Analysis
- max time kernel: 113s
- max time network: 117s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 06:48
Static task: static1
Behavioral task: behavioral1
- Sample: 5be90b8825d025a3ee7cbee5ab1e4b0597845e421a277b8b05deb6cf173ee0c1N.exe
- Resource: win10v2004-20241007-en
General
- Target: 5be90b8825d025a3ee7cbee5ab1e4b0597845e421a277b8b05deb6cf173ee0c1N.exe
- Size: 540KB
- MD5: 44eda8ee17dcad9107f728d6526797b8
- SHA1: 0cdf67fbce95c9c55d50eae080389c6d170aa0a2
- SHA256: ad9aa144d80e7f238b2c9bab2b4d641a315ddf7c60504f7a341546f6d15a44fd
- SHA512: 16a5fa99172bb837f2b38274413fbff0fb376f6cb7b58072b4cd1c83aef3b5e8a66b5817b362deb689a6b11c4e34c2ad95b4540d554a08bec3fc425e3538024a
- SSDEEP: 12288:Hy907Yj+5+w3FT2Vyj0mP3vqWN6F718bvKJA+Xk:HyrjJuFAyQK6F718bv2Jk
Note: the SHA256 embedded in the sample's filename (5be90b88...ee0c1) is not the SHA256 of the submitted file (ad9aa144...a44fd); pivot on the hashes listed here, not on the filename.
Malware Config
Signatures
-
Detects Healer, an antivirus disabler dropper (17 IoCs)
resource / yara_rule
- behavioral1/memory/2780-11-0x0000000004A30000-0x0000000004A4A000-memory.dmp healer
- behavioral1/memory/2780-13-0x0000000004BD0000-0x0000000004BE8000-memory.dmp healer
- behavioral1/memory/2780-18-0x0000000004BD0000-0x0000000004BE3000-memory.dmp healer
- behavioral1/memory/2780-42-0x0000000004BD0000-0x0000000004BE3000-memory.dmp healer
- behavioral1/memory/2780-40-0x0000000004BD0000-0x0000000004BE3000-memory.dmp healer
- behavioral1/memory/2780-38-0x0000000004BD0000-0x0000000004BE3000-memory.dmp healer
- behavioral1/memory/2780-36-0x0000000004BD0000-0x0000000004BE3000-memory.dmp healer
- behavioral1/memory/2780-34-0x0000000004BD0000-0x0000000004BE3000-memory.dmp healer
- behavioral1/memory/2780-32-0x0000000004BD0000-0x0000000004BE3000-memory.dmp healer
- behavioral1/memory/2780-30-0x0000000004BD0000-0x0000000004BE3000-memory.dmp healer
- behavioral1/memory/2780-28-0x0000000004BD0000-0x0000000004BE3000-memory.dmp healer
- behavioral1/memory/2780-26-0x0000000004BD0000-0x0000000004BE3000-memory.dmp healer
- behavioral1/memory/2780-24-0x0000000004BD0000-0x0000000004BE3000-memory.dmp healer
- behavioral1/memory/2780-22-0x0000000004BD0000-0x0000000004BE3000-memory.dmp healer
- behavioral1/memory/2780-20-0x0000000004BD0000-0x0000000004BE3000-memory.dmp healer
- behavioral1/memory/2780-16-0x0000000004BD0000-0x0000000004BE3000-memory.dmp healer
- behavioral1/memory/2780-15-0x0000000004BD0000-0x0000000004BE3000-memory.dmp healer
Healer family
Modifies Windows Defender Real-time Protection settings
description / ioc / Process
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (74410822.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (74410822.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (74410822.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (74410822.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (74410822.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (74410822.exe)
The WOW6432Node path is the 32-bit registry view: the writer is a 32-bit process (the crash handler for it is the SysWOW64 WerFault.exe), so a detection rule must match the key both with and without the WOW6432Node component.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (20 IoCs)
resource / yara_rule
- behavioral1/memory/3596-54-0x0000000004AF0000-0x0000000004B2C000-memory.dmp family_redline
- behavioral1/memory/3596-55-0x0000000004DB0000-0x0000000004DEA000-memory.dmp family_redline
- behavioral1/memory/3596-61-0x0000000004DB0000-0x0000000004DE5000-memory.dmp family_redline
- behavioral1/memory/3596-67-0x0000000004DB0000-0x0000000004DE5000-memory.dmp family_redline
- behavioral1/memory/3596-89-0x0000000004DB0000-0x0000000004DE5000-memory.dmp family_redline
- behavioral1/memory/3596-85-0x0000000004DB0000-0x0000000004DE5000-memory.dmp family_redline
- behavioral1/memory/3596-83-0x0000000004DB0000-0x0000000004DE5000-memory.dmp family_redline
- behavioral1/memory/3596-81-0x0000000004DB0000-0x0000000004DE5000-memory.dmp family_redline
- behavioral1/memory/3596-79-0x0000000004DB0000-0x0000000004DE5000-memory.dmp family_redline
- behavioral1/memory/3596-77-0x0000000004DB0000-0x0000000004DE5000-memory.dmp family_redline
- behavioral1/memory/3596-75-0x0000000004DB0000-0x0000000004DE5000-memory.dmp family_redline
- behavioral1/memory/3596-73-0x0000000004DB0000-0x0000000004DE5000-memory.dmp family_redline
- behavioral1/memory/3596-71-0x0000000004DB0000-0x0000000004DE5000-memory.dmp family_redline
- behavioral1/memory/3596-69-0x0000000004DB0000-0x0000000004DE5000-memory.dmp family_redline
- behavioral1/memory/3596-65-0x0000000004DB0000-0x0000000004DE5000-memory.dmp family_redline
- behavioral1/memory/3596-63-0x0000000004DB0000-0x0000000004DE5000-memory.dmp family_redline
- behavioral1/memory/3596-87-0x0000000004DB0000-0x0000000004DE5000-memory.dmp family_redline
- behavioral1/memory/3596-59-0x0000000004DB0000-0x0000000004DE5000-memory.dmp family_redline
- behavioral1/memory/3596-57-0x0000000004DB0000-0x0000000004DE5000-memory.dmp family_redline
- behavioral1/memory/3596-56-0x0000000004DB0000-0x0000000004DE5000-memory.dmp family_redline
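The Healer and RedLine signature tables above are long because the sandbox records one YARA hit per memory dump, and the same region is dumped again and again. As an added example (not code from the report or from the sandbox vendor), the following Python collapses those hit lines to one row per dumped region and rule, with the region size and how often it was hit, which is what you need when deciding which dump to carve first. The sample input is a subset of the hit lines from the two tables; the `HIT_RE` pattern, the `Region` class and the `summarize` helper are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

# A subset of the YARA hit lines from the Healer and RedLine tables above.
# Any of the report's hit lines parse the same way.
SAMPLE_HITS = """\
behavioral1/memory/2780-11-0x0000000004A30000-0x0000000004A4A000-memory.dmp healer
behavioral1/memory/2780-13-0x0000000004BD0000-0x0000000004BE8000-memory.dmp healer
behavioral1/memory/2780-18-0x0000000004BD0000-0x0000000004BE3000-memory.dmp healer
behavioral1/memory/2780-42-0x0000000004BD0000-0x0000000004BE3000-memory.dmp healer
behavioral1/memory/3596-54-0x0000000004AF0000-0x0000000004B2C000-memory.dmp family_redline
behavioral1/memory/3596-55-0x0000000004DB0000-0x0000000004DEA000-memory.dmp family_redline
behavioral1/memory/3596-61-0x0000000004DB0000-0x0000000004DE5000-memory.dmp family_redline
behavioral1/memory/3596-56-0x0000000004DB0000-0x0000000004DE5000-memory.dmp family_redline
"""

# <task>/memory/<pid>-<dump seq>-0x<start>-0x<end>-memory.dmp <rule>
HIT_RE = re.compile(
    r"(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)"
)


@dataclass(frozen=True)
class Region:
    """One (pid, address range, rule) triple; frozen so it can be a Counter key."""
    pid: int
    start: int
    end: int
    rule: str

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_hits(text: str) -> List[Tuple[int, Region]]:
    """Return (dump sequence number, Region) for every hit line found in text."""
    return [
        (int(m["seq"]), Region(int(m["pid"]), int(m["start"], 16), int(m["end"], 16), m["rule"]))
        for m in HIT_RE.finditer(text)
    ]


def summarize(text: str) -> List[dict]:
    """One row per distinct region/rule, ordered by pid and by the first dump that hit it."""
    hits = parse_hits(text)
    counts = Counter(region for _, region in hits)
    first_seq = {}
    for seq, region in hits:
        first_seq[region] = min(seq, first_seq.get(region, seq))
    rows = [
        {"pid": r.pid, "range": f"0x{r.start:X}-0x{r.end:X}", "size": r.size,
         "rule": r.rule, "hits": counts[r], "first_seq": first_seq[r]}
        for r in counts
    ]
    return sorted(rows, key=lambda row: (row["pid"], row["first_seq"]))


if __name__ == "__main__":
    for row in summarize(SAMPLE_HITS):
        print(f"pid {row['pid']} {row['range']:<20} {row['size']:>7} bytes "
              f"{row['rule']:<15} hits={row['hits']} first dump #{row['first_seq']}")
```

Run against the full tables, the output shows the Healer hits converging on a single 0x13000-byte region in PID 2780 and the RedLine hits on a 0x35000-byte region in PID 3596, each dumped more than a dozen times; those are the dumps worth unpacking rather than the earlier, larger transient regions.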
Redline family
-
Executes dropped EXE (2 IoCs)
pid / Process
- 2780 74410822.exe
- 3596 rk416342.exe
Windows security modification
description / ioc / Process
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (74410822.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (74410822.exe)
Adds Run key to start application (2 TTPs, 1 IoC)
description / ioc / Process
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (5be90b8825d025a3ee7cbee5ab1e4b0597845e421a277b8b05deb6cf173ee0c1N.exe)
A wextract_cleanup<N> RunOnce value that runs advpack.dll,DelNodeRunDLL32 against an IXP<nnn>.TMP directory is the cleanup entry a wextract/IExpress self-extracting package registers so its extraction directory is deleted at the next logon. It identifies the packer the sample was built with rather than malware-specific persistence; the Defender policy writes by 74410822.exe are the meaningful signal in this report.
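The Defender policy writes, the TamperProtection write and the RunOnce entry above are the registry events a host-based detection should key on. The following Python is an added example (not code from the report, from the sandbox or from the malware) that runs a small rule set over constructed registry value-set events shaped like Sysmon Event ID 13 fields (image, target object, details). The first seven events reproduce the writes the report attributes to 74410822.exe and the parent sample; the last two are constructed controls. `normalize_key`, `classify`, `scan` and the severity labels are this example's own. It handles two things a naive string match gets wrong: the WOW6432Node view versus the native path (the report's writer is 32-bit, so both forms must match), and the wextract_cleanup RunOnce entry, which is downgraded to informational because it is the packer's own cleanup rather than persistence.

```python
"""Rule-based triage of registry value-set events for Defender tampering and autorun writes."""
import re
from typing import List, Optional

RTP_POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
# Any of these set to 1 under the policy key disables one Defender real-time component.
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring", "DisableIOAVProtection", "DisableOnAccessProtection",
    "DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable",
}
FEATURES_KEY = r"SOFTWARE\Microsoft\Windows Defender\Features"
AUTORUN_KEYS = {
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run".lower(),
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce".lower(),
}
WEXTRACT_CLEANUP = re.compile(r"^wextract_cleanup\d+$", re.I)


def normalize_key(path: str) -> str:
    """Strip the hive prefix (\\REGISTRY\\MACHINE or HKLM) and the WOW6432Node view.

    A 32-bit writer is logged under SOFTWARE\\WOW6432Node\\...; a rule that only
    knows the native path misses it, and vice versa, so both collapse to one form.
    """
    p = path.strip("\\")
    p = re.sub(r"^(REGISTRY\\MACHINE|HKEY_LOCAL_MACHINE|HKLM)\\", "", p, flags=re.I)
    return re.sub(r"^SOFTWARE\\WOW6432Node\\", "SOFTWARE\\\\", p, flags=re.I)


def as_int(details) -> Optional[int]:
    """Accept ints, decimal strings, or Sysmon's 'DWORD (0x00000001)' rendering."""
    if isinstance(details, int):
        return details
    m = re.search(r"0x([0-9a-f]+)", str(details), re.I)
    if m:
        return int(m.group(1), 16)
    return int(details) if str(details).strip().isdigit() else None


def classify(event: dict) -> Optional[dict]:
    """Return a finding for one event, or None when no rule matches."""
    key, _, value = normalize_key(event["target"]).rpartition("\\")
    k, n = key.lower(), as_int(event["details"])
    if k == RTP_POLICY_KEY.lower() and value in RTP_DISABLE_VALUES and n == 1:
        sev, why = "high", f"Defender real-time protection policy {value} set to 1"
    elif k == FEATURES_KEY.lower() and value.lower() == "tamperprotection" and n == 0:
        sev, why = "high", "Defender TamperProtection set to 0"
    elif k in AUTORUN_KEYS:
        if WEXTRACT_CLEANUP.match(value) and "DelNodeRunDLL32" in str(event["details"]):
            # wextract/IExpress packages register this to delete their IXP<nnn>.TMP
            # directory at next logon; it marks the packer, not malware persistence.
            sev, why = "info", "wextract self-extractor cleanup RunOnce entry"
        else:
            sev, why = "medium", f"autorun entry {value} written"
    else:
        return None
    return {"process": event["image"], "key": key, "value": value, "severity": sev, "reason": why}


def scan(events: List[dict]) -> List[dict]:
    return [f for f in map(classify, events) if f is not None]


# --- constructed input; the first seven mirror the writes recorded in the report ---
RTP_WOW = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
PARENT = "5be90b8825d025a3ee7cbee5ab1e4b0597845e421a277b8b05deb6cf173ee0c1N.exe"
SAMPLE_EVENTS = [
    *({"image": "74410822.exe", "target": RTP_WOW + "\\" + v, "details": "DWORD (0x00000001)"}
      for v in sorted(RTP_DISABLE_VALUES)),
    {"image": "74410822.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
     "details": "DWORD (0x00000000)"},
    {"image": PARENT,
     "target": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "details": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'},
    # Constructed controls: re-enabling protection (value 0) must not fire; a plain Run entry is medium.
    {"image": "gpupdate.exe",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "details": 0},
    {"image": "updater.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\Admin\AppData\Roaming\updater.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']:<6}] {f['process']}: {f['reason']}")
```

The value check matters: a `DisableRealtimeMonitoring = 0` write (an administrator or Group Policy restoring protection) touches the same key and value name and must not alert, so the rules test the written data, not just the path.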
Program crash (1 IoC)
pid / pid_target / Process / procid_target
- 512 crashed 2780 (WerFault.exe, procid_target 84)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (5be90b8825d025a3ee7cbee5ab1e4b0597845e421a277b8b05deb6cf173ee0c1N.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (74410822.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rk416342.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid / Process
- 2780 74410822.exe
- 2780 74410822.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / Process
- Token: SeDebugPrivilege 2780 74410822.exe
- Token: SeDebugPrivilege 3596 rk416342.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description / pid / Process / procid_target
- PID 1840 wrote to memory of 2780 (5be90b8825d025a3ee7cbee5ab1e4b0597845e421a277b8b05deb6cf173ee0c1N.exe, procid_target 84), recorded 3 times
- PID 1840 wrote to memory of 3596 (5be90b8825d025a3ee7cbee5ab1e4b0597845e421a277b8b05deb6cf173ee0c1N.exe, procid_target 98), recorded 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\5be90b8825d025a3ee7cbee5ab1e4b0597845e421a277b8b05deb6cf173ee0c1N.exe (PID 1840)
  command line: "C:\Users\Admin\AppData\Local\Temp\5be90b8825d025a3ee7cbee5ab1e4b0597845e421a277b8b05deb6cf173ee0c1N.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\74410822.exe (PID 2780)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\74410822.exe
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe (PID 512)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 1084
      - Program crash
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rk416342.exe (PID 3596)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rk416342.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 3312)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2780 -ip 2780
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (T1547): 1
- Registry Run Keys / Startup Folder (T1547.001): 1
- Create or Modify System Process (T1543): 1
- Windows Service (T1543.003): 1
Downloads
- Filesize: 258KB
  MD5: 1c633a8468d8c9f660005a3b620abd68
  SHA1: 22fed770d118302653b78bd11b180771b5cc7fa4
  SHA256: 48fcc3303fde85418d0716349718cbe3a9d26bbc200d03566289933079fab97b
  SHA512: a1971bc2f7a86c3345cbf3ce08b411e7397d4c486e274e896d3c44da4a4ee8ba7e6b2df8228e0a8e89c691e24008a26c5fa46f4a6aef2397fd24b4d32b96165a
- Filesize: 340KB
  MD5: fc7d7ee28981afa7d131e32fec735108
  SHA1: b439f2e6945fd86be3b14ad670efa09aa157bc99
  SHA256: 8b54dfa6cb64234d43117bc26a25a55bfef19ee4d66a5f20a1b6710ac9d49596
  SHA512: 1a1a648a2b7776c9df23a5a36dd3dcfb49d12a003126148fd87bb5352b733462cce25c103a509e4ca385b9707f3b59ab72f9d41db9b32a7993fb1b11c9e85fc8