Analysis
max time kernel: 143s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:45
Static task: static1
Behavioral task: behavioral1
Sample: 1e7abcdf7bba9dba7555b7db59997ebd962e44368ff0284bcffe846463f5750e.exe
Resource: win10v2004-20241007-en
General
Target: 1e7abcdf7bba9dba7555b7db59997ebd962e44368ff0284bcffe846463f5750e.exe
Size: 966KB
MD5: cc3c43f6e8a28c1fd4afce578bed9e3e
SHA1: 8669e49b13216db9a505855ee2b137d6b9915ab5
SHA256: 1e7abcdf7bba9dba7555b7db59997ebd962e44368ff0284bcffe846463f5750e
SHA512: ae9f3415d444cd1c3adbdc4fd128a63604ac624d099e4e155f864fe500ba941742620b02717464e2a484b87d2f1b4bc6c8b6a34c37307690d9c58d4ee82e1a44
SSDEEP: 24576:iyQgBbEfQvUIx3JE1VhNrtTc/W3GC7+w8wbi:JFEfQq1vN6/nC7+0
Malware Config
Signatures
Detects Healer an antivirus disabler dropper 17 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1216-22-0x0000000004850000-0x000000000486A000-memory.dmp | healer
behavioral1/memory/1216-24-0x0000000007150000-0x0000000007168000-memory.dmp | healer
behavioral1/memory/1216-40-0x0000000007150000-0x0000000007162000-memory.dmp | healer
behavioral1/memory/1216-28-0x0000000007150000-0x0000000007162000-memory.dmp | healer
behavioral1/memory/1216-52-0x0000000007150000-0x0000000007162000-memory.dmp | healer
behavioral1/memory/1216-50-0x0000000007150000-0x0000000007162000-memory.dmp | healer
behavioral1/memory/1216-48-0x0000000007150000-0x0000000007162000-memory.dmp | healer
behavioral1/memory/1216-46-0x0000000007150000-0x0000000007162000-memory.dmp | healer
behavioral1/memory/1216-44-0x0000000007150000-0x0000000007162000-memory.dmp | healer
behavioral1/memory/1216-42-0x0000000007150000-0x0000000007162000-memory.dmp | healer
behavioral1/memory/1216-39-0x0000000007150000-0x0000000007162000-memory.dmp | healer
behavioral1/memory/1216-36-0x0000000007150000-0x0000000007162000-memory.dmp | healer
behavioral1/memory/1216-34-0x0000000007150000-0x0000000007162000-memory.dmp | healer
behavioral1/memory/1216-32-0x0000000007150000-0x0000000007162000-memory.dmp | healer
behavioral1/memory/1216-30-0x0000000007150000-0x0000000007162000-memory.dmp | healer
behavioral1/memory/1216-26-0x0000000007150000-0x0000000007162000-memory.dmp | healer
behavioral1/memory/1216-25-0x0000000007150000-0x0000000007162000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings 6 IoCs
Processes: pr696125.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr696125.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr696125.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr696125.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr696125.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr696125.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr696125.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 20 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1208-60-0x0000000007000000-0x000000000703C000-memory.dmp | family_redline
behavioral1/memory/1208-61-0x0000000007790000-0x00000000077CA000-memory.dmp | family_redline
behavioral1/memory/1208-67-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/1208-75-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/1208-73-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/1208-71-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/1208-69-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/1208-81-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/1208-65-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/1208-63-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/1208-62-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/1208-95-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/1208-93-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/1208-91-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/1208-89-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/1208-87-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/1208-85-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/1208-83-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/1208-79-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/1208-77-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
Redline family
Executes dropped EXE 4 IoCs
Processes: un142277.exe, un682737.exe, pr696125.exe, qu772365.exe
pid | process
4544 | un142277.exe
1332 | un682737.exe
1216 | pr696125.exe
1208 | qu772365.exe
Windows security modification 2 IoCs
Processes: pr696125.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr696125.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr696125.exe
Adds Run key to start application 2 TTPs 3 IoCs
Processes: 1e7abcdf7bba9dba7555b7db59997ebd962e44368ff0284bcffe846463f5750e.exe, un142277.exe, un682737.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 1e7abcdf7bba9dba7555b7db59997ebd962e44368ff0284bcffe846463f5750e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un142277.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | un682737.exe
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
2100 | 1216 | WerFault.exe | pr696125.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 1e7abcdf7bba9dba7555b7db59997ebd962e44368ff0284bcffe846463f5750e.exe, un142277.exe, un682737.exe, pr696125.exe, qu772365.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1e7abcdf7bba9dba7555b7db59997ebd962e44368ff0284bcffe846463f5750e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un142277.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un682737.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pr696125.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu772365.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: pr696125.exe
pid | process
1216 | pr696125.exe
1216 | pr696125.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: pr696125.exe, qu772365.exe
description | pid | process
Token: SeDebugPrivilege | 1216 | pr696125.exe
Token: SeDebugPrivilege | 1208 | qu772365.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes: 1e7abcdf7bba9dba7555b7db59997ebd962e44368ff0284bcffe846463f5750e.exe, un142277.exe, un682737.exe
description | pid | process | target process
PID 2864 wrote to memory of 4544 | 2864 | 1e7abcdf7bba9dba7555b7db59997ebd962e44368ff0284bcffe846463f5750e.exe | un142277.exe
PID 2864 wrote to memory of 4544 | 2864 | 1e7abcdf7bba9dba7555b7db59997ebd962e44368ff0284bcffe846463f5750e.exe | un142277.exe
PID 2864 wrote to memory of 4544 | 2864 | 1e7abcdf7bba9dba7555b7db59997ebd962e44368ff0284bcffe846463f5750e.exe | un142277.exe
PID 4544 wrote to memory of 1332 | 4544 | un142277.exe | un682737.exe
PID 4544 wrote to memory of 1332 | 4544 | un142277.exe | un682737.exe
PID 4544 wrote to memory of 1332 | 4544 | un142277.exe | un682737.exe
PID 1332 wrote to memory of 1216 | 1332 | un682737.exe | pr696125.exe
PID 1332 wrote to memory of 1216 | 1332 | un682737.exe | pr696125.exe
PID 1332 wrote to memory of 1216 | 1332 | un682737.exe | pr696125.exe
PID 1332 wrote to memory of 1208 | 1332 | un682737.exe | qu772365.exe
PID 1332 wrote to memory of 1208 | 1332 | un682737.exe | qu772365.exe
PID 1332 wrote to memory of 1208 | 1332 | un682737.exe | qu772365.exe
Processes
C:\Users\Admin\AppData\Local\Temp\1e7abcdf7bba9dba7555b7db59997ebd962e44368ff0284bcffe846463f5750e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1e7abcdf7bba9dba7555b7db59997ebd962e44368ff0284bcffe846463f5750e.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2864
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un142277.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un142277.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4544
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un682737.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un682737.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 1332
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe
              - Modifies Windows Defender Real-time Protection settings
              - Executes dropped EXE
              - Windows security modification
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              PID: 1216
                C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1064
                  - Program crash
                  PID: 2100
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu772365.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu772365.exe
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
              PID: 1208
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1216 -ip 1216
  PID: 4352
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 706KB
MD5: 164846ad2082c35af8d719dd1b49a0e6
SHA1: 2e07a33bb23505f317e720ec2877e241ad2748b7
SHA256: 5aa2f76898818c41e2db06456ecdd98322ece486a09c561fd1b8359b8823bba6
SHA512: 3c3782ac79becd17226dfcfcc4fa509f3e9e4c78185f9a6b2635df4cd3787fcd52a9c2b2614f19be55430775a062df8709e95849a8f4ba52a7b8129535fb35b3

Filesize: 552KB
MD5: 6d5a9bd0db0c9d2720a71009f3416bbc
SHA1: 394ad5bb5ad2422c08e5c39c60bf50ef5b9a2232
SHA256: b37c1d3dff5b305a0a43273f45b1e2ff37512c8297cbbc84b338276c38ec23e2
SHA512: 4e1ee70b56e03385075aaa15b4190e3457c09bd1dca6c3dc3bcd95a6561d093b9bf18dc158a60944f8e7708ff7a8d7a35e6aee868d9545c8341429aa466fde62

Filesize: 299KB
MD5: 846591f285e04961098c5c11d20000fd
SHA1: 1c8ca3a10e0be63a99620837dc7bf6b348354acf
SHA256: 14a279e5b91a0c811af64e46e81a3567a47ad71ef2f925bc9f70abd70941d2bd
SHA512: c60cfd228e06159128430b39ba573f044acf9cb874ff4b48bef2471db617034249e0a4fa3b26af74e3f55987c61c5e02b37b39074bb311f6380d76bbd14c33cf

Filesize: 382KB
MD5: 91bbf73b496bf7085e86264edcbbdeb5
SHA1: 934b2ca9f84d68572adff3c11f42c624d78acdf2
SHA256: c2542b1ed0adf34994a9aefa49cb848f916c462b911f3331383141e3bf61cd65
SHA512: 8f6549f1eb575512677d96ac5f2656d5bbbcfb6f5d7073ffe86ba06b66a9dd25c77e351146f7936b5454e043400dd7c0ebf38df6986ab0f1e8f61dae74eef163