Analysis
max time kernel: 120s
max time network: 115s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 06:49
Static task: static1
Behavioral task: behavioral1
Sample: 7d5fe19bb7b07601bec773178ea422a6553db8f625a18b992f9b8141ca961d13N.exe
Resource: win10v2004-20241007-en
General
Target: 7d5fe19bb7b07601bec773178ea422a6553db8f625a18b992f9b8141ca961d13N.exe
Size: 765KB
MD5: 32e9d2d33db997529ce9d814a53f4570
SHA1: a2280198ee61bfce6d5e661a34783dc4cebfc9b3
SHA256: 7d5fe19bb7b07601bec773178ea422a6553db8f625a18b992f9b8141ca961d13
SHA512: b24e17547e32a6627a3a0a02a047ad8d957449bbf3ec6573c27aa5e1b3d5c7cd023acfab267646ab5e55998555e745304ce84e5008061591a935a9a999b2406d
SSDEEP: 12288:Ly90zFOle+7anWM7VnCbtWLrUZhKd4wT3nU/IHL+rfUWHyh1RFFT5:LyZeGiWxCrymLTE/IryfUoyh9H
Malware Config
Signatures
Detects Healer an antivirus disabler dropper (17 IoCs)
resource | yara_rule
behavioral1/memory/2488-19-0x0000000002890000-0x00000000028AA000-memory.dmp | healer
behavioral1/memory/2488-21-0x0000000002950000-0x0000000002968000-memory.dmp | healer
behavioral1/memory/2488-49-0x0000000002950000-0x0000000002962000-memory.dmp | healer
behavioral1/memory/2488-47-0x0000000002950000-0x0000000002962000-memory.dmp | healer
behavioral1/memory/2488-45-0x0000000002950000-0x0000000002962000-memory.dmp | healer
behavioral1/memory/2488-43-0x0000000002950000-0x0000000002962000-memory.dmp | healer
behavioral1/memory/2488-41-0x0000000002950000-0x0000000002962000-memory.dmp | healer
behavioral1/memory/2488-39-0x0000000002950000-0x0000000002962000-memory.dmp | healer
behavioral1/memory/2488-37-0x0000000002950000-0x0000000002962000-memory.dmp | healer
behavioral1/memory/2488-35-0x0000000002950000-0x0000000002962000-memory.dmp | healer
behavioral1/memory/2488-33-0x0000000002950000-0x0000000002962000-memory.dmp | healer
behavioral1/memory/2488-31-0x0000000002950000-0x0000000002962000-memory.dmp | healer
behavioral1/memory/2488-29-0x0000000002950000-0x0000000002962000-memory.dmp | healer
behavioral1/memory/2488-27-0x0000000002950000-0x0000000002962000-memory.dmp | healer
behavioral1/memory/2488-25-0x0000000002950000-0x0000000002962000-memory.dmp | healer
behavioral1/memory/2488-23-0x0000000002950000-0x0000000002962000-memory.dmp | healer
behavioral1/memory/2488-22-0x0000000002950000-0x0000000002962000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr989269.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr989269.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr989269.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr989269.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr989269.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr989269.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
resource | yara_rule
behavioral1/memory/4020-61-0x0000000002600000-0x000000000263C000-memory.dmp | family_redline
behavioral1/memory/4020-62-0x0000000004E50000-0x0000000004E8A000-memory.dmp | family_redline
behavioral1/memory/4020-78-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
behavioral1/memory/4020-84-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
behavioral1/memory/4020-96-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
behavioral1/memory/4020-94-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
behavioral1/memory/4020-92-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
behavioral1/memory/4020-90-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
behavioral1/memory/4020-88-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
behavioral1/memory/4020-86-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
behavioral1/memory/4020-82-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
behavioral1/memory/4020-80-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
behavioral1/memory/4020-76-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
behavioral1/memory/4020-74-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
behavioral1/memory/4020-73-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
behavioral1/memory/4020-70-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
behavioral1/memory/4020-68-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
behavioral1/memory/4020-66-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
behavioral1/memory/4020-64-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
behavioral1/memory/4020-63-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
Redline family

Executes dropped EXE (3 IoCs)
pid | Process
3048 | un876291.exe
2488 | pr989269.exe
4020 | qu346210.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr989269.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr989269.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 7d5fe19bb7b07601bec773178ea422a6553db8f625a18b992f9b8141ca961d13N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un876291.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
388 | 2488 | WerFault.exe | 87
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pr989269.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu346210.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7d5fe19bb7b07601bec773178ea422a6553db8f625a18b992f9b8141ca961d13N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un876291.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2488 | pr989269.exe
2488 | pr989269.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2488 | pr989269.exe
Token: SeDebugPrivilege | 4020 | qu346210.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 4756 wrote to memory of 3048 | 4756 | 7d5fe19bb7b07601bec773178ea422a6553db8f625a18b992f9b8141ca961d13N.exe | 85
PID 4756 wrote to memory of 3048 | 4756 | 7d5fe19bb7b07601bec773178ea422a6553db8f625a18b992f9b8141ca961d13N.exe | 85
PID 4756 wrote to memory of 3048 | 4756 | 7d5fe19bb7b07601bec773178ea422a6553db8f625a18b992f9b8141ca961d13N.exe | 85
PID 3048 wrote to memory of 2488 | 3048 | un876291.exe | 87
PID 3048 wrote to memory of 2488 | 3048 | un876291.exe | 87
PID 3048 wrote to memory of 2488 | 3048 | un876291.exe | 87
PID 3048 wrote to memory of 4020 | 3048 | un876291.exe | 98
PID 3048 wrote to memory of 4020 | 3048 | un876291.exe | 98
PID 3048 wrote to memory of 4020 | 3048 | un876291.exe | 98
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\7d5fe19bb7b07601bec773178ea422a6553db8f625a18b992f9b8141ca961d13N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7d5fe19bb7b07601bec773178ea422a6553db8f625a18b992f9b8141ca961d13N.exe"
    PID: 4756
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [depth 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un876291.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un876291.exe
        PID: 3048
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [depth 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr989269.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr989269.exe
            PID: 2488
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            [depth 4] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 1084
                PID: 388
                - Program crash

        [depth 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu346210.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu346210.exe
            PID: 4020
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken

[depth 1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2488 -ip 2488
    PID: 4568
Network
MITRE ATT&CK Enterprise v15
Persistence
    Boot or Logon Autostart Execution (1)
        Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (1)
        Windows Service (1)
Downloads

Filesize: 610KB
MD5: b3235b12067b30fe7f0e9d9727a6a653
SHA1: 9f0446fe80e358af127b01f7a9dfc9e833082504
SHA256: 17da521069c39732305f52b2d514c495d2144316f9c0bda0140387d96111347d
SHA512: 7fda3e48dfe55f9fb4e765f7b96b58f9de7d22905db322b6a92cded3a125c3e8be8be589bce53440e0e8b1bf7cc267a1652eb8ef5086947464106c75afc7572c

Filesize: 405KB
MD5: 862ed2be882a4f57b82c0056abb27a5b
SHA1: 3412c5e1920307e11fd597b091b8ddc51cb8e60a
SHA256: 1c924f63941c427dccff0ac994b7f3d1f2980a0d0a30dc7f39d5d7288ee79d85
SHA512: a02ee7af595ce60c993b16adf06b2b3d236b139c9ec50142b9a3a869d90dcd7b3d4e4c7b40e88358dbdcda508cee6d7ad57ada734b29d97eb6ac5d250e4c84b6

Filesize: 488KB
MD5: 64e1452b59bb58076646dcfb86b8e388
SHA1: ed34098a3450806ca13022480f486573b919fc2b
SHA256: deda999c411d2e121aeeffecff44706768d2d2a38b8a2816f822bb56c1ff7be0
SHA512: 106a631b487ad330c82d0271209b23c1353d294c715881eccbbbb1a50a500fa19cdfdb11ea3bdf53cb5a4e60dca0e30338bf285d22db913929d201a18dd5dbb3