Analysis
max time kernel: 143s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 05:59
Static task: static1
Behavioral task: behavioral1
Sample: 7558bea70c3f10655819b8910119316eac6e21e23ff1314a898ac6965d5bb405.exe
Resource: win10v2004-20241007-en
General
Target: 7558bea70c3f10655819b8910119316eac6e21e23ff1314a898ac6965d5bb405.exe
Size: 1.0MB
MD5: 6959d8eddde13b5ebd5614dccdd52157
SHA1: e0a7d9566283dae5ab66e3b0a2c61601c8af7646
SHA256: 7558bea70c3f10655819b8910119316eac6e21e23ff1314a898ac6965d5bb405
SHA512: e02e6b1609c65d23988db4d8f1ac770da7eea260c024b90e1b86d8387574ecc7b5b6c8eb543d0f664f1f30368f4de60200d2a47e474249a9ea63a526a9167d75
SSDEEP: 24576:Jy240CzeczKkccWUoyDwVKDCOHVbuy3Jc1RlZlu5uU:82PCajBcg5oDC9+m7lZlH
Malware Config
Signatures
Detects Healer an antivirus disabler dropper 17 IoCs
resource | yara_rule
behavioral1/memory/396-23-0x00000000028F0000-0x000000000290A000-memory.dmp | healer
behavioral1/memory/396-25-0x0000000004ED0000-0x0000000004EE8000-memory.dmp | healer
behavioral1/memory/396-27-0x0000000004ED0000-0x0000000004EE2000-memory.dmp | healer
behavioral1/memory/396-53-0x0000000004ED0000-0x0000000004EE2000-memory.dmp | healer
behavioral1/memory/396-51-0x0000000004ED0000-0x0000000004EE2000-memory.dmp | healer
behavioral1/memory/396-49-0x0000000004ED0000-0x0000000004EE2000-memory.dmp | healer
behavioral1/memory/396-47-0x0000000004ED0000-0x0000000004EE2000-memory.dmp | healer
behavioral1/memory/396-45-0x0000000004ED0000-0x0000000004EE2000-memory.dmp | healer
behavioral1/memory/396-43-0x0000000004ED0000-0x0000000004EE2000-memory.dmp | healer
behavioral1/memory/396-41-0x0000000004ED0000-0x0000000004EE2000-memory.dmp | healer
behavioral1/memory/396-39-0x0000000004ED0000-0x0000000004EE2000-memory.dmp | healer
behavioral1/memory/396-38-0x0000000004ED0000-0x0000000004EE2000-memory.dmp | healer
behavioral1/memory/396-35-0x0000000004ED0000-0x0000000004EE2000-memory.dmp | healer
behavioral1/memory/396-33-0x0000000004ED0000-0x0000000004EE2000-memory.dmp | healer
behavioral1/memory/396-31-0x0000000004ED0000-0x0000000004EE2000-memory.dmp | healer
behavioral1/memory/396-29-0x0000000004ED0000-0x0000000004EE2000-memory.dmp | healer
behavioral1/memory/396-26-0x0000000004ED0000-0x0000000004EE2000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr287777.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr287777.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr287777.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr287777.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr287777.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr287777.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 20 IoCs
resource | yara_rule
behavioral1/memory/3636-62-0x00000000026B0000-0x00000000026EC000-memory.dmp | family_redline
behavioral1/memory/3636-63-0x00000000029A0000-0x00000000029DA000-memory.dmp | family_redline
behavioral1/memory/3636-65-0x00000000029A0000-0x00000000029D5000-memory.dmp | family_redline
behavioral1/memory/3636-79-0x00000000029A0000-0x00000000029D5000-memory.dmp | family_redline
behavioral1/memory/3636-97-0x00000000029A0000-0x00000000029D5000-memory.dmp | family_redline
behavioral1/memory/3636-95-0x00000000029A0000-0x00000000029D5000-memory.dmp | family_redline
behavioral1/memory/3636-93-0x00000000029A0000-0x00000000029D5000-memory.dmp | family_redline
behavioral1/memory/3636-91-0x00000000029A0000-0x00000000029D5000-memory.dmp | family_redline
behavioral1/memory/3636-89-0x00000000029A0000-0x00000000029D5000-memory.dmp | family_redline
behavioral1/memory/3636-87-0x00000000029A0000-0x00000000029D5000-memory.dmp | family_redline
behavioral1/memory/3636-85-0x00000000029A0000-0x00000000029D5000-memory.dmp | family_redline
behavioral1/memory/3636-83-0x00000000029A0000-0x00000000029D5000-memory.dmp | family_redline
behavioral1/memory/3636-81-0x00000000029A0000-0x00000000029D5000-memory.dmp | family_redline
behavioral1/memory/3636-77-0x00000000029A0000-0x00000000029D5000-memory.dmp | family_redline
behavioral1/memory/3636-75-0x00000000029A0000-0x00000000029D5000-memory.dmp | family_redline
behavioral1/memory/3636-73-0x00000000029A0000-0x00000000029D5000-memory.dmp | family_redline
behavioral1/memory/3636-71-0x00000000029A0000-0x00000000029D5000-memory.dmp | family_redline
behavioral1/memory/3636-69-0x00000000029A0000-0x00000000029D5000-memory.dmp | family_redline
behavioral1/memory/3636-67-0x00000000029A0000-0x00000000029D5000-memory.dmp | family_redline
behavioral1/memory/3636-64-0x00000000029A0000-0x00000000029D5000-memory.dmp | family_redline
Redline family
Executes dropped EXE 4 IoCs
pid | Process
4904 | un538496.exe
452 | un341353.exe
396 | pr287777.exe
3636 | qu812676.exe
Windows security modification 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr287777.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr287777.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un538496.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | un341353.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 7558bea70c3f10655819b8910119316eac6e21e23ff1314a898ac6965d5bb405.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
1064 | 396 | WerFault.exe | 88
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un341353.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pr287777.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu812676.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7558bea70c3f10655819b8910119316eac6e21e23ff1314a898ac6965d5bb405.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un538496.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
396 | pr287777.exe
396 | pr287777.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 396 | pr287777.exe
Token: SeDebugPrivilege | 3636 | qu812676.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 3016 wrote to memory of 4904 | 3016 | 7558bea70c3f10655819b8910119316eac6e21e23ff1314a898ac6965d5bb405.exe | 85
PID 3016 wrote to memory of 4904 | 3016 | 7558bea70c3f10655819b8910119316eac6e21e23ff1314a898ac6965d5bb405.exe | 85
PID 3016 wrote to memory of 4904 | 3016 | 7558bea70c3f10655819b8910119316eac6e21e23ff1314a898ac6965d5bb405.exe | 85
PID 4904 wrote to memory of 452 | 4904 | un538496.exe | 86
PID 4904 wrote to memory of 452 | 4904 | un538496.exe | 86
PID 4904 wrote to memory of 452 | 4904 | un538496.exe | 86
PID 452 wrote to memory of 396 | 452 | un341353.exe | 88
PID 452 wrote to memory of 396 | 452 | un341353.exe | 88
PID 452 wrote to memory of 396 | 452 | un341353.exe | 88
PID 452 wrote to memory of 3636 | 452 | un341353.exe | 96
PID 452 wrote to memory of 3636 | 452 | un341353.exe | 96
PID 452 wrote to memory of 3636 | 452 | un341353.exe | 96
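As an added host-audit example (not part of this sandbox report, and not code from the sample or the sandbox vendor): the PowerShell below checks a Windows 10 host for the registry state recorded in the Defender real-time protection, Windows security modification and RunOnce signatures above, and compares it with Defender's live status. It assumes it is run from an elevated prompt and that the key and value names are exactly those listed in this report; the checks of the native (non-WOW6432Node) registry paths, the HKCU RunOnce check and the Get-MpComputerStatus comparison are assumptions added here, not something the report records.

```powershell
# Added audit script (not from the sandbox report). Checks a host for the
# registry changes attributed to pr287777.exe above, plus the RunOnce cleanup
# entries registered by the nested self-extractor stages.
# Assumptions: elevated PowerShell on Windows 10 x64; value names as listed in
# the report; Defender cmdlets available (they are on stock Windows 10).

$findings = New-Object System.Collections.Generic.List[string]

# Values the report shows being set to 1 under Real-Time Protection.
$rtpValues = @(
    'DisableBehaviorMonitoring',
    'DisableIOAVProtection',
    'DisableOnAccessProtection',
    'DisableRealtimeMonitoring',
    'DisableScanOnRealtimeEnable'
)

# The report records the 32-bit process writing under WOW6432Node; check that
# path and the native Policies path (added here), since Defender reads policy
# from the native view.
$rtpKeys = @(
    'HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
)
foreach ($key in $rtpKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($name in $rtpValues) {
        $v = $props.PSObject.Properties[$name]
        if ($null -ne $v -and [int]$v.Value -eq 1) {
            $findings.Add("RTP policy tampered: $key\$name = 1")
        }
    }
}

# TamperProtection = 0 under Windows Defender\Features, both registry views.
$featureKeys = @(
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features',
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
)
foreach ($key in $featureKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $tp = (Get-ItemProperty -LiteralPath $key).PSObject.Properties['TamperProtection']
    if ($null -ne $tp -and [int]$tp.Value -eq 0) {
        $findings.Add("TamperProtection value set to 0: $key")
    }
}

# RunOnce wextract_cleanupN entries pointing at %TEMP%\IXPnnn.TMP. These are
# written by wextract/IExpress self-extractors and mark where each stage
# unpacked; the directory names are the triage lead.
$runOnceKeys = @(
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runOnceKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
        Where-Object { $_.Name -like 'wextract_cleanup*' -and "$($_.Value)" -match 'IXP\d{3}\.TMP' } |
        ForEach-Object { $findings.Add("SFX cleanup entry: $key\$($_.Name) = $($_.Value)") }
}

# Live Defender state, independent of what the registry says.
try {
    $st = Get-MpComputerStatus -ErrorAction Stop
    if (-not $st.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is OFF') }
    if (-not $st.IsTamperProtected)        { $findings.Add('Defender tamper protection is OFF') }
} catch {
    $findings.Add("Get-MpComputerStatus failed: $($_.Exception.Message)")
}

if ($findings.Count -eq 0) { 'No indicators from this report found.' } else { $findings }
```

Two caveats when reading the results. On a host where Defender tamper protection is actually enabled, the TamperProtection value and the Real-Time Protection policy values are protected, so the registry writes shown in the report do not by themselves turn protection off; the Get-MpComputerStatus lines are the ground truth and the registry lines are evidence of the attempt. The wextract_cleanupN RunOnce entries are the standard cleanup mechanism of wextract-based self-extractors (rundll32 advpack.dll,DelNodeRunDLL32 deletes the IXPnnn.TMP directory at next logon), which is why the sample's three nested stages each register one; they indicate how the sample was packaged rather than a persistence mechanism in their own right, so the "Adds Run key" signature should be read with that in mind.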
Processes
C:\Users\Admin\AppData\Local\Temp\7558bea70c3f10655819b8910119316eac6e21e23ff1314a898ac6965d5bb405.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7558bea70c3f10655819b8910119316eac6e21e23ff1314a898ac6965d5bb405.exe"
  PID: 3016
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un538496.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un538496.exe
      PID: 4904
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un341353.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un341353.exe
          PID: 452
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr287777.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr287777.exe
              PID: 396
              - Modifies Windows Defender Real-time Protection settings
              - Executes dropped EXE
              - Windows security modification
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
                C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 1084
                  PID: 1064
                  - Program crash
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu812676.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu812676.exe
              PID: 3636
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 396 -ip 396
  PID: 1096
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  Create or Modify System Process (T1543): 1
    Windows Service (T1543.003): 1
Downloads
Filesize: 750KB
MD5: e9fcd6776f42b2f2d961e8631081fe0c
SHA1: d91dd71c1f0802b10e777502b44fd2ac1524893e
SHA256: 9e1879144fd6f84fc3051ddd5e58ed87b97f847ba656872fb4ecd97ac0475a87
SHA512: 7f80ff3249c64621435a8c7b84a533622529dc3cf8a4bd254f08e128dee0ba4ea4bbc3ea604e08ff9bd1e3e84a3b6be8c3c359d81ddeb3bd49e7f7617ac2a094

Filesize: 596KB
MD5: 230249a4e08888833b70e8329d4c39b8
SHA1: d112a823db1b7a478458daeb90968ed461201a76
SHA256: 86344b83c7b9b5ff97bbc8fa22880e2d9c7565e880f94d6e5c7dec2a59786491
SHA512: af868a3022f534cf4818a1f09ad4bc3f138a3cf8781502cc8f89d060a650386d8a903db8ef6c7e5d2bb9a41199aece679e6ab2bdbbc28edceaf404040544db8e

Filesize: 391KB
MD5: b212b93cb14d0972b5007a1ff3cf395a
SHA1: 6eca779773ec6ada8c68e5c2bdc971997465f889
SHA256: 7f5272472eca09beaf713533113316ed0e1ddf1a296e7aeb3b7aef2dcf1aa659
SHA512: 707026c67345d9692e0bd5d52b4532e601c994d740923482e473a2124d5d88bbda7cd4d4a73f53643e47c789e36f2889d9909eca58972074028468fe3a61e70b

Filesize: 474KB
MD5: 2498c23a31aa37b72b0bbb00e636a6f4
SHA1: 1eead0a368a7e57c46228456d5542b4633b8e0a5
SHA256: 11db3d20750765096022860e1327be01f50135f7407c19ea1eeb326e121e2683
SHA512: 8a36a8a889a07539e2adc5b845a8e2009d7ad091cdbeb30afe889442c103f148f2fe23dc69a8ed2c4faf43d233cc739234c1d962c2871c819e24e59bc198991e