Analysis
max time kernel: 143s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/11/2024, 03:05
Static task: static1
Behavioral task: behavioral1
Sample: 7f6f6011244070d337f18c8865e2e5fc25049d06c1897fdc39410dc95799b327.exe
Resource: win10v2004-20241007-en
General
Target: 7f6f6011244070d337f18c8865e2e5fc25049d06c1897fdc39410dc95799b327.exe
Size: 966KB
MD5: f4e3ddeb1f53782cd0b87c4a3969a654
SHA1: 9928b68007ce01a7ef78ec279c019285d567ff3e
SHA256: 7f6f6011244070d337f18c8865e2e5fc25049d06c1897fdc39410dc95799b327
SHA512: 80a85394aef70ce3a085851695d4d5b51fe7afe575a1cdb30a04c0a7433dfe2b36d44f09d0255b324ffbf2ec802ed772b64d1896f0eb9d27714b926ad7737058
SSDEEP: 24576:7yO54caQeS701leu6rO2czsenrA8TOtKx72:uO4lSyH6kzsOrA8641
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family
Modifies Windows Defender Real-time Protection settings
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (pr863125.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (pr863125.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (pr863125.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (pr863125.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (pr863125.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (pr863125.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Redline family
Executes dropped EXE (4 IoCs)
- PID 3004: un838803.exe
- PID 2740: un147864.exe
- PID 2304: pr863125.exe
- PID 4112: qu860555.exe
Windows security modification
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (pr863125.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (pr863125.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (7f6f6011244070d337f18c8865e2e5fc25049d06c1897fdc39410dc95799b327.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un838803.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (un147864.exe)
Program crash (1 IoC)
- PID 4848 (WerFault.exe), pid_target 2304, procid_target 85
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (qu860555.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (7f6f6011244070d337f18c8865e2e5fc25049d06c1897fdc39410dc95799b327.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (un838803.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (un147864.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (pr863125.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2304: pr863125.exe
- PID 2304: pr863125.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 2304 (pr863125.exe)
- Token: SeDebugPrivilege, PID 4112 (qu860555.exe)
Suspicious use of WriteProcessMemory (12 IoCs)
- PID 5004 wrote to memory of 3004 (7f6f6011244070d337f18c8865e2e5fc25049d06c1897fdc39410dc95799b327.exe, procid_target 83)
- PID 5004 wrote to memory of 3004 (7f6f6011244070d337f18c8865e2e5fc25049d06c1897fdc39410dc95799b327.exe, procid_target 83)
- PID 5004 wrote to memory of 3004 (7f6f6011244070d337f18c8865e2e5fc25049d06c1897fdc39410dc95799b327.exe, procid_target 83)
- PID 3004 wrote to memory of 2740 (un838803.exe, procid_target 84)
- PID 3004 wrote to memory of 2740 (un838803.exe, procid_target 84)
- PID 3004 wrote to memory of 2740 (un838803.exe, procid_target 84)
- PID 2740 wrote to memory of 2304 (un147864.exe, procid_target 85)
- PID 2740 wrote to memory of 2304 (un147864.exe, procid_target 85)
- PID 2740 wrote to memory of 2304 (un147864.exe, procid_target 85)
- PID 2740 wrote to memory of 4112 (un147864.exe, procid_target 100)
- PID 2740 wrote to memory of 4112 (un147864.exe, procid_target 100)
- PID 2740 wrote to memory of 4112 (un147864.exe, procid_target 100)
Processes
C:\Users\Admin\AppData\Local\Temp\7f6f6011244070d337f18c8865e2e5fc25049d06c1897fdc39410dc95799b327.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7f6f6011244070d337f18c8865e2e5fc25049d06c1897fdc39410dc95799b327.exe"
    PID: 5004
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un838803.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un838803.exe
        PID: 3004
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un147864.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un147864.exe
            PID: 2740
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr863125.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr863125.exe
                PID: 2304
                - Modifies Windows Defender Real-time Protection settings
                - Executes dropped EXE
                - Windows security modification
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                C:\Windows\SysWOW64\WerFault.exe
                    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1080
                    PID: 4848
                    - Program crash
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu860555.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu860555.exe
                PID: 4112
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2304 -ip 2304
    PID: 3916
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
    - Windows Service (1)
Downloads
Filesize: 706KB
MD5: b0d99d9b7affd14772ae17187b083f87
SHA1: 1efbc3cd84d1750b5277ee27d0ff09e5b2d1a676
SHA256: fba0e2f0650b317f0c34bb69a77f104a045fefc7d813d1566918ee42ac83cca6
SHA512: 20539aa98fea60d12e169803a63c2f40f79bf7ff06edb4e79fb174c7abfa87767300ae5a3fb8982f5c8a07f863ef6187e815b6722d713322f75a8ebfaa50d500

Filesize: 552KB
MD5: 2afd353f1c65f3ef24f9f53ca1c31bd8
SHA1: e71abc0fc3f263edf60170184e67c1c7e9a792d4
SHA256: 3b35378c348fd70cae4463a0e86ff98b4201593dcc4e6e517f4e39b991d18413
SHA512: f18ef1da522ac606f57be275b1c48d9dbef72fe9a64eb633967d5ddacabd6c49b6ad5ae9eec08fbd274850f969f39aea196e92d5addcb5542c7a2e358d591abd

Filesize: 299KB
MD5: e689c35ff590bdc0f623384c59e6ac2d
SHA1: b3153ed1584105b60984616a3ccd81433413b936
SHA256: e4908ec29b1e70e744e6c1bb0f03d4c7e13fdd6f362f76ec511ec560fb1e06ab
SHA512: 79bfadfcdf57fb7c639f836172e20aa6e3e788f837868f694243d71dd75dc5429df98a9b515450ffd110122fe45892961be77c399f9a4d15409e7f3a75850a9f

Filesize: 382KB
MD5: 2edd4af48745235506dae16413ba52ab
SHA1: 1412594f6a94337a1217a99652d8338e65551ce5
SHA256: 830e75db80b45010ee40db46938f64f8fde0105bb44ba8e094c44333674e8207
SHA512: 8f53a41572d6b3a2d503f58db127abbae2949ad80983fcc0833f6bb1ddfc9f44d79fdea3e18977014b1e20b685dd30fd495b581d2e56174ae9949cf73563f7bd