002690000-0x00000000026A2000-memory.dmp healer
- behavioral1/memory/4056-47-0x0000000002690000-0x00000000026A2000-memory.dmp healer
- behavioral1/memory/4056-43-0x0000000002690000-0x00000000026A2000-memory.dmp healer
- behavioral1/memory/4056-41-0x0000000002690000-0x00000000026A2000-memory.dmp healer
- behavioral1/memory/4056-39-0x0000000002690000-0x00000000026A2000-memory.dmp healer
- behavioral1/memory/4056-37-0x0000000002690000-0x00000000026A2000-memory.dmp healer
- behavioral1/memory/4056-35-0x0000000002690000-0x00000000026A2000-memory.dmp healer
- behavioral1/memory/4056-33-0x0000000002690000-0x00000000026A2000-memory.dmp healer
- behavioral1/memory/4056-31-0x0000000002690000-0x00000000026A2000-memory.dmp healer
- behavioral1/memory/4056-49-0x0000000002690000-0x00000000026A2000-memory.dmp healer
- behavioral1/memory/4056-29-0x0000000002690000-0x00000000026A2000-memory.dmp healer
- behavioral1/memory/4056-27-0x0000000002690000-0x00000000026A2000-memory.dmp healer
- behavioral1/memory/4056-25-0x0000000002690000-0x00000000026A2000-memory.dmp healer
- behavioral1/memory/4056-23-0x0000000002690000-0x00000000026A2000-memory.dmp healer
- behavioral1/memory/4056-22-0x0000000002690000-0x00000000026A2000-memory.dmp healer
Healer family

Modifies Windows Defender Real-time Protection settings
Processes (description / ioc / process):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 33226964.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 33226964.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 33226964.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 33226964.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 33226964.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 33226964.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
Processes (resource / yara_rule):
- behavioral1/memory/1764-61-0x00000000025D0000-0x000000000260C000-memory.dmp family_redline
- behavioral1/memory/1764-62-0x00000000053F0000-0x000000000542A000-memory.dmp family_redline
- behavioral1/memory/1764-68-0x00000000053F0000-0x0000000005425000-memory.dmp family_redline
- behavioral1/memory/1764-76-0x00000000053F0000-0x0000000005425000-memory.dmp family_redline
- behavioral1/memory/1764-96-0x00000000053F0000-0x0000000005425000-memory.dmp family_redline
- behavioral1/memory/1764-94-0x00000000053F0000-0x0000000005425000-memory.dmp family_redline
- behavioral1/memory/1764-92-0x00000000053F0000-0x0000000005425000-memory.dmp family_redline
- behavioral1/memory/1764-90-0x00000000053F0000-0x0000000005425000-memory.dmp family_redline
- behavioral1/memory/1764-88-0x00000000053F0000-0x0000000005425000-memory.dmp family_redline
- behavioral1/memory/1764-84-0x00000000053F0000-0x0000000005425000-memory.dmp family_redline
- behavioral1/memory/1764-82-0x00000000053F0000-0x0000000005425000-memory.dmp family_redline
- behavioral1/memory/1764-81-0x00000000053F0000-0x0000000005425000-memory.dmp family_redline
- behavioral1/memory/1764-74-0x00000000053F0000-0x0000000005425000-memory.dmp family_redline
- behavioral1/memory/1764-72-0x00000000053F0000-0x0000000005425000-memory.dmp family_redline
- behavioral1/memory/1764-70-0x00000000053F0000-0x0000000005425000-memory.dmp family_redline
- behavioral1/memory/1764-86-0x00000000053F0000-0x0000000005425000-memory.dmp family_redline
- behavioral1/memory/1764-78-0x00000000053F0000-0x0000000005425000-memory.dmp family_redline
- behavioral1/memory/1764-66-0x00000000053F0000-0x0000000005425000-memory.dmp family_redline
- behavioral1/memory/1764-64-0x00000000053F0000-0x0000000005425000-memory.dmp family_redline
- behavioral1/memory/1764-63-0x00000000053F0000-0x0000000005425000-memory.dmp family_redline
Redline family

Executes dropped EXE (3 IoCs)
Processes (pid / process):
- 2012 un989412.exe
- 4056 33226964.exe
- 1764 rk999253.exe
Windows security modification
Processes (description / ioc / process):
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 33226964.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 33226964.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description / ioc / process):
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 6ebf9d9e3649871c4ae2541134bf1d61c40be5108fb64b595ca735a0e5a54619N.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un989412.exe
Program crash (1 IoC)
Processes (pid / pid_target / process / target process):
- 2552 4056 WerFault.exe 33226964.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description / ioc / process):
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 33226964.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rk999253.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6ebf9d9e3649871c4ae2541134bf1d61c40be5108fb64b595ca735a0e5a54619N.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language un989412.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid / process):
- 4056 33226964.exe
- 4056 33226964.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege 4056 33226964.exe
- Token: SeDebugPrivilege 1764 rk999253.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description / pid / process / target process):
- PID 2592 wrote to memory of 2012: 6ebf9d9e3649871c4ae2541134bf1d61c40be5108fb64b595ca735a0e5a54619N.exe -> un989412.exe
- PID 2592 wrote to memory of 2012: 6ebf9d9e3649871c4ae2541134bf1d61c40be5108fb64b595ca735a0e5a54619N.exe -> un989412.exe
- PID 2592 wrote to memory of 2012: 6ebf9d9e3649871c4ae2541134bf1d61c40be5108fb64b595ca735a0e5a54619N.exe -> un989412.exe
- PID 2012 wrote to memory of 4056: un989412.exe -> 33226964.exe
- PID 2012 wrote to memory of 4056: un989412.exe -> 33226964.exe
- PID 2012 wrote to memory of 4056: un989412.exe -> 33226964.exe
- PID 2012 wrote to memory of 1764: un989412.exe -> rk999253.exe
- PID 2012 wrote to memory of 1764: un989412.exe -> rk999253.exe
- PID 2012 wrote to memory of 1764: un989412.exe -> rk999253.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\6ebf9d9e3649871c4ae2541134bf1d61c40be5108fb64b595ca735a0e5a54619N.exe (PID 2592)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6ebf9d9e3649871c4ae2541134bf1d61c40be5108fb64b595ca735a0e5a54619N.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un989412.exe (PID 2012)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un989412.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\33226964.exe (PID 4056)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\33226964.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 2552)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 1080
        - Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk999253.exe (PID 1764)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk999253.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 972)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4056 -ip 4056
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Filesize: 592KB
  MD5: 97b96a866640b16db4b65993ebe09f62
  SHA1: 93048dbaffea3e94fa8a1b0bc3708ed246cfa2a4
  SHA256: ba199dfc045d227a2fa1359c526cd2ec4b249369f073b980e84e3e78b0045a1e
  SHA512: e637f9a76f875e037544ba9c683afa1e7011aeb0b15713372d2014db01cc0784c63e1dce47889415739133d7e5e6f4b27babdccb57df0cf24ab25d86ed096ff1
- Filesize: 377KB
  MD5: 434612c69358d162011f6b8cd9984f09
  SHA1: 53871bec34652ad3c6fb3210efe8856c8cb9c3a7
  SHA256: 2d42eec532a668dd444169fda32fded6e19f5b897e62a20c412a010e0bdfbda5
  SHA512: 1b97160334fa87e12dec284b2cc32516192972bcedeaeeb9028634a4e01e2a77b5afe6e8163a95c6232346dacdded1ec2ac5194ee0c08fe5cb1b3083bf45b7a1
- Filesize: 459KB
  MD5: b30253e88d952c252eccbf9fc3de02bf
  SHA1: 7cd35d00df5cdb33117975cce0accee10d766f9b
  SHA256: 6baf71e7b56a23fccb1b4138c473f53b46df39c6d07996f5df3cec4a092feeba
  SHA512: 1e31816dce7bdc105f7a73c6634359583d94c8152d784495823071ccfb66a646471458028a57afe0a6e28e66444a2e348c7904ed743f34667d9d798c7423648b