Analysis
max time kernel: 118s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 06:01
Static task: static1
Behavioral task: behavioral1
Sample: 182adf87a70fdb2689464abbafbf96650afa0a206e51f50ce3732bd544dd7541.exe
Resource: win10v2004-20241007-en
General
Target: 182adf87a70fdb2689464abbafbf96650afa0a206e51f50ce3732bd544dd7541.exe
Size: 746KB
MD5: 58650285e9433ac6726f8f145a49847d
SHA1: 2b21f837e830b660cdff8092e3d3fc2c3bf6e5b4
SHA256: 182adf87a70fdb2689464abbafbf96650afa0a206e51f50ce3732bd544dd7541
SHA512: c9a52b12cabaca4c09071385545b7b63e02b3174d52636dcf2e20df22622b50141a5d76ff2e08a97dbbce546b211d05c248cc0daa1376aadb7386f7f5bbfe578
SSDEEP: 12288:9y90anU2UDA6w1dXSiY7ywxypAniaMZJtE9Nk2JF8f0F88udRojdqePZhOktNmo2:9yCTDA6wviilvpgiaM5ENFqTIhvP+kON
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (96579889.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (96579889.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (96579889.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (96579889.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (96579889.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (96579889.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Redline family

Executes dropped EXE (3 IoCs)
- PID 3140: un593676.exe
- PID 4336: 96579889.exe
- PID 1760: rk678183.exe
Windows security modification
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (96579889.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (96579889.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (182adf87a70fdb2689464abbafbf96650afa0a206e51f50ce3732bd544dd7541.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un593676.exe)
Program crash (1 IoC)
- pid 436, pid_target 4336, Process WerFault.exe, procid_target 84
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (182adf87a70fdb2689464abbafbf96650afa0a206e51f50ce3732bd544dd7541.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (un593676.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (96579889.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rk678183.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 4336: 96579889.exe
- PID 4336: 96579889.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 4336, 96579889.exe
- Token: SeDebugPrivilege, PID 1760, rk678183.exe
Suspicious use of WriteProcessMemory (9 IoCs)
- PID 1652 wrote to memory of 3140 (182adf87a70fdb2689464abbafbf96650afa0a206e51f50ce3732bd544dd7541.exe, procid_target 83)
- PID 1652 wrote to memory of 3140 (182adf87a70fdb2689464abbafbf96650afa0a206e51f50ce3732bd544dd7541.exe, procid_target 83)
- PID 1652 wrote to memory of 3140 (182adf87a70fdb2689464abbafbf96650afa0a206e51f50ce3732bd544dd7541.exe, procid_target 83)
- PID 3140 wrote to memory of 4336 (un593676.exe, procid_target 84)
- PID 3140 wrote to memory of 4336 (un593676.exe, procid_target 84)
- PID 3140 wrote to memory of 4336 (un593676.exe, procid_target 84)
- PID 3140 wrote to memory of 1760 (un593676.exe, procid_target 99)
- PID 3140 wrote to memory of 1760 (un593676.exe, procid_target 99)
- PID 3140 wrote to memory of 1760 (un593676.exe, procid_target 99)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\182adf87a70fdb2689464abbafbf96650afa0a206e51f50ce3732bd544dd7541.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\182adf87a70fdb2689464abbafbf96650afa0a206e51f50ce3732bd544dd7541.exe"
    PID: 1652
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un593676.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un593676.exe
        PID: 3140
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\96579889.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\96579889.exe
            PID: 4336
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\SysWOW64\WerFault.exe
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 1108
                PID: 436
                - Program crash
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk678183.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk678183.exe
            PID: 1760
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4336 -ip 4336
    PID: 928
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads