Analysis

max time kernel: 120s
max time network: 115s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-11-2024 01:31

Static task: static1
Behavioral task: behavioral1
Sample: 154de8d6cbec2497a2def5dcd657555b845f0fb7b19406b825829822c35eb821N.exe
Resource: win10v2004-20241007-en
General

Target: 154de8d6cbec2497a2def5dcd657555b845f0fb7b19406b825829822c35eb821N.exe
Size: 751KB
MD5: fc667f854e3f9dde9e328f774d807dd0
SHA1: 27de59665d537a93a860e1ef9816ee34ae380c7b
SHA256: 154de8d6cbec2497a2def5dcd657555b845f0fb7b19406b825829822c35eb821
SHA512: 82a8a70fcd2c9fc18f196adad3c3cab4e3cf27a93b38ac801181227b3a76763335d71aed4385ab13a113faa50f16ab647d1270f433473f1da55439f696b151b7
SSDEEP: 12288:Ty90W2+LX4fgG9jA40wAsoi+ShmJSlQ4bI5HyZKO8b5nVDc6Cq:TyZHLX4fd9jAJheQmQ4iCqVYQ
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)

resource | yara_rule
behavioral1/memory/3620-19-0x0000000002520000-0x000000000253A000-memory.dmp | healer
behavioral1/memory/3620-21-0x0000000002700000-0x0000000002718000-memory.dmp | healer
behavioral1/memory/3620-47-0x0000000002700000-0x0000000002712000-memory.dmp | healer
behavioral1/memory/3620-49-0x0000000002700000-0x0000000002712000-memory.dmp | healer
behavioral1/memory/3620-46-0x0000000002700000-0x0000000002712000-memory.dmp | healer
behavioral1/memory/3620-43-0x0000000002700000-0x0000000002712000-memory.dmp | healer
behavioral1/memory/3620-41-0x0000000002700000-0x0000000002712000-memory.dmp | healer
behavioral1/memory/3620-39-0x0000000002700000-0x0000000002712000-memory.dmp | healer
behavioral1/memory/3620-37-0x0000000002700000-0x0000000002712000-memory.dmp | healer
behavioral1/memory/3620-35-0x0000000002700000-0x0000000002712000-memory.dmp | healer
behavioral1/memory/3620-33-0x0000000002700000-0x0000000002712000-memory.dmp | healer
behavioral1/memory/3620-31-0x0000000002700000-0x0000000002712000-memory.dmp | healer
behavioral1/memory/3620-29-0x0000000002700000-0x0000000002712000-memory.dmp | healer
behavioral1/memory/3620-27-0x0000000002700000-0x0000000002712000-memory.dmp | healer
behavioral1/memory/3620-25-0x0000000002700000-0x0000000002712000-memory.dmp | healer
behavioral1/memory/3620-23-0x0000000002700000-0x0000000002712000-memory.dmp | healer
behavioral1/memory/3620-22-0x0000000002700000-0x0000000002712000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr635263.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr635263.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr635263.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr635263.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr635263.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr635263.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)

resource | yara_rule
behavioral1/memory/1676-61-0x00000000027B0000-0x00000000027EC000-memory.dmp | family_redline
behavioral1/memory/1676-62-0x00000000053D0000-0x000000000540A000-memory.dmp | family_redline
behavioral1/memory/1676-66-0x00000000053D0000-0x0000000005405000-memory.dmp | family_redline
behavioral1/memory/1676-96-0x00000000053D0000-0x0000000005405000-memory.dmp | family_redline
behavioral1/memory/1676-95-0x00000000053D0000-0x0000000005405000-memory.dmp | family_redline
behavioral1/memory/1676-90-0x00000000053D0000-0x0000000005405000-memory.dmp | family_redline
behavioral1/memory/1676-88-0x00000000053D0000-0x0000000005405000-memory.dmp | family_redline
behavioral1/memory/1676-84-0x00000000053D0000-0x0000000005405000-memory.dmp | family_redline
behavioral1/memory/1676-82-0x00000000053D0000-0x0000000005405000-memory.dmp | family_redline
behavioral1/memory/1676-81-0x00000000053D0000-0x0000000005405000-memory.dmp | family_redline
behavioral1/memory/1676-79-0x00000000053D0000-0x0000000005405000-memory.dmp | family_redline
behavioral1/memory/1676-76-0x00000000053D0000-0x0000000005405000-memory.dmp | family_redline
behavioral1/memory/1676-75-0x00000000053D0000-0x0000000005405000-memory.dmp | family_redline
behavioral1/memory/1676-72-0x00000000053D0000-0x0000000005405000-memory.dmp | family_redline
behavioral1/memory/1676-71-0x00000000053D0000-0x0000000005405000-memory.dmp | family_redline
behavioral1/memory/1676-68-0x00000000053D0000-0x0000000005405000-memory.dmp | family_redline
behavioral1/memory/1676-92-0x00000000053D0000-0x0000000005405000-memory.dmp | family_redline
behavioral1/memory/1676-86-0x00000000053D0000-0x0000000005405000-memory.dmp | family_redline
behavioral1/memory/1676-64-0x00000000053D0000-0x0000000005405000-memory.dmp | family_redline
behavioral1/memory/1676-63-0x00000000053D0000-0x0000000005405000-memory.dmp | family_redline
Redline family
Executes dropped EXE (3 IoCs)

pid | Process
4960 | un673414.exe
3620 | pr635263.exe
1676 | qu881501.exe

Windows security modification

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr635263.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr635263.exe
Adds Run key to start application (2 TTPs, 2 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 154de8d6cbec2497a2def5dcd657555b845f0fb7b19406b825829822c35eb821N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un673414.exe
Program crash (1 IoCs)

pid | pid_target | Process | procid_target
3640 | 3620 | WerFault.exe | 86
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 154de8d6cbec2497a2def5dcd657555b845f0fb7b19406b825829822c35eb821N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un673414.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pr635263.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu881501.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)

pid | Process
3620 | pr635263.exe
3620 | pr635263.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)

description | pid | Process
Token: SeDebugPrivilege | 3620 | pr635263.exe
Token: SeDebugPrivilege | 1676 | qu881501.exe

Suspicious use of WriteProcessMemory (9 IoCs)

description | pid | Process | procid_target
PID 1384 wrote to memory of 4960 | 1384 | 154de8d6cbec2497a2def5dcd657555b845f0fb7b19406b825829822c35eb821N.exe | 84
PID 1384 wrote to memory of 4960 | 1384 | 154de8d6cbec2497a2def5dcd657555b845f0fb7b19406b825829822c35eb821N.exe | 84
PID 1384 wrote to memory of 4960 | 1384 | 154de8d6cbec2497a2def5dcd657555b845f0fb7b19406b825829822c35eb821N.exe | 84
PID 4960 wrote to memory of 3620 | 4960 | un673414.exe | 86
PID 4960 wrote to memory of 3620 | 4960 | un673414.exe | 86
PID 4960 wrote to memory of 3620 | 4960 | un673414.exe | 86
PID 4960 wrote to memory of 1676 | 4960 | un673414.exe | 98
PID 4960 wrote to memory of 1676 | 4960 | un673414.exe | 98
PID 4960 wrote to memory of 1676 | 4960 | un673414.exe | 98
Processes

[1] C:\Users\Admin\AppData\Local\Temp\154de8d6cbec2497a2def5dcd657555b845f0fb7b19406b825829822c35eb821N.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\154de8d6cbec2497a2def5dcd657555b845f0fb7b19406b825829822c35eb821N.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1384

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un673414.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un673414.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 4960

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr635263.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr635263.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 3620

            [4] C:\Windows\SysWOW64\WerFault.exe
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 1084
                - Program crash
                PID: 3640

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu881501.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu881501.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            PID: 1676

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3620 -ip 3620
    PID: 1736
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads

Filesize: 597KB
MD5: 81b5ff71a25a244e9bbd421c516721dd
SHA1: 9c4bf3342c2e5af273b8dd6d57055eea686fb7fd
SHA256: 8d2885de0f13d9d6bab8b605e1f9cf0e712174bf36c2f11d28c52250068acdc7
SHA512: c33706bc9919a10dca8d176acad11b9b5c921eb2617c4ca537b5b04d913ec6f59e5fb184d9364596b560a1b5a755d9a9eb349b38476c5c8b10fa64740e9e9e9e

Filesize: 391KB
MD5: c62829380389b48987bb568eb51a7b52
SHA1: 1b3eba3e53505d2d2bafe128d249c6a790db11ef
SHA256: 5b824fcc114699a2cfef0d00d9a4c7804e27d601d8d01d7b1c94fb2f8949120d
SHA512: 06c828ce2bd2c36be1688dd88b613412754c6b2a7534b9c438821f39d7adebd88d7d69f84fd38558b1d98cbcad7c08600c5fb204a96f7350b4ca770881a35204

Filesize: 474KB
MD5: e39f3680c8c6c74aca320b63fb95fb5e
SHA1: 156c6c97c8374e649987eb293b07148afe3f85e7
SHA256: 684d9219098504a1cf5471bc729c257635b55d68900ac13bf25b3d5a83048153
SHA512: 523ffbc69eac854be9c091aaac7c92a3a01fd42ac53f573c962551c2241a00c7314ae26100d4193d4c7c4fdb6f8623f83089ea65609b9cda374f3c911cbaace7