Analysis
max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
11/11/2024, 06:46
Static task
static1
Behavioral task
behavioral1
Sample
189c7eefab7ce0eb6c46397e8dc1c027ac26787339fa8c2583a9f11dd2c042ef.exe
Resource
win10v2004-20241007-en
General
Target
189c7eefab7ce0eb6c46397e8dc1c027ac26787339fa8c2583a9f11dd2c042ef.exe
Size
1.1MB
MD5
1de5705e3bbc894d0066581b07bc9275
SHA1
98164d7c6d360d17b17ef2f69cc30377031b2dba
SHA256
189c7eefab7ce0eb6c46397e8dc1c027ac26787339fa8c2583a9f11dd2c042ef
SHA512
c19850cd43701b9ebb6262c6d51c9117d45a78f2a51d2148870667d2d5ef7a90369b9fe7b1b249189c803ec60c2e40cda1fb5e1121f6279ab767fb586e016185
SSDEEP
24576:oywlIIRrkvR5d+BgQautHRumSGtul3GidEyz:v73d+BgQaYxe+uFnr
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper 17 IoCs
resource | yara_rule
behavioral1/memory/1876-23-0x00000000026B0000-0x00000000026CA000-memory.dmp | healer
behavioral1/memory/1876-25-0x00000000028E0000-0x00000000028F8000-memory.dmp | healer
behavioral1/memory/1876-35-0x00000000028E0000-0x00000000028F2000-memory.dmp | healer
behavioral1/memory/1876-41-0x00000000028E0000-0x00000000028F2000-memory.dmp | healer
behavioral1/memory/1876-53-0x00000000028E0000-0x00000000028F2000-memory.dmp | healer
behavioral1/memory/1876-51-0x00000000028E0000-0x00000000028F2000-memory.dmp | healer
behavioral1/memory/1876-49-0x00000000028E0000-0x00000000028F2000-memory.dmp | healer
behavioral1/memory/1876-47-0x00000000028E0000-0x00000000028F2000-memory.dmp | healer
behavioral1/memory/1876-45-0x00000000028E0000-0x00000000028F2000-memory.dmp | healer
behavioral1/memory/1876-43-0x00000000028E0000-0x00000000028F2000-memory.dmp | healer
behavioral1/memory/1876-39-0x00000000028E0000-0x00000000028F2000-memory.dmp | healer
behavioral1/memory/1876-38-0x00000000028E0000-0x00000000028F2000-memory.dmp | healer
behavioral1/memory/1876-33-0x00000000028E0000-0x00000000028F2000-memory.dmp | healer
behavioral1/memory/1876-31-0x00000000028E0000-0x00000000028F2000-memory.dmp | healer
behavioral1/memory/1876-29-0x00000000028E0000-0x00000000028F2000-memory.dmp | healer
behavioral1/memory/1876-28-0x00000000028E0000-0x00000000028F2000-memory.dmp | healer
behavioral1/memory/1876-26-0x00000000028E0000-0x00000000028F2000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr468856.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr468856.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr468856.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr468856.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr468856.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr468856.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 20 IoCs
resource | yara_rule
behavioral1/memory/3268-62-0x00000000026C0000-0x00000000026FC000-memory.dmp | family_redline
behavioral1/memory/3268-63-0x00000000053A0000-0x00000000053DA000-memory.dmp | family_redline
behavioral1/memory/3268-65-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
behavioral1/memory/3268-77-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
behavioral1/memory/3268-97-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
behavioral1/memory/3268-95-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
behavioral1/memory/3268-93-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
behavioral1/memory/3268-91-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
behavioral1/memory/3268-89-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
behavioral1/memory/3268-87-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
behavioral1/memory/3268-85-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
behavioral1/memory/3268-83-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
behavioral1/memory/3268-81-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
behavioral1/memory/3268-79-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
behavioral1/memory/3268-75-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
behavioral1/memory/3268-73-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
behavioral1/memory/3268-71-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
behavioral1/memory/3268-69-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
behavioral1/memory/3268-67-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
behavioral1/memory/3268-64-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
Redline family
Executes dropped EXE 4 IoCs
pid | Process
3944 | un211244.exe
1484 | un643351.exe
1876 | pr468856.exe
3268 | qu141290.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr468856.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr468856.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | un643351.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 189c7eefab7ce0eb6c46397e8dc1c027ac26787339fa8c2583a9f11dd2c042ef.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un211244.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
1932 | 1876 | WerFault.exe | 88
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 189c7eefab7ce0eb6c46397e8dc1c027ac26787339fa8c2583a9f11dd2c042ef.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un211244.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un643351.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pr468856.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu141290.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1876 | pr468856.exe
1876 | pr468856.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1876 | pr468856.exe
Token: SeDebugPrivilege | 3268 | qu141290.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 3124 wrote to memory of 3944 | 3124 | 189c7eefab7ce0eb6c46397e8dc1c027ac26787339fa8c2583a9f11dd2c042ef.exe | 85
PID 3124 wrote to memory of 3944 | 3124 | 189c7eefab7ce0eb6c46397e8dc1c027ac26787339fa8c2583a9f11dd2c042ef.exe | 85
PID 3124 wrote to memory of 3944 | 3124 | 189c7eefab7ce0eb6c46397e8dc1c027ac26787339fa8c2583a9f11dd2c042ef.exe | 85
PID 3944 wrote to memory of 1484 | 3944 | un211244.exe | 86
PID 3944 wrote to memory of 1484 | 3944 | un211244.exe | 86
PID 3944 wrote to memory of 1484 | 3944 | un211244.exe | 86
PID 1484 wrote to memory of 1876 | 1484 | un643351.exe | 88
PID 1484 wrote to memory of 1876 | 1484 | un643351.exe | 88
PID 1484 wrote to memory of 1876 | 1484 | un643351.exe | 88
PID 1484 wrote to memory of 3268 | 1484 | un643351.exe | 96
PID 1484 wrote to memory of 3268 | 1484 | un643351.exe | 96
PID 1484 wrote to memory of 3268 | 1484 | un643351.exe | 96
Processes
C:\Users\Admin\AppData\Local\Temp\189c7eefab7ce0eb6c46397e8dc1c027ac26787339fa8c2583a9f11dd2c042ef.exe
"C:\Users\Admin\AppData\Local\Temp\189c7eefab7ce0eb6c46397e8dc1c027ac26787339fa8c2583a9f11dd2c042ef.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3124
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un211244.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un211244.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3944
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un643351.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un643351.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID:1484
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr468856.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr468856.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:1876
                C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 972
                - Program crash
                PID:1932
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu141290.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu141290.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            PID:3268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1876 -ip 1876
PID:4884
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Create or Modify System Process 1
Windows Service 1
Downloads
Filesize
762KB
MD5
7587be15a53e5dfcb52b1f5014bcd72c
SHA1
49985acd84260af756e83bec72a6495c057d351b
SHA256
b9e03413f61e35e3fe0c4e1980d2d7e5e9f0ef7f7477ec28504142636f9b8f2b
SHA512
2c2e78617d8f982193afc5d13136b47fd90a85bd3257c0ef44e11f212b943dcbd0dc9b1a3e115863c0095c471eee09a01dfc3b181b05ffbed491aa53958d2dac

Filesize
608KB
MD5
c40782d09d3be02845a1f0659334e829
SHA1
95b82d1bfbf0a189288307d812415914525725f4
SHA256
0c1ec83ade2c1fe1f6f6a90172ee4c762033398b180b7c5a06756df481bc79a9
SHA512
e469261db007348c2b75122b557e3b429ae69ea90093b6cd8e565e89b947f130e6b2a3235da6f158ccc1602c35140d8990c66243089d00657607531d4e6a09f0

Filesize
405KB
MD5
1fce9421cfb38f7adea18478051182c4
SHA1
c4e71eac16be4b91d67c0012a43556d04c6fa31b
SHA256
955d69aced797ab18676bb3be1733c44b1166d7f79a7302eccceb94e3409659a
SHA512
0bdec298f15ecdf905a902b2752a142194466c0f9b1dda86dcae35908d883e7232be0f0066ddd795d1f4f50567db64eaac4bbd28af8aab32045482b8af02999e

Filesize
488KB
MD5
d5053237e0987b7e90fb0f9ca420f468
SHA1
bf4dadbcb4a8a7327e9df2138b12722bb3120ebb
SHA256
a0a36a3d0294ab216a55eca95bd3c20391ab9b18a8107b77567759be5d66925d
SHA512
6774b5ee36b46905dc837abd5c57bbe3075d33200cd68695ee023d3ad020cca7dce25c1c8982f11d1a3cc9360e001c1633a3bc3a2c022e56dbef93763bf3d3c6