Analysis

max time kernel: 143s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/11/2024, 03:23

Static task: static1
Behavioral task: behavioral1
Sample: 21afe0c3c050f685a2cc2f3bd89685b229eefc58b41f3fcc404a40bd12e416d4.exe
Resource: win10v2004-20241007-en
General

Target: 21afe0c3c050f685a2cc2f3bd89685b229eefc58b41f3fcc404a40bd12e416d4.exe
Size: 965KB
MD5: dcb0cba6e3be026819f06652b0b58ef1
SHA1: f2e7335dbe80b6e2b87bbf3eb1897957cb49482f
SHA256: 21afe0c3c050f685a2cc2f3bd89685b229eefc58b41f3fcc404a40bd12e416d4
SHA512: 7cdd2f49436926823f89a63b755947f0cd0c7dfab9f25df3536c0b6fd36074a8a8142ec641e395a56e8d5b9006e33db79f9e0238d708f6b248d7f9017747769d
SSDEEP: 24576:4yFExCSdehRvhWC23LvEtiUIXi0R4aGSI:/FEIDgn3LMtiUgGXS
Malware Config
Signatures
Detects Healer an antivirus disabler dropper (17 IoCs)

resource | yara_rule
behavioral1/memory/428-22-0x00000000048A0000-0x00000000048BA000-memory.dmp | healer
behavioral1/memory/428-24-0x0000000004E00000-0x0000000004E18000-memory.dmp | healer
behavioral1/memory/428-25-0x0000000004E00000-0x0000000004E12000-memory.dmp | healer
behavioral1/memory/428-52-0x0000000004E00000-0x0000000004E12000-memory.dmp | healer
behavioral1/memory/428-50-0x0000000004E00000-0x0000000004E12000-memory.dmp | healer
behavioral1/memory/428-46-0x0000000004E00000-0x0000000004E12000-memory.dmp | healer
behavioral1/memory/428-44-0x0000000004E00000-0x0000000004E12000-memory.dmp | healer
behavioral1/memory/428-42-0x0000000004E00000-0x0000000004E12000-memory.dmp | healer
behavioral1/memory/428-40-0x0000000004E00000-0x0000000004E12000-memory.dmp | healer
behavioral1/memory/428-39-0x0000000004E00000-0x0000000004E12000-memory.dmp | healer
behavioral1/memory/428-36-0x0000000004E00000-0x0000000004E12000-memory.dmp | healer
behavioral1/memory/428-34-0x0000000004E00000-0x0000000004E12000-memory.dmp | healer
behavioral1/memory/428-32-0x0000000004E00000-0x0000000004E12000-memory.dmp | healer
behavioral1/memory/428-30-0x0000000004E00000-0x0000000004E12000-memory.dmp | healer
behavioral1/memory/428-29-0x0000000004E00000-0x0000000004E12000-memory.dmp | healer
behavioral1/memory/428-26-0x0000000004E00000-0x0000000004E12000-memory.dmp | healer
behavioral1/memory/428-48-0x0000000004E00000-0x0000000004E12000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr428109.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr428109.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr428109.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr428109.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr428109.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr428109.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)

resource | yara_rule
behavioral1/memory/4604-60-0x0000000007120000-0x000000000715C000-memory.dmp | family_redline
behavioral1/memory/4604-61-0x0000000007760000-0x000000000779A000-memory.dmp | family_redline
behavioral1/memory/4604-71-0x0000000007760000-0x0000000007795000-memory.dmp | family_redline
behavioral1/memory/4604-83-0x0000000007760000-0x0000000007795000-memory.dmp | family_redline
behavioral1/memory/4604-95-0x0000000007760000-0x0000000007795000-memory.dmp | family_redline
behavioral1/memory/4604-91-0x0000000007760000-0x0000000007795000-memory.dmp | family_redline
behavioral1/memory/4604-89-0x0000000007760000-0x0000000007795000-memory.dmp | family_redline
behavioral1/memory/4604-87-0x0000000007760000-0x0000000007795000-memory.dmp | family_redline
behavioral1/memory/4604-85-0x0000000007760000-0x0000000007795000-memory.dmp | family_redline
behavioral1/memory/4604-81-0x0000000007760000-0x0000000007795000-memory.dmp | family_redline
behavioral1/memory/4604-79-0x0000000007760000-0x0000000007795000-memory.dmp | family_redline
behavioral1/memory/4604-77-0x0000000007760000-0x0000000007795000-memory.dmp | family_redline
behavioral1/memory/4604-75-0x0000000007760000-0x0000000007795000-memory.dmp | family_redline
behavioral1/memory/4604-73-0x0000000007760000-0x0000000007795000-memory.dmp | family_redline
behavioral1/memory/4604-69-0x0000000007760000-0x0000000007795000-memory.dmp | family_redline
behavioral1/memory/4604-67-0x0000000007760000-0x0000000007795000-memory.dmp | family_redline
behavioral1/memory/4604-93-0x0000000007760000-0x0000000007795000-memory.dmp | family_redline
behavioral1/memory/4604-65-0x0000000007760000-0x0000000007795000-memory.dmp | family_redline
behavioral1/memory/4604-63-0x0000000007760000-0x0000000007795000-memory.dmp | family_redline
behavioral1/memory/4604-62-0x0000000007760000-0x0000000007795000-memory.dmp | family_redline
Redline family
Executes dropped EXE (4 IoCs)

pid | Process
1040 | un590995.exe
5088 | un835502.exe
428 | pr428109.exe
4604 | qu505244.exe

Windows security modification

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr428109.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr428109.exe
Adds Run key to start application (2 TTPs, 3 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 21afe0c3c050f685a2cc2f3bd89685b229eefc58b41f3fcc404a40bd12e416d4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un590995.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | un835502.exe

Program crash (1 IoC)

pid | pid_target | Process | procid_target
4956 | 428 | WerFault.exe | 85
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 21afe0c3c050f685a2cc2f3bd89685b229eefc58b41f3fcc404a40bd12e416d4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un590995.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un835502.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pr428109.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu505244.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)

pid | Process
428 | pr428109.exe
428 | pr428109.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)

description | pid | Process
Token: SeDebugPrivilege | 428 | pr428109.exe
Token: SeDebugPrivilege | 4604 | qu505244.exe

Suspicious use of WriteProcessMemory (12 IoCs)

description | pid | Process | procid_target
PID 5044 wrote to memory of 1040 | 5044 | 21afe0c3c050f685a2cc2f3bd89685b229eefc58b41f3fcc404a40bd12e416d4.exe | 83
PID 5044 wrote to memory of 1040 | 5044 | 21afe0c3c050f685a2cc2f3bd89685b229eefc58b41f3fcc404a40bd12e416d4.exe | 83
PID 5044 wrote to memory of 1040 | 5044 | 21afe0c3c050f685a2cc2f3bd89685b229eefc58b41f3fcc404a40bd12e416d4.exe | 83
PID 1040 wrote to memory of 5088 | 1040 | un590995.exe | 84
PID 1040 wrote to memory of 5088 | 1040 | un590995.exe | 84
PID 1040 wrote to memory of 5088 | 1040 | un590995.exe | 84
PID 5088 wrote to memory of 428 | 5088 | un835502.exe | 85
PID 5088 wrote to memory of 428 | 5088 | un835502.exe | 85
PID 5088 wrote to memory of 428 | 5088 | un835502.exe | 85
PID 5088 wrote to memory of 4604 | 5088 | un835502.exe | 99
PID 5088 wrote to memory of 4604 | 5088 | un835502.exe | 99
PID 5088 wrote to memory of 4604 | 5088 | un835502.exe | 99
Processes

C:\Users\Admin\AppData\Local\Temp\21afe0c3c050f685a2cc2f3bd89685b229eefc58b41f3fcc404a40bd12e416d4.exe (PID 5044)
  command line: "C:\Users\Admin\AppData\Local\Temp\21afe0c3c050f685a2cc2f3bd89685b229eefc58b41f3fcc404a40bd12e416d4.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un590995.exe (PID 1040)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un590995.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un835502.exe (PID 5088)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un835502.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr428109.exe (PID 428)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr428109.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WerFault.exe (PID 4956)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 1080
          - Program crash

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu505244.exe (PID 4604)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu505244.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (PID 3144)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 428 -ip 428
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 706KB
MD5: 25955c01064bbc34759fd0ac31688426
SHA1: 629464255359155085cc5eebf0f4f341269e5923
SHA256: 8b7d267d1d921cfa704164b6bd81e682aaff3253c761eca45f65c574e4bc53db
SHA512: f17b5a97aa8d1b2361d7465831779e82c8418f71ea69ca155663241ab2848465923a008d722a5acf0d47a45aa2514b4b0d9911efcf483b0be3572a667fa57269

Filesize: 552KB
MD5: 2e8026bc71e4fc56c71e8be77c1907c0
SHA1: 4ca043cf5e4891c9528d50bc0276819d216775eb
SHA256: b758b1dff7183e4824d0c092e4ca6abc99b754712dd38951516a524453e9df51
SHA512: 219645d6d766fe0d1d6ab0a1171fed7fc372a40813e1f7204aefb2a027439ba6323fe7d488208d10318d0a28d6a869158cef821070b58bd559bdcd22c638aac1

Filesize: 299KB
MD5: ee9f6b9d26cdeb84465dd858cb09829a
SHA1: 0355d24f32f6d6eb299edcbe5c6284493e206a40
SHA256: 397c30933fb13c7f035623f8e0f9f83df10638cdf90c7a14dbb47a838ea40870
SHA512: 103b67c3a2025107cbcc8746d64ea0a264333058c5b00c82618e1f4a03d1dc21a7792f40c28f0e2e834e8869cf981d512bb8f01f2def4a92b92d46f8fe24018e

Filesize: 381KB
MD5: d573897fe91e51c611047ef1a5bf7c7c
SHA1: 197e6d6036ecc8a4d9453a085c977df40fb4e329
SHA256: db685574cbb1191c3141fe59e1d4c737d36e58fcc08a992ed2628f10afa063da
SHA512: c7d38fb3697e537719061ac6fc438b04c5ea99e6afa5280cfe5f962d5f0ead508baf401f1d72c874efd8654fd269ad39d7ef738ec38f43a2a7b4ed8d9e9c7981