Analysis
max time kernel: 143s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 05:59
Static task: static1
Behavioral task: behavioral1
Sample: ade941723c3d6d40c3c5d34efb3e937a15efaacc78463433ecc37d6034034c4d.exe
Resource: win10v2004-20241007-en
General
Target: ade941723c3d6d40c3c5d34efb3e937a15efaacc78463433ecc37d6034034c4d.exe
Size: 704KB
MD5: 88e6e6babd23c6cde2f247d3ab5e1060
SHA1: 3f756ae2d34ae0d53654fffb65a2748513b607e8
SHA256: ade941723c3d6d40c3c5d34efb3e937a15efaacc78463433ecc37d6034034c4d
SHA512: 9178a5d8ab087d20e6015048f87c8d0c9ff1e50634f8e097b67397e09c077b52926e259e0341b853f07e813ceace70e141df15f1178d1c9991359d922a6eddfd
SSDEEP: 12288:Py90agK/J5JhFRjHY1g6ohhmWeY1dZR4gVHMWCsifKqbDLdMa/yv:PyMKB5JprCfcneaicHpefKq/Ldgv
Malware Config
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
resource | yara_rule
behavioral1/memory/2216-18-0x0000000004BF0000-0x0000000004C0A000-memory.dmp | healer
behavioral1/memory/2216-20-0x0000000004E30000-0x0000000004E48000-memory.dmp | healer
behavioral1/memory/2216-22-0x0000000004E30000-0x0000000004E42000-memory.dmp | healer
behavioral1/memory/2216-48-0x0000000004E30000-0x0000000004E42000-memory.dmp | healer
behavioral1/memory/2216-46-0x0000000004E30000-0x0000000004E42000-memory.dmp | healer
behavioral1/memory/2216-42-0x0000000004E30000-0x0000000004E42000-memory.dmp | healer
behavioral1/memory/2216-40-0x0000000004E30000-0x0000000004E42000-memory.dmp | healer
behavioral1/memory/2216-38-0x0000000004E30000-0x0000000004E42000-memory.dmp | healer
behavioral1/memory/2216-36-0x0000000004E30000-0x0000000004E42000-memory.dmp | healer
behavioral1/memory/2216-34-0x0000000004E30000-0x0000000004E42000-memory.dmp | healer
behavioral1/memory/2216-32-0x0000000004E30000-0x0000000004E42000-memory.dmp | healer
behavioral1/memory/2216-30-0x0000000004E30000-0x0000000004E42000-memory.dmp | healer
behavioral1/memory/2216-28-0x0000000004E30000-0x0000000004E42000-memory.dmp | healer
behavioral1/memory/2216-26-0x0000000004E30000-0x0000000004E42000-memory.dmp | healer
behavioral1/memory/2216-24-0x0000000004E30000-0x0000000004E42000-memory.dmp | healer
behavioral1/memory/2216-21-0x0000000004E30000-0x0000000004E42000-memory.dmp | healer
behavioral1/memory/2216-44-0x0000000004E30000-0x0000000004E42000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr311820.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr311820.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr311820.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr311820.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr311820.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr311820.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
resource | yara_rule
behavioral1/memory/2928-60-0x0000000007180000-0x00000000071BC000-memory.dmp | family_redline
behavioral1/memory/2928-61-0x00000000077B0000-0x00000000077EA000-memory.dmp | family_redline
behavioral1/memory/2928-85-0x00000000077B0000-0x00000000077E5000-memory.dmp | family_redline
behavioral1/memory/2928-83-0x00000000077B0000-0x00000000077E5000-memory.dmp | family_redline
behavioral1/memory/2928-95-0x00000000077B0000-0x00000000077E5000-memory.dmp | family_redline
behavioral1/memory/2928-93-0x00000000077B0000-0x00000000077E5000-memory.dmp | family_redline
behavioral1/memory/2928-91-0x00000000077B0000-0x00000000077E5000-memory.dmp | family_redline
behavioral1/memory/2928-89-0x00000000077B0000-0x00000000077E5000-memory.dmp | family_redline
behavioral1/memory/2928-87-0x00000000077B0000-0x00000000077E5000-memory.dmp | family_redline
behavioral1/memory/2928-81-0x00000000077B0000-0x00000000077E5000-memory.dmp | family_redline
behavioral1/memory/2928-79-0x00000000077B0000-0x00000000077E5000-memory.dmp | family_redline
behavioral1/memory/2928-77-0x00000000077B0000-0x00000000077E5000-memory.dmp | family_redline
behavioral1/memory/2928-75-0x00000000077B0000-0x00000000077E5000-memory.dmp | family_redline
behavioral1/memory/2928-73-0x00000000077B0000-0x00000000077E5000-memory.dmp | family_redline
behavioral1/memory/2928-71-0x00000000077B0000-0x00000000077E5000-memory.dmp | family_redline
behavioral1/memory/2928-69-0x00000000077B0000-0x00000000077E5000-memory.dmp | family_redline
behavioral1/memory/2928-67-0x00000000077B0000-0x00000000077E5000-memory.dmp | family_redline
behavioral1/memory/2928-65-0x00000000077B0000-0x00000000077E5000-memory.dmp | family_redline
behavioral1/memory/2928-63-0x00000000077B0000-0x00000000077E5000-memory.dmp | family_redline
behavioral1/memory/2928-62-0x00000000077B0000-0x00000000077E5000-memory.dmp | family_redline
Redline family

Executes dropped EXE (3 IoCs)
pid | Process
2576 | un484866.exe
2216 | pr311820.exe
2928 | qu815558.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr311820.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr311820.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un484866.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ade941723c3d6d40c3c5d34efb3e937a15efaacc78463433ecc37d6034034c4d.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
632 | 2216 | WerFault.exe | 84
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ade941723c3d6d40c3c5d34efb3e937a15efaacc78463433ecc37d6034034c4d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un484866.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pr311820.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu815558.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2216 | pr311820.exe
2216 | pr311820.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2216 | pr311820.exe
Token: SeDebugPrivilege | 2928 | qu815558.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 2896 wrote to memory of 2576 | 2896 | ade941723c3d6d40c3c5d34efb3e937a15efaacc78463433ecc37d6034034c4d.exe | 83
PID 2896 wrote to memory of 2576 | 2896 | ade941723c3d6d40c3c5d34efb3e937a15efaacc78463433ecc37d6034034c4d.exe | 83
PID 2896 wrote to memory of 2576 | 2896 | ade941723c3d6d40c3c5d34efb3e937a15efaacc78463433ecc37d6034034c4d.exe | 83
PID 2576 wrote to memory of 2216 | 2576 | un484866.exe | 84
PID 2576 wrote to memory of 2216 | 2576 | un484866.exe | 84
PID 2576 wrote to memory of 2216 | 2576 | un484866.exe | 84
PID 2576 wrote to memory of 2928 | 2576 | un484866.exe | 96
PID 2576 wrote to memory of 2928 | 2576 | un484866.exe | 96
PID 2576 wrote to memory of 2928 | 2576 | un484866.exe | 96
Processes

C:\Users\Admin\AppData\Local\Temp\ade941723c3d6d40c3c5d34efb3e937a15efaacc78463433ecc37d6034034c4d.exe (PID 2896)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ade941723c3d6d40c3c5d34efb3e937a15efaacc78463433ecc37d6034034c4d.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un484866.exe (PID 2576)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un484866.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr311820.exe (PID 2216)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr311820.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe (PID 632)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 1080
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu815558.exe (PID 2928)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu815558.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (PID 2348)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2216 -ip 2216
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Downloads

Filesize: 550KB
MD5: 515ec2e95e3ba86ed06a4a78d757b4a3
SHA1: 3b459885bab7015a6d7f36275991a6d8e25b9698
SHA256: 449df2768cb25ff1772bf49126f4d6c0327eb593ea7a64d9996f2b5b9e49de83
SHA512: a0f28594fe0ec2edf41efc2e0509c71816d2695f2563720ff8091a67eccf16766b7a99d75015d1ffc3eff45c8901a5439e4ee9777702808f5cf36f4f95264eb0

Filesize: 277KB
MD5: d9b77ffe532b3c5da3e72ba9a10ce286
SHA1: 1c0d832f7967a850a0c92a7ad22a2636d4e9242d
SHA256: 7b3c934799e52ead22ef61b00c9b2de135d58a92b55873d4594459b8e73570e6
SHA512: 24aad5f81dfe05feec1f377e1d48fe6e6835276e20c1799257803242fef15ae4d9c36123db6405a7da6599255582d4c06d0d4e966782e955f33e25a9d6d8881b

Filesize: 361KB
MD5: 453208826c527906afa435d48d33a907
SHA1: ffc4a2282a7b7886b02c7f116a33b30cafe46ae5
SHA256: 351fe845d80ff3312ec9901475f4c92d5db8db33298b2bd68728e6f88443ee7c
SHA512: 998f352c58121f94fcb9a810ece72f3b177b4a83e9aa8b317aa67bca7a4bae13c73baf187c331f5c39f8344ca33c586f747ebfb31fd87b75350b11011612aabc