Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-11-2024 01:45

General

  • Target

    60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39.exe

  • Size

    691KB

  • MD5

    7c3275409a3c421c4c64c84557d0369e

  • SHA1

    040731069fd061021fd8b3a0cb0531eed1824492

  • SHA256

    60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39

  • SHA512

    0e12ae1e1c7c8a3bd040ab215d6a4129898b8a356981a68e808bed17ad101c821bba6fcc5a1295d2b89a2fde2282542b633f062ea309b578268d24a47da0ab80

  • SSDEEP

    12288:Dy90PWUJi5+BLKRv4AdCYcmrIlzyesue2Q7wVgANBZSSr4b5PKq:DyQWZyk4XtJyxt2iANeSkb5Pd

Malware Config

Signatures

  • Detects Healer, an antivirus disabler dropper 17 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Healer family
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 20 IoCs
  • Redline family
  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39.exe
    "C:\Users\Admin\AppData\Local\Temp\60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4244
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un851024.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un851024.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1820
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1112
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 1080
          4⤵
          • Program crash
          PID:3304
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5064
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1496
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si636532.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si636532.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2160
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1112 -ip 1112
    1⤵
    PID:2412

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si636532.exe

      Filesize

      136KB

      MD5

      e1c805d3cefe221689da30b8a2d944f2

      SHA1

      a9a94fd89ed22c2a127c81f6e57f822eae1d9f26

      SHA256

      32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a

      SHA512

      7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un851024.exe

      Filesize

      537KB

      MD5

      923dd840d11ad83a7b8a0aa0ec580bd9

      SHA1

      998c072ba8715c67129b0d4c2e47402b316778ab

      SHA256

      2ee4de028dbab8107c78417ed2820c7938a19b036a4ac19ffe323b4bf121f8f2

      SHA512

      487e6e25cc437077e42f3c138f216d5956e8d26152d03bda268f6afe606be64585dd39f45dbbd117ad3a6aeb027466a77b1203b9d2291a5c8c3e1e99c6f62a15

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe

      Filesize

      259KB

      MD5

      e316c2de777d55b98eb76fa4b278de7f

      SHA1

      11cac13b2850abeef8d1d359f24fb7865173f6dd

      SHA256

      bc3e53579b9cde6683fa8d45c6e62e53c6c337e9f0f44ff7808ab58474060c17

      SHA512

      ef9c8ea766877b8ae7413d17d565a6a43af6f641fe8e344a0036cd8eb0ac060a3a98c7ce7aa21ffdd7242b4b44d187ab64e966d7af4e50db58bc64d21d6e4104

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe

      Filesize

      342KB

      MD5

      bf70b37bcbd0f719e03a982c6c588d77

      SHA1

      32a932047845ebe2a8a2b22d48dc2af192a18d91

      SHA256

      17ed923cb1e879ec89be82253dbfda9a6d14d4f1272706bd340f589df2874279

      SHA512

      27e03eabf35e3c507fb943b4953e1919c386ef986683d81e650a0dda5185907eb032e1acb3fa493f8e768b36439ddf61e2cfea76979d001c4986a609f588e0bd

    • memory/1112-55-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

    • memory/1112-16-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

    • memory/1112-19-0x0000000002330000-0x000000000234A000-memory.dmp

      Filesize

      104KB

    • memory/1112-20-0x00000000049A0000-0x0000000004F44000-memory.dmp

      Filesize

      5.6MB

    • memory/1112-21-0x0000000004FB0000-0x0000000004FC8000-memory.dmp

      Filesize

      96KB

    • memory/1112-22-0x0000000004FB0000-0x0000000004FC3000-memory.dmp

      Filesize

      76KB

    • memory/1112-49-0x0000000004FB0000-0x0000000004FC3000-memory.dmp

      Filesize

      76KB

    • memory/1112-47-0x0000000004FB0000-0x0000000004FC3000-memory.dmp

      Filesize

      76KB

    • memory/1112-46-0x0000000004FB0000-0x0000000004FC3000-memory.dmp

      Filesize

      76KB

    • memory/1112-44-0x0000000004FB0000-0x0000000004FC3000-memory.dmp

      Filesize

      76KB

    • memory/1112-41-0x0000000004FB0000-0x0000000004FC3000-memory.dmp

      Filesize

      76KB

    • memory/1112-40-0x0000000004FB0000-0x0000000004FC3000-memory.dmp

      Filesize

      76KB

    • memory/1112-37-0x0000000004FB0000-0x0000000004FC3000-memory.dmp

      Filesize

      76KB

    • memory/1112-35-0x0000000004FB0000-0x0000000004FC3000-memory.dmp

      Filesize

      76KB

    • memory/1112-33-0x0000000004FB0000-0x0000000004FC3000-memory.dmp

      Filesize

      76KB

    • memory/1112-31-0x0000000004FB0000-0x0000000004FC3000-memory.dmp

      Filesize

      76KB

    • memory/1112-29-0x0000000004FB0000-0x0000000004FC3000-memory.dmp

      Filesize

      76KB

    • memory/1112-27-0x0000000004FB0000-0x0000000004FC3000-memory.dmp

      Filesize

      76KB

    • memory/1112-25-0x0000000004FB0000-0x0000000004FC3000-memory.dmp

      Filesize

      76KB

    • memory/1112-23-0x0000000004FB0000-0x0000000004FC3000-memory.dmp

      Filesize

      76KB

    • memory/1112-50-0x0000000000480000-0x0000000000580000-memory.dmp

      Filesize

      1024KB

    • memory/1112-51-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

    • memory/1112-54-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

    • memory/1112-17-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

    • memory/1112-15-0x0000000000480000-0x0000000000580000-memory.dmp

      Filesize

      1024KB

    • memory/1112-18-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

    • memory/1496-71-0x0000000004A50000-0x0000000004A85000-memory.dmp

      Filesize

      212KB

    • memory/1496-89-0x0000000004A50000-0x0000000004A85000-memory.dmp

      Filesize

      212KB

    • memory/1496-60-0x0000000000400000-0x0000000000449000-memory.dmp

      Filesize

      292KB

    • memory/1496-70-0x0000000004A50000-0x0000000004A8A000-memory.dmp

      Filesize

      232KB

    • memory/1496-62-0x0000000000400000-0x0000000000449000-memory.dmp

      Filesize

      292KB

    • memory/1496-64-0x0000000000400000-0x0000000000449000-memory.dmp

      Filesize

      292KB

    • memory/1496-72-0x0000000004A50000-0x0000000004A85000-memory.dmp

      Filesize

      212KB

    • memory/1496-100-0x0000000004A50000-0x0000000004A85000-memory.dmp

      Filesize

      212KB

    • memory/1496-98-0x0000000004A50000-0x0000000004A85000-memory.dmp

      Filesize

      212KB

    • memory/1496-96-0x0000000004A50000-0x0000000004A85000-memory.dmp

      Filesize

      212KB

    • memory/1496-95-0x0000000004A50000-0x0000000004A85000-memory.dmp

      Filesize

      212KB

    • memory/1496-92-0x0000000004A50000-0x0000000004A85000-memory.dmp

      Filesize

      212KB

    • memory/1496-90-0x0000000004A50000-0x0000000004A85000-memory.dmp

      Filesize

      212KB

    • memory/1496-68-0x00000000021F0000-0x000000000222C000-memory.dmp

      Filesize

      240KB

    • memory/1496-86-0x0000000004A50000-0x0000000004A85000-memory.dmp

      Filesize

      212KB

    • memory/1496-84-0x0000000004A50000-0x0000000004A85000-memory.dmp

      Filesize

      212KB

    • memory/1496-82-0x0000000004A50000-0x0000000004A85000-memory.dmp

      Filesize

      212KB

    • memory/1496-80-0x0000000004A50000-0x0000000004A85000-memory.dmp

      Filesize

      212KB

    • memory/1496-78-0x0000000004A50000-0x0000000004A85000-memory.dmp

      Filesize

      212KB

    • memory/1496-76-0x0000000004A50000-0x0000000004A85000-memory.dmp

      Filesize

      212KB

    • memory/1496-74-0x0000000004A50000-0x0000000004A85000-memory.dmp

      Filesize

      212KB

    • memory/2160-713-0x0000000007C30000-0x0000000007C6C000-memory.dmp

      Filesize

      240KB

    • memory/2160-282-0x0000000008160000-0x0000000008778000-memory.dmp

      Filesize

      6.1MB

    • memory/2160-465-0x0000000007D00000-0x0000000007E0A000-memory.dmp

      Filesize

      1.0MB

    • memory/2160-69-0x0000000000E70000-0x0000000000E98000-memory.dmp

      Filesize

      160KB

    • memory/2160-464-0x0000000007BD0000-0x0000000007BE2000-memory.dmp

      Filesize

      72KB

    • memory/2160-867-0x0000000005070000-0x00000000050BC000-memory.dmp

      Filesize

      304KB