Analysis
max time kernel: 142s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 06:47
Static task: static1
Behavioral task: behavioral1
Sample: b5e7a0c012504e94852b2f77f00ca4d845fb9bc9a98b0d059b939c9930eb5349.exe
Resource: win10v2004-20241007-en
General
Target: b5e7a0c012504e94852b2f77f00ca4d845fb9bc9a98b0d059b939c9930eb5349.exe
Size: 695KB
MD5: 78f1ba1a47508a147b182b60f2bfb077
SHA1: 721e0ff4ca67f8c4e40fb66de637fc810d4bbc62
SHA256: b5e7a0c012504e94852b2f77f00ca4d845fb9bc9a98b0d059b939c9930eb5349
SHA512: bc3ed25932bc656c552d16340332d6b155b21bd7f49b6cbe0f1bcee023f8fd93bd7953b8de4ae29c076f2d968185f26a4754e1bfffefdbb68c52dc6c729bf283
SSDEEP: 12288:4y90+RurF6xKOIbojIqcepZ59M98mUXVNH7B/WAP52qdpfp:4yZyOBL9+SNH7B+A3dhp
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family
Modifies Windows Defender Real-time Protection settings
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (30895238.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (30895238.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (30895238.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (30895238.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (30895238.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (30895238.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Redline family
Executes dropped EXE (3 IoCs)
pid 4200: un223649.exe
pid 4792: 30895238.exe
pid 2104: rk110243.exe
Windows security modification
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (30895238.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (30895238.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un223649.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (b5e7a0c012504e94852b2f77f00ca4d845fb9bc9a98b0d059b939c9930eb5349.exe)
Program crash (1 IoCs)
pid 4360, pid_target 4792: WerFault.exe (procid_target 86)
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (b5e7a0c012504e94852b2f77f00ca4d845fb9bc9a98b0d059b939c9930eb5349.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (un223649.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (30895238.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rk110243.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid 4792: 30895238.exe
pid 4792: 30895238.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege, pid 4792: 30895238.exe
Token: SeDebugPrivilege, pid 2104: rk110243.exe
Suspicious use of WriteProcessMemory (9 IoCs)
PID 2424 wrote to memory of 4200 (b5e7a0c012504e94852b2f77f00ca4d845fb9bc9a98b0d059b939c9930eb5349.exe, procid_target 84)
PID 2424 wrote to memory of 4200 (b5e7a0c012504e94852b2f77f00ca4d845fb9bc9a98b0d059b939c9930eb5349.exe, procid_target 84)
PID 2424 wrote to memory of 4200 (b5e7a0c012504e94852b2f77f00ca4d845fb9bc9a98b0d059b939c9930eb5349.exe, procid_target 84)
PID 4200 wrote to memory of 4792 (un223649.exe, procid_target 86)
PID 4200 wrote to memory of 4792 (un223649.exe, procid_target 86)
PID 4200 wrote to memory of 4792 (un223649.exe, procid_target 86)
PID 4200 wrote to memory of 2104 (un223649.exe, procid_target 101)
PID 4200 wrote to memory of 2104 (un223649.exe, procid_target 101)
PID 4200 wrote to memory of 2104 (un223649.exe, procid_target 101)
Processes
C:\Users\Admin\AppData\Local\Temp\b5e7a0c012504e94852b2f77f00ca4d845fb9bc9a98b0d059b939c9930eb5349.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b5e7a0c012504e94852b2f77f00ca4d845fb9bc9a98b0d059b939c9930eb5349.exe"
  PID: 2424
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un223649.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un223649.exe
    PID: 4200
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\30895238.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\30895238.exe
      PID: 4792
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1084
        PID: 4360
        - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk110243.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk110243.exe
      PID: 2104
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4792 -ip 4792
  PID: 4664
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 541KB
MD5: 7d34c9bdb9723a8d659f6dc3ed674f16
SHA1: 27da3c22fec89f6c736e91b0566690f50d1b2b55
SHA256: b916e0b81adb81e40c2c85c9f3d477ddbc4913d269ea40b10972de77dd720ae7
SHA512: 28683f29dd0013078b52800ef51bf876af1c59afea79c762b6bd7d4b3e65bf68c2af41ed58c44b6de3e95a2a516d11224cc28c315a0c9932668b2d9d2365eefc

Filesize: 258KB
MD5: 66549a9b42008ae1ab2ee3864edadbd8
SHA1: 0da21f27b18eab67e1f12e109bfe5190cc1e102c
SHA256: 5636eca782839b28ee9a1e7b918563ca9e5629920050baee92059529627ef1d9
SHA512: ebb2756e78ec98a6783822d5c94c292b62ee93a4c3a79c95ec5935e591abfb29e2cb245d2cf1649e9bb7980bda795d79d0fce0f59120e65bc9ebca6d3eb7f0de

Filesize: 341KB
MD5: dae81d49ec27c5e46fe9734aa396fba5
SHA1: 0d31e122f10750a34e31422a55ed19127ae68465
SHA256: e48a89079c27032f5b27bd4b123173f0d76f839d066048cc457b52e845903d06
SHA512: 39054cfac24f040ec7cc4b3e3a35ea80a9d66af3553eb85b2f862feb34b6ec41d843ad5500e46539d2902de6e7d25d4a37c45e784d764ef133271d505e039c30