Analysis

max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 06:01
Static task: static1
Behavioral task: behavioral1
Sample: f967e7c5ec1bb30ac85985c642436844bdace9ad7a7301fccb7ebefc337688e9.exe
Resource: win10v2004-20241007-en
General

Target: f967e7c5ec1bb30ac85985c642436844bdace9ad7a7301fccb7ebefc337688e9.exe
Size: 746KB
MD5: 96a6c4b28d349a3b379f052bbb2d8c6f
SHA1: 23cc31f23de3db9855236c1dfe6bb33abb90c01e
SHA256: f967e7c5ec1bb30ac85985c642436844bdace9ad7a7301fccb7ebefc337688e9
SHA512: 6b742fdce7def85aba7efd2e0388d94b1e0563c88eb98db5cc615f57ae3a7baa29364b9441374588aecf8dc5e00e483f89f72a54b92f07bbfe3ab937f240db75
SSDEEP: 12288:ky90g1iePbG47mLI0cRcfaSzJEJNuN6Mt7xNTF9kFWhZob44wnN5mU32T9z:kygePC4icCySzUMtz9auKb4ZnNQd5z
Malware Config
Signatures
Detects Healer an antivirus disabler dropper 17 IoCs
Healer family

Modifies Windows Defender Real-time Protection settings 6 IoCs
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (30714751.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (30714751.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (30714751.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (30714751.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (30714751.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (30714751.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 20 IoCs

Redline family
Executes dropped EXE 3 IoCs
- PID 4008: un084675.exe
- PID 1064: 30714751.exe
- PID 2388: rk634448.exe

Windows security modification 2 IoCs
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (30714751.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (30714751.exe)
Adds Run key to start application 2 TTPs 2 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (f967e7c5ec1bb30ac85985c642436844bdace9ad7a7301fccb7ebefc337688e9.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un084675.exe)
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (f967e7c5ec1bb30ac85985c642436844bdace9ad7a7301fccb7ebefc337688e9.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (un084675.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (30714751.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rk634448.exe)
Suspicious behavior: EnumeratesProcesses 2 IoCs
- PID 1064: 30714751.exe
- PID 1064: 30714751.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
- Token: SeDebugPrivilege, PID 1064 (30714751.exe)
- Token: SeDebugPrivilege, PID 2388 (rk634448.exe)

Suspicious use of WriteProcessMemory 9 IoCs
- PID 4888 wrote to memory of 4008 (pid 4888, f967e7c5ec1bb30ac85985c642436844bdace9ad7a7301fccb7ebefc337688e9.exe, procid_target 83)
- PID 4888 wrote to memory of 4008 (pid 4888, f967e7c5ec1bb30ac85985c642436844bdace9ad7a7301fccb7ebefc337688e9.exe, procid_target 83)
- PID 4888 wrote to memory of 4008 (pid 4888, f967e7c5ec1bb30ac85985c642436844bdace9ad7a7301fccb7ebefc337688e9.exe, procid_target 83)
- PID 4008 wrote to memory of 1064 (pid 4008, un084675.exe, procid_target 84)
- PID 4008 wrote to memory of 1064 (pid 4008, un084675.exe, procid_target 84)
- PID 4008 wrote to memory of 1064 (pid 4008, un084675.exe, procid_target 84)
- PID 4008 wrote to memory of 2388 (pid 4008, un084675.exe, procid_target 95)
- PID 4008 wrote to memory of 2388 (pid 4008, un084675.exe, procid_target 95)
- PID 4008 wrote to memory of 2388 (pid 4008, un084675.exe, procid_target 95)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\f967e7c5ec1bb30ac85985c642436844bdace9ad7a7301fccb7ebefc337688e9.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f967e7c5ec1bb30ac85985c642436844bdace9ad7a7301fccb7ebefc337688e9.exe"
    PID: 4888
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un084675.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un084675.exe
        PID: 4008
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\30714751.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\30714751.exe
            PID: 1064
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk634448.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk634448.exe
            PID: 2388
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

Filesize: 592KB
MD5: 98d6d63d33b7068bb82d7b467b8e8e9b
SHA1: ac7bf450d77157413aa185b198cbad7f55b709d0
SHA256: 04eb1a69cb2ac63ce2e0d9a0e119b683f109e3b2d75aa59edb3ad03790d50f66
SHA512: 9484c7680cfc8cd4dbe296864d42dbee9e564f5512388120eb84f6a41bb5acc2b73a49959dee02c7c3c3c4116052b187bf262c08fa7dc5189b7985c7fb2bd962

Filesize: 377KB
MD5: c9a968a7fd8c3153a04c79e05d53dc4e
SHA1: ca727a66c32b9c2bf95d52d2404179df122af2e1
SHA256: 9d9bb0c8c3e93b35eb7d5b3ef47d663ba906e37ba372b366d976042b807ac31f
SHA512: 36204dbc4d5429402d92ec10defb72ad7c59ef87a3dd1a720e743b7d46582cd6f555b4003927068228d50822ac205fa60f900c087e240184a9de2a84d3958d04

Filesize: 459KB
MD5: e79e5f1f45bd4f426b0884c66131314e
SHA1: 419ee6311eb558eb44923e82dfbcefcbfc4ea1f0
SHA256: 157f165ab8fe9936f6c6ad9d54c6b3a436976f1a0ca12baf108f9c82f8f0af6e
SHA512: 3a765a5939d1f38751b9b7221522824d3b5461182a3c5e3e1b10389e2b31cd306e7d72a83a2d2b8693ea8047a9148c17f490b8521e7d0378cf34679f94117008