Analysis
max time kernel: 143s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/11/2024, 08:25
Static task: static1
Behavioral task: behavioral1
Sample: b107a696b55650a0e4d87d4ab915309b77371f6cbc9472b72bd983ed512963fb.exe
Resource: win10v2004-20241007-en
General
Target: b107a696b55650a0e4d87d4ab915309b77371f6cbc9472b72bd983ed512963fb.exe
Size: 704KB
MD5: f9ade98c2cc3c892ad5f01f038b5d60c
SHA1: 33479cd235856a9c5875f72188cf9235ade6b63b
SHA256: b107a696b55650a0e4d87d4ab915309b77371f6cbc9472b72bd983ed512963fb
SHA512: e40a3bc8500540fa9ec820a0afbf6b9e89dcb331dad674b4a14060691ce191df83600e3de12c08fa055061927bff7d41ef282c27419a0d7046ffa38783c103ed
SSDEEP: 12288:ry90LQtOiTyYhIdXR/5T0McmyuplqIUz83rHf0DnPfIfJfCu0xuGHX:rygQtOiJgRRwNpuplkQ7/4PfIfJfCNx9
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
resource (yara_rule):
- behavioral1/memory/4752-18-0x0000000004A20000-0x0000000004A3A000-memory.dmp (healer)
- behavioral1/memory/4752-20-0x0000000007130000-0x0000000007148000-memory.dmp (healer)
- behavioral1/memory/4752-48-0x0000000007130000-0x0000000007142000-memory.dmp (healer)
- behavioral1/memory/4752-46-0x0000000007130000-0x0000000007142000-memory.dmp (healer)
- behavioral1/memory/4752-44-0x0000000007130000-0x0000000007142000-memory.dmp (healer)
- behavioral1/memory/4752-40-0x0000000007130000-0x0000000007142000-memory.dmp (healer)
- behavioral1/memory/4752-38-0x0000000007130000-0x0000000007142000-memory.dmp (healer)
- behavioral1/memory/4752-36-0x0000000007130000-0x0000000007142000-memory.dmp (healer)
- behavioral1/memory/4752-32-0x0000000007130000-0x0000000007142000-memory.dmp (healer)
- behavioral1/memory/4752-30-0x0000000007130000-0x0000000007142000-memory.dmp (healer)
- behavioral1/memory/4752-29-0x0000000007130000-0x0000000007142000-memory.dmp (healer)
- behavioral1/memory/4752-27-0x0000000007130000-0x0000000007142000-memory.dmp (healer)
- behavioral1/memory/4752-24-0x0000000007130000-0x0000000007142000-memory.dmp (healer)
- behavioral1/memory/4752-21-0x0000000007130000-0x0000000007142000-memory.dmp (healer)
- behavioral1/memory/4752-42-0x0000000007130000-0x0000000007142000-memory.dmp (healer)
- behavioral1/memory/4752-34-0x0000000007130000-0x0000000007142000-memory.dmp (healer)
- behavioral1/memory/4752-22-0x0000000007130000-0x0000000007142000-memory.dmp (healer)
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description, ioc (Process):
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (pr481824.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (pr481824.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (pr481824.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (pr481824.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (pr481824.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (pr481824.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
resource (yara_rule):
- behavioral1/memory/4504-59-0x0000000004C00000-0x0000000004C3C000-memory.dmp (family_redline)
- behavioral1/memory/4504-60-0x00000000071D0000-0x000000000720A000-memory.dmp (family_redline)
- behavioral1/memory/4504-84-0x00000000071D0000-0x0000000007205000-memory.dmp (family_redline)
- behavioral1/memory/4504-92-0x00000000071D0000-0x0000000007205000-memory.dmp (family_redline)
- behavioral1/memory/4504-90-0x00000000071D0000-0x0000000007205000-memory.dmp (family_redline)
- behavioral1/memory/4504-88-0x00000000071D0000-0x0000000007205000-memory.dmp (family_redline)
- behavioral1/memory/4504-86-0x00000000071D0000-0x0000000007205000-memory.dmp (family_redline)
- behavioral1/memory/4504-82-0x00000000071D0000-0x0000000007205000-memory.dmp (family_redline)
- behavioral1/memory/4504-80-0x00000000071D0000-0x0000000007205000-memory.dmp (family_redline)
- behavioral1/memory/4504-78-0x00000000071D0000-0x0000000007205000-memory.dmp (family_redline)
- behavioral1/memory/4504-76-0x00000000071D0000-0x0000000007205000-memory.dmp (family_redline)
- behavioral1/memory/4504-74-0x00000000071D0000-0x0000000007205000-memory.dmp (family_redline)
- behavioral1/memory/4504-72-0x00000000071D0000-0x0000000007205000-memory.dmp (family_redline)
- behavioral1/memory/4504-70-0x00000000071D0000-0x0000000007205000-memory.dmp (family_redline)
- behavioral1/memory/4504-66-0x00000000071D0000-0x0000000007205000-memory.dmp (family_redline)
- behavioral1/memory/4504-94-0x00000000071D0000-0x0000000007205000-memory.dmp (family_redline)
- behavioral1/memory/4504-68-0x00000000071D0000-0x0000000007205000-memory.dmp (family_redline)
- behavioral1/memory/4504-64-0x00000000071D0000-0x0000000007205000-memory.dmp (family_redline)
- behavioral1/memory/4504-62-0x00000000071D0000-0x0000000007205000-memory.dmp (family_redline)
- behavioral1/memory/4504-61-0x00000000071D0000-0x0000000007205000-memory.dmp (family_redline)
RedLine family

Executes dropped EXE (3 IoCs)
pid, Process:
- 4552 un876034.exe
- 4752 pr481824.exe
- 4504 qu879424.exe

Windows security modification (2 IoCs)
description, ioc (Process):
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (pr481824.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (pr481824.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
description, ioc (Process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (b107a696b55650a0e4d87d4ab915309b77371f6cbc9472b72bd983ed512963fb.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un876034.exe)

Program crash (1 IoCs)
pid, pid_target, Process, procid_target:
- 4392, 4752, WerFault.exe, 86
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description, ioc (Process):
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (b107a696b55650a0e4d87d4ab915309b77371f6cbc9472b72bd983ed512963fb.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (un876034.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (pr481824.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (qu879424.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid, Process:
- 4752 pr481824.exe
- 4752 pr481824.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description, pid, Process:
- Token: SeDebugPrivilege, 4752, pr481824.exe
- Token: SeDebugPrivilege, 4504, qu879424.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description, pid, Process, procid_target:
- PID 3132 wrote to memory of 4552, 3132, b107a696b55650a0e4d87d4ab915309b77371f6cbc9472b72bd983ed512963fb.exe, 85
- PID 3132 wrote to memory of 4552, 3132, b107a696b55650a0e4d87d4ab915309b77371f6cbc9472b72bd983ed512963fb.exe, 85
- PID 3132 wrote to memory of 4552, 3132, b107a696b55650a0e4d87d4ab915309b77371f6cbc9472b72bd983ed512963fb.exe, 85
- PID 4552 wrote to memory of 4752, 4552, un876034.exe, 86
- PID 4552 wrote to memory of 4752, 4552, un876034.exe, 86
- PID 4552 wrote to memory of 4752, 4552, un876034.exe, 86
- PID 4552 wrote to memory of 4504, 4552, un876034.exe, 100
- PID 4552 wrote to memory of 4504, 4552, un876034.exe, 100
- PID 4552 wrote to memory of 4504, 4552, un876034.exe, 100
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\b107a696b55650a0e4d87d4ab915309b77371f6cbc9472b72bd983ed512963fb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b107a696b55650a0e4d87d4ab915309b77371f6cbc9472b72bd983ed512963fb.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3132
  Level 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un876034.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un876034.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4552
    Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr481824.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr481824.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4752
      Level 4: C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1096
        - Program crash
        PID: 4392
    Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu879424.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu879424.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 4504
Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4752 -ip 4752
  PID: 1592
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
File 1
  Filesize: 550KB
  MD5: 59b019776189c77ebd13b1e6ce14fa3d
  SHA1: 94c1f6a111d87537f1ed14b58f21fbf93d6161b7
  SHA256: c59123af08c89e230069f25c53d5e5b5e9cc2fd69e1d26699398fa6a4c16a780
  SHA512: a230121239c0eb472571b45f24e65b1323a2cd4d947c4b4b81c0a891f6addd83506ac1268405f2f77f8acaa7b7016204b8f3990a00eff32c1b637974fd56072d
File 2
  Filesize: 277KB
  MD5: 0f0951ba33ee127cdaf34b72c475f182
  SHA1: eaae4fc3ddbcfd16b94a0687f32b29f690c25e58
  SHA256: 428635df6b5acdb2a8a31dcf51708bf8cf7f86b540710397141fc38540ca4dca
  SHA512: 64bd9a49befeb286ee271265839cb8a485a663f721cadd129dc523d2480573ccb17da8fb4eff854d1c0997e6b86ac120d1996bfdffb78745b830c58f0ae72510
File 3
  Filesize: 360KB
  MD5: 61b25d5481777cce3d53b4939cac5e04
  SHA1: 78499b0842d6ed6aca57b85bc35d65601512df77
  SHA256: eaeadb48640fbf5df73a7d8800dac70718767fa2fbc07f9f917237df60fb22d9
  SHA512: 266169b0c56c7e5af1bdddb2d680da5ff7bcc406aac05749008efeb143faeb043fb89de9328bcb128909bc21b5baac2aa60308d0ddddd9335f9c946626f80c7d