Analysis
max time kernel: 120s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 05:56
Static task: static1
Behavioral task: behavioral1
Sample: 19f5a9b950d9469e4d3fdd4161f7632a192f5f6e2788584d5121f02d08f8f11eN.exe
Resource: win10v2004-20241007-en
General
Target: 19f5a9b950d9469e4d3fdd4161f7632a192f5f6e2788584d5121f02d08f8f11eN.exe
Size: 943KB
MD5: b58e9b97a201ade79b947f1536bcea30
SHA1: 3e3908609dc67480803cbe4ffb8f563249f752da
SHA256: 19f5a9b950d9469e4d3fdd4161f7632a192f5f6e2788584d5121f02d08f8f11e
SHA512: 03f6ce080308dc505f44b49ea0c08ae557dc700423ca57dba26e13a500d74b888d8504a7603e5d6260f1fee852bdc42365a272d7c34be20cdd5f8916435fa887
SSDEEP: 12288:my90kb0ebql9QLAYJWtq3bfvwwktQunTDlyPBxcBIGSSWNnH2yNd4xzeg4pm:myL05lsAb4bwr9JOiOYwbsK3pm
Malware Config
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr154507.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr154507.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr154507.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr154507.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr154507.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr154507.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
RedLine family

Executes dropped EXE (4 IoCs)
pid | Process
4048 | un973437.exe
4904 | un431809.exe
4528 | pr154507.exe
1720 | qu852783.exe
Windows security modification (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr154507.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr154507.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 19f5a9b950d9469e4d3fdd4161f7632a192f5f6e2788584d5121f02d08f8f11eN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un973437.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | un431809.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
836 | 4528 | WerFault.exe | 87
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu852783.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 19f5a9b950d9469e4d3fdd4161f7632a192f5f6e2788584d5121f02d08f8f11eN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un973437.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un431809.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pr154507.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4528 | pr154507.exe
4528 | pr154507.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4528 | pr154507.exe
Token: SeDebugPrivilege | 1720 | qu852783.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 696 wrote to memory of 4048 | 696 | 19f5a9b950d9469e4d3fdd4161f7632a192f5f6e2788584d5121f02d08f8f11eN.exe | 84
PID 696 wrote to memory of 4048 | 696 | 19f5a9b950d9469e4d3fdd4161f7632a192f5f6e2788584d5121f02d08f8f11eN.exe | 84
PID 696 wrote to memory of 4048 | 696 | 19f5a9b950d9469e4d3fdd4161f7632a192f5f6e2788584d5121f02d08f8f11eN.exe | 84
PID 4048 wrote to memory of 4904 | 4048 | un973437.exe | 85
PID 4048 wrote to memory of 4904 | 4048 | un973437.exe | 85
PID 4048 wrote to memory of 4904 | 4048 | un973437.exe | 85
PID 4904 wrote to memory of 4528 | 4904 | un431809.exe | 87
PID 4904 wrote to memory of 4528 | 4904 | un431809.exe | 87
PID 4904 wrote to memory of 4528 | 4904 | un431809.exe | 87
PID 4904 wrote to memory of 1720 | 4904 | un431809.exe | 97
PID 4904 wrote to memory of 1720 | 4904 | un431809.exe | 97
PID 4904 wrote to memory of 1720 | 4904 | un431809.exe | 97
Processes

[1] C:\Users\Admin\AppData\Local\Temp\19f5a9b950d9469e4d3fdd4161f7632a192f5f6e2788584d5121f02d08f8f11eN.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\19f5a9b950d9469e4d3fdd4161f7632a192f5f6e2788584d5121f02d08f8f11eN.exe"
    PID: 696
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un973437.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un973437.exe
        PID: 4048
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un431809.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un431809.exe
            PID: 4904
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr154507.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr154507.exe
                PID: 4528
                - Modifies Windows Defender Real-time Protection settings
                - Executes dropped EXE
                - Windows security modification
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                [5] C:\Windows\SysWOW64\WerFault.exe
                    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 1088
                    PID: 836
                    - Program crash
            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu852783.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu852783.exe
                PID: 1720
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4528 -ip 4528
    PID: 1176
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Downloads