Analysis
max time kernel: 139s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/11/2024, 03:42
Static task: static1
Behavioral task: behavioral1
Sample: ae388559b711c73041590e5cef681969828abc52e653387d333f0612a486b8d8.exe
Resource: win10v2004-20241007-en
General
Target: ae388559b711c73041590e5cef681969828abc52e653387d333f0612a486b8d8.exe
Size: 1.5MB
MD5: 2e942f6cc58995657cc8c46e7a26e106
SHA1: f0ef3ee90fc16151867875b46e88e1fede473615
SHA256: ae388559b711c73041590e5cef681969828abc52e653387d333f0612a486b8d8
SHA512: 56263e1a09d2967ce72910ad3d1c7f00aa287be8374165ea3806f49effc1ff0d5d72805525acf87cf6631f39738de1c206a98d5a986dc8093249a5363667adcd
SSDEEP: 24576:XyazzDvgvFZH/H0PG96rx/MyFOfLKocF0Ee1zdllBsrzunR/5vp6dhcLZ:iaPDvWjf8VbEfhEe1z/3Qzk/5vpwcL
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper 17 IoCs
resource | yara_rule
behavioral1/memory/1404-36-0x00000000024D0000-0x00000000024EA000-memory.dmp | healer
behavioral1/memory/1404-38-0x0000000002780000-0x0000000002798000-memory.dmp | healer
behavioral1/memory/1404-48-0x0000000002780000-0x0000000002792000-memory.dmp | healer
behavioral1/memory/1404-66-0x0000000002780000-0x0000000002792000-memory.dmp | healer
behavioral1/memory/1404-64-0x0000000002780000-0x0000000002792000-memory.dmp | healer
behavioral1/memory/1404-62-0x0000000002780000-0x0000000002792000-memory.dmp | healer
behavioral1/memory/1404-61-0x0000000002780000-0x0000000002792000-memory.dmp | healer
behavioral1/memory/1404-58-0x0000000002780000-0x0000000002792000-memory.dmp | healer
behavioral1/memory/1404-56-0x0000000002780000-0x0000000002792000-memory.dmp | healer
behavioral1/memory/1404-54-0x0000000002780000-0x0000000002792000-memory.dmp | healer
behavioral1/memory/1404-52-0x0000000002780000-0x0000000002792000-memory.dmp | healer
behavioral1/memory/1404-50-0x0000000002780000-0x0000000002792000-memory.dmp | healer
behavioral1/memory/1404-46-0x0000000002780000-0x0000000002792000-memory.dmp | healer
behavioral1/memory/1404-44-0x0000000002780000-0x0000000002792000-memory.dmp | healer
behavioral1/memory/1404-42-0x0000000002780000-0x0000000002792000-memory.dmp | healer
behavioral1/memory/1404-40-0x0000000002780000-0x0000000002792000-memory.dmp | healer
behavioral1/memory/1404-39-0x0000000002780000-0x0000000002792000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | a5961201.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a5961201.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a5961201.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a5961201.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a5961201.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a5961201.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 2 IoCs
resource | yara_rule
behavioral1/files/0x0007000000023c8c-71.dat | family_redline
behavioral1/memory/3640-73-0x00000000006D0000-0x00000000006F8000-memory.dmp | family_redline
Redline family
Executes dropped EXE 6 IoCs
pid | Process
3924 | v0298957.exe
3752 | v0991080.exe
4188 | v6827553.exe
2388 | v0163979.exe
1404 | a5961201.exe
3640 | b4206979.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | a5961201.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | a5961201.exe
Adds Run key to start application 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v6827553.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | v0163979.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ae388559b711c73041590e5cef681969828abc52e653387d333f0612a486b8d8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v0298957.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v0991080.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
1616 | 1404 | WerFault.exe | 90
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b4206979.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ae388559b711c73041590e5cef681969828abc52e653387d333f0612a486b8d8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v0298957.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v0991080.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v6827553.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v0163979.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a5961201.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1404 | a5961201.exe
1404 | a5961201.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1404 | a5961201.exe
Suspicious use of WriteProcessMemory 18 IoCs
description | pid | Process | procid_target
PID 2964 wrote to memory of 3924 | 2964 | ae388559b711c73041590e5cef681969828abc52e653387d333f0612a486b8d8.exe | 85
PID 2964 wrote to memory of 3924 | 2964 | ae388559b711c73041590e5cef681969828abc52e653387d333f0612a486b8d8.exe | 85
PID 2964 wrote to memory of 3924 | 2964 | ae388559b711c73041590e5cef681969828abc52e653387d333f0612a486b8d8.exe | 85
PID 3924 wrote to memory of 3752 | 3924 | v0298957.exe | 87
PID 3924 wrote to memory of 3752 | 3924 | v0298957.exe | 87
PID 3924 wrote to memory of 3752 | 3924 | v0298957.exe | 87
PID 3752 wrote to memory of 4188 | 3752 | v0991080.exe | 88
PID 3752 wrote to memory of 4188 | 3752 | v0991080.exe | 88
PID 3752 wrote to memory of 4188 | 3752 | v0991080.exe | 88
PID 4188 wrote to memory of 2388 | 4188 | v6827553.exe | 89
PID 4188 wrote to memory of 2388 | 4188 | v6827553.exe | 89
PID 4188 wrote to memory of 2388 | 4188 | v6827553.exe | 89
PID 2388 wrote to memory of 1404 | 2388 | v0163979.exe | 90
PID 2388 wrote to memory of 1404 | 2388 | v0163979.exe | 90
PID 2388 wrote to memory of 1404 | 2388 | v0163979.exe | 90
PID 2388 wrote to memory of 3640 | 2388 | v0163979.exe | 98
PID 2388 wrote to memory of 3640 | 2388 | v0163979.exe | 98
PID 2388 wrote to memory of 3640 | 2388 | v0163979.exe | 98
Processes
C:\Users\Admin\AppData\Local\Temp\ae388559b711c73041590e5cef681969828abc52e653387d333f0612a486b8d8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ae388559b711c73041590e5cef681969828abc52e653387d333f0612a486b8d8.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2964
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0298957.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0298957.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3924
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0991080.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0991080.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3752
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6827553.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6827553.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 4188
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0163979.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0163979.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 2388
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5961201.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5961201.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1404
            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 1080
              - Program crash
              PID: 1616
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4206979.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4206979.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 3640
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1404 -ip 1404
  PID: 4392
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 1.4MB
MD5: c5b9e4833b83471eb13cfb2d38bd19e9
SHA1: 852e1302285b2c9ed108eb4463083ee084b7e64e
SHA256: b96f6dcdc7becc043cc7d11196cff92475c275835803ec743db5790507680b95
SHA512: 70586407ceef2d631309b61d542f40c17438d5e893bf6d51cad507210d0983050114df459c8b8689471be7c75270079b277ad7d27456f0eb419a8e79ed0b42cc

Filesize: 911KB
MD5: 27afa2d783ac422b0f4ecf5328fd3d25
SHA1: aca524a69f3d554b7818d2307e287fa0b75c7770
SHA256: 85b04b6e984397b29e6876b6f457928faef9bc542057f5be85eea19616823419
SHA512: 00d2c9db205c90e89ff42894ff1922823a01c191b86f2f6d0295809259b19d7b56d39a0c3c7ea193d3555aeabe7150c6bf70306d552e81bd7d24129919470498

Filesize: 707KB
MD5: 949fdb52ba681b128271693003332ae6
SHA1: 19b442f2141e588709ad417e64c3736e43f5075a
SHA256: e9a947baa4bce2b22ca9deafb3cc6aef66c984d5c39a0b7900c7598356cb445a
SHA512: 0f537ac37e5370138b9b85675bada19ad10679cfbf56e1e2dc63ff62b4f2270a08a60dd371b21707d68d2d4e8b45241c2b71693b5ffbcc9efd7f1ac0d2346d75

Filesize: 416KB
MD5: 317cb3a6e32a5d75f5f668776ede82c5
SHA1: efd29a6e93859dff257ca0a300cac5f0563fb12c
SHA256: 71d12500798d38119139d1677de7ebf12fce1ccd7cf9d0f4d72fc833da55be68
SHA512: 430f21559344b233110cac76d4b4d8ac4a14f371ea26dcf70c7709a158a5eda1feea799be7ca06c85585f34634c09f8018d5203d12e30d50f6844a60c54cb013

Filesize: 360KB
MD5: a1aad20f88335977d3f603dd7a864191
SHA1: abd7aae69b0b77afad699495730a343c2182bfad
SHA256: ff9bbc88c94b796a9947c25b7c3c64f662bfc1d20de943482e7418400d03d459
SHA512: 93779f75def6a262d774f7ca51fbd505eb5e258c69b8ee0cbebadfdb12ec9dbb597969529d69e22d1ec4733181980ecabdaa5d7f4a9d4e6b3d2fe55821511379

Filesize: 136KB
MD5: 9b06d0e1fdaa5398aad108c6e68fdbb9
SHA1: 8e5d0b1b3faa675a238b2c44157e9ebf74489c93
SHA256: 7ca183bb42b19bd975df32550834e168fda08c51a4554ffb003d1975c45eeab7
SHA512: 4313359f663f627d93db4955aee0fb2bae68771418a2b7ce2015ce1dc75e8d450354012c8a1bd547344dcc49bbabbd08293fb8a6c2d3ff5539be121e57e4bc59