Analysis

max time kernel: 143s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 06:48
Static task: static1
Behavioral task: behavioral1
Sample: 6f7e84c69125f129805352dc302086c4f50851441cbd6d8150fedb85eff9699a.exe
Resource: win10v2004-20241007-en
General

Target: 6f7e84c69125f129805352dc302086c4f50851441cbd6d8150fedb85eff9699a.exe
Size: 685KB
MD5: fdfe8e39d4b278956280d68a3e2da8e4
SHA1: 1b25ccb0cfda518ab32ee6fed1fad63cc543a9dc
SHA256: 6f7e84c69125f129805352dc302086c4f50851441cbd6d8150fedb85eff9699a
SHA512: 0afbd0d860278b1cc6205e66b6e5e175c4f48a43c44f953830bf526d90c9a0d9392f13a015255726dc958248572db0f5b6bd1d6247e46b33c0a6bc90636de075
SSDEEP: 12288:7y90OqI4DnLzpMPXAFTyCSagpuXbkNvwYgXV5uyyx/7phqcvZ2:7yO1nLFFSkuwfXruj1FvZ2
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (72039212.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (72039212.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (72039212.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (72039212.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (72039212.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (72039212.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
RedLine family

Executes dropped EXE (3 IoCs)
- PID 3528: un982062.exe
- PID 4716: 72039212.exe
- PID 4292: rk675349.exe
Windows security modification
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (72039212.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (72039212.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (6f7e84c69125f129805352dc302086c4f50851441cbd6d8150fedb85eff9699a.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un982062.exe)
Program crash (1 IoC)
- PID 4780 (WerFault.exe), target PID 4716, procid_target 85
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (6f7e84c69125f129805352dc302086c4f50851441cbd6d8150fedb85eff9699a.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (un982062.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (72039212.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rk675349.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 4716: 72039212.exe
- PID 4716: 72039212.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 4716 (72039212.exe)
- Token: SeDebugPrivilege, PID 4292 (rk675349.exe)
Suspicious use of WriteProcessMemory (9 IoCs)
- PID 1492 (6f7e84c69125f129805352dc302086c4f50851441cbd6d8150fedb85eff9699a.exe) wrote to memory of PID 3528, procid_target 83
- PID 1492 (6f7e84c69125f129805352dc302086c4f50851441cbd6d8150fedb85eff9699a.exe) wrote to memory of PID 3528, procid_target 83
- PID 1492 (6f7e84c69125f129805352dc302086c4f50851441cbd6d8150fedb85eff9699a.exe) wrote to memory of PID 3528, procid_target 83
- PID 3528 (un982062.exe) wrote to memory of PID 4716, procid_target 85
- PID 3528 (un982062.exe) wrote to memory of PID 4716, procid_target 85
- PID 3528 (un982062.exe) wrote to memory of PID 4716, procid_target 85
- PID 3528 (un982062.exe) wrote to memory of PID 4292, procid_target 100
- PID 3528 (un982062.exe) wrote to memory of PID 4292, procid_target 100
- PID 3528 (un982062.exe) wrote to memory of PID 4292, procid_target 100
Processes

C:\Users\Admin\AppData\Local\Temp\6f7e84c69125f129805352dc302086c4f50851441cbd6d8150fedb85eff9699a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6f7e84c69125f129805352dc302086c4f50851441cbd6d8150fedb85eff9699a.exe"
  PID: 1492
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un982062.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un982062.exe
    PID: 3528
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\72039212.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\72039212.exe
      PID: 4716
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 1080
        PID: 4780
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk675349.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk675349.exe
      PID: 4292
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4716 -ip 4716
  PID: 4740
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads

- Filesize: 531KB
  MD5: 2c09819d7973fe5547caa6bef463d2f7
  SHA1: 6c98d23b3c329c62d4edc8dbbb4db175d9110b01
  SHA256: 287e9aef5a8c3d2cfbde9100db88cff35b6427888702892a8e3e23415bd2dc87
  SHA512: a56e94f91ef2bc2c5982a2b2a71606a4b676cc0430012eaf992bf476c69adbfb296ebb0c82abcf6eec2c284cf33ff19a466205aaced2a53ae9b5e0b5281dbf43

- Filesize: 249KB
  MD5: 6f9e40197f10829263513fee951ed3f0
  SHA1: 0a53e26c39c9d072c7652e0a74789cbab00ff06f
  SHA256: 74e29342f5f3d1552a94a625d462e24d11f39b990583175dc43300ec246161b9
  SHA512: 0d153bdd9f5d2a622e3fd4754d23e16a70452defd61182a68cde4b394507dddbabb31166497a203b59495a5806a9038c9d7fe7fcef6bf7e1dc14806bb2ec9c85

- Filesize: 332KB
  MD5: 59fada66c0b0b3dff2f2ee7784e4930d
  SHA1: aa4c583a4bf54973030ed3e3e66df948fc4b44f5
  SHA256: 8db4ee285d15eeea91bd53345a878120bcae8222274df867a73c229034b84bbe
  SHA512: 23f2c2a3848429e676ca47765263d50f6e84ac2000da0413eaf564d8adb519511b600da7fe7011e2c8d86e97178c202ff240327f92fc844ba3f48908ab7b443b