Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/11/2024, 03:41
Static task: static1
Behavioral task: behavioral1
Sample: 38ae930110977257e88de1a479cf65e5476f3304c9cc6c76b1628552fa4b42e4.exe
Resource: win10v2004-20241007-en
General
Target: 38ae930110977257e88de1a479cf65e5476f3304c9cc6c76b1628552fa4b42e4.exe
Size: 1.0MB
MD5: 5b7d6ada26f489ce960f68dfb7ea18ac
SHA1: 5c994563ea95af4574afc0cad8c2dbf92c9b5475
SHA256: 38ae930110977257e88de1a479cf65e5476f3304c9cc6c76b1628552fa4b42e4
SHA512: 63e2e8e308d9710785df33b3c6672b28d99941077e32885fa815cb73bd8de35921f0fd5cdcc9aee5a659c2c8cdc68af62659c7a58e1e5df4e308d786062a739f
SSDEEP: 24576:lyY7soFIaX0+zm1Vhv9LSudK72BQ+kS1mNNb6:AzoHXTy1PXZB3mb
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/3380-23-0x0000000002670000-0x000000000268A000-memory.dmp healer behavioral1/memory/3380-25-0x0000000004DC0000-0x0000000004DD8000-memory.dmp healer behavioral1/memory/3380-53-0x0000000004DC0000-0x0000000004DD2000-memory.dmp healer behavioral1/memory/3380-51-0x0000000004DC0000-0x0000000004DD2000-memory.dmp healer behavioral1/memory/3380-49-0x0000000004DC0000-0x0000000004DD2000-memory.dmp healer behavioral1/memory/3380-47-0x0000000004DC0000-0x0000000004DD2000-memory.dmp healer behavioral1/memory/3380-45-0x0000000004DC0000-0x0000000004DD2000-memory.dmp healer behavioral1/memory/3380-43-0x0000000004DC0000-0x0000000004DD2000-memory.dmp healer behavioral1/memory/3380-41-0x0000000004DC0000-0x0000000004DD2000-memory.dmp healer behavioral1/memory/3380-39-0x0000000004DC0000-0x0000000004DD2000-memory.dmp healer behavioral1/memory/3380-37-0x0000000004DC0000-0x0000000004DD2000-memory.dmp healer behavioral1/memory/3380-35-0x0000000004DC0000-0x0000000004DD2000-memory.dmp healer behavioral1/memory/3380-33-0x0000000004DC0000-0x0000000004DD2000-memory.dmp healer behavioral1/memory/3380-31-0x0000000004DC0000-0x0000000004DD2000-memory.dmp healer behavioral1/memory/3380-29-0x0000000004DC0000-0x0000000004DD2000-memory.dmp healer behavioral1/memory/3380-27-0x0000000004DC0000-0x0000000004DD2000-memory.dmp healer behavioral1/memory/3380-26-0x0000000004DC0000-0x0000000004DD2000-memory.dmp healer -
Healer family

Modifies Windows Defender Real-time Protection settings
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (pr326821.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (pr326821.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (pr326821.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (pr326821.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (pr326821.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (pr326821.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource yara_rule behavioral1/memory/896-62-0x00000000026A0000-0x00000000026DC000-memory.dmp family_redline behavioral1/memory/896-63-0x00000000028A0000-0x00000000028DA000-memory.dmp family_redline behavioral1/memory/896-81-0x00000000028A0000-0x00000000028D5000-memory.dmp family_redline behavioral1/memory/896-79-0x00000000028A0000-0x00000000028D5000-memory.dmp family_redline behavioral1/memory/896-97-0x00000000028A0000-0x00000000028D5000-memory.dmp family_redline behavioral1/memory/896-95-0x00000000028A0000-0x00000000028D5000-memory.dmp family_redline behavioral1/memory/896-93-0x00000000028A0000-0x00000000028D5000-memory.dmp family_redline behavioral1/memory/896-91-0x00000000028A0000-0x00000000028D5000-memory.dmp family_redline behavioral1/memory/896-89-0x00000000028A0000-0x00000000028D5000-memory.dmp family_redline behavioral1/memory/896-87-0x00000000028A0000-0x00000000028D5000-memory.dmp family_redline behavioral1/memory/896-85-0x00000000028A0000-0x00000000028D5000-memory.dmp family_redline behavioral1/memory/896-83-0x00000000028A0000-0x00000000028D5000-memory.dmp family_redline behavioral1/memory/896-77-0x00000000028A0000-0x00000000028D5000-memory.dmp family_redline behavioral1/memory/896-76-0x00000000028A0000-0x00000000028D5000-memory.dmp family_redline behavioral1/memory/896-73-0x00000000028A0000-0x00000000028D5000-memory.dmp family_redline behavioral1/memory/896-71-0x00000000028A0000-0x00000000028D5000-memory.dmp family_redline behavioral1/memory/896-70-0x00000000028A0000-0x00000000028D5000-memory.dmp family_redline behavioral1/memory/896-67-0x00000000028A0000-0x00000000028D5000-memory.dmp family_redline behavioral1/memory/896-65-0x00000000028A0000-0x00000000028D5000-memory.dmp family_redline behavioral1/memory/896-64-0x00000000028A0000-0x00000000028D5000-memory.dmp family_redline -
Redline family

Executes dropped EXE 4 IoCs
- PID 4108: un554942.exe
- PID 4700: un778518.exe
- PID 3380: pr326821.exe
- PID 896: qu566720.exe

Windows security modification
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (pr326821.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (pr326821.exe)
Adds Run key to start application 2 TTPs 3 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (38ae930110977257e88de1a479cf65e5476f3304c9cc6c76b1628552fa4b42e4.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un554942.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (un778518.exe)

Program crash 1 IoCs
- PID 3416 WerFault.exe, target PID 3380 (procid_target 87)
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (pr326821.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (qu566720.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (38ae930110977257e88de1a479cf65e5476f3304c9cc6c76b1628552fa4b42e4.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (un554942.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (un778518.exe)

Suspicious behavior: EnumeratesProcesses 2 IoCs
- PID 3380 pr326821.exe
- PID 3380 pr326821.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
- Token: SeDebugPrivilege, PID 3380 pr326821.exe
- Token: SeDebugPrivilege, PID 896 qu566720.exe

Suspicious use of WriteProcessMemory 12 IoCs
- PID 1744 wrote to memory of 4108 (38ae930110977257e88de1a479cf65e5476f3304c9cc6c76b1628552fa4b42e4.exe, procid_target 83)
- PID 1744 wrote to memory of 4108 (38ae930110977257e88de1a479cf65e5476f3304c9cc6c76b1628552fa4b42e4.exe, procid_target 83)
- PID 1744 wrote to memory of 4108 (38ae930110977257e88de1a479cf65e5476f3304c9cc6c76b1628552fa4b42e4.exe, procid_target 83)
- PID 4108 wrote to memory of 4700 (un554942.exe, procid_target 85)
- PID 4108 wrote to memory of 4700 (un554942.exe, procid_target 85)
- PID 4108 wrote to memory of 4700 (un554942.exe, procid_target 85)
- PID 4700 wrote to memory of 3380 (un778518.exe, procid_target 87)
- PID 4700 wrote to memory of 3380 (un778518.exe, procid_target 87)
- PID 4700 wrote to memory of 3380 (un778518.exe, procid_target 87)
- PID 4700 wrote to memory of 896 (un778518.exe, procid_target 99)
- PID 4700 wrote to memory of 896 (un778518.exe, procid_target 99)
- PID 4700 wrote to memory of 896 (un778518.exe, procid_target 99)
Processes
- C:\Users\Admin\AppData\Local\Temp\38ae930110977257e88de1a479cf65e5476f3304c9cc6c76b1628552fa4b42e4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\38ae930110977257e88de1a479cf65e5476f3304c9cc6c76b1628552fa4b42e4.exe"
  Depth: 1, PID: 1744
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un554942.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un554942.exe
    Depth: 2, PID: 4108
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un778518.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un778518.exe
      Depth: 3, PID: 4700
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr326821.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr326821.exe
        Depth: 4, PID: 3380
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 1004
          Depth: 5, PID: 3416
          - Program crash
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu566720.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu566720.exe
        Depth: 4, PID: 896
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3380 -ip 3380
  Depth: 1, PID: 5068
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Filesize: 749KB
  MD5: d28c4f7bbc788b2f8effd7fbddeef15d
  SHA1: 51f5eb8149a88595ba6e084a3574aa3f6a1f5b11
  SHA256: 4cee053d392c59907fe76f6d0277391b28e324f17c89a4b55503834267163305
  SHA512: 517c4804cd35087c4ff1cece07a81d08ceda3d9f816d8df262f9f96376bc1d848c93174d2c4236c3d397556e7355653e972d5a3109466404b50372f4a4761c01
- Filesize: 595KB
  MD5: 8759039391035df30da8cd75c305307c
  SHA1: 044a830f05c4adcf0ce86bf33b03246e957e1cee
  SHA256: e1ed41ad27d925a5887a8bb6cc80959d8767427e1dc41eab2f9cff8794fb3338
  SHA512: e447de0c1c6e755f57230cfa1dcf88ac0952bc9a71bf1fa3b048b290690253644ec1ad621db9dc20950b831a116dcba83fd4a3506e50451230a508ff108cd372
- Filesize: 389KB
  MD5: 2bb7e9da9631080e359431a567565675
  SHA1: 60077774f847ccdfcc46a485e118fc4325421b1c
  SHA256: 68e8ee5a423ae783688360bf7a76198452ce34d2c8a826017466594c821f8da6
  SHA512: b0ae4dadeb0e1cfffaf2193e4947b7cfc525a6f3ebd53f7e31f8b05021c9add71f7c3443eb306735c3ea51e051e47a9dab0fd5005a21717c8bea1f66fa26609b
- Filesize: 472KB
  MD5: 288d4bd9e3a8f1eae58b998b5bda3504
  SHA1: 2bb4cc60b52a76dcce3f00b18f473b72c52fdf81
  SHA256: eb99ac830671d660762ee01292487ea7d24e2e84bd95c0e90c2c2e23b16fb72c
  SHA512: 0d6dd85946c8d3feff0eaae4fcd3035367c3b5931d2412cd086a2398e529284e6ee5d190a74d162c879102bd6d677f902cc8976da1597026500709b97a3b1941