Analysis
- max time kernel: 142s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/11/2024, 20:50
Static task: static1
Behavioral task: behavioral1
Sample: 9a44bd74038d3681791bb4e147be1e9220af0d71e9a32a20a59391b43e2d314f.exe
Resource: win10v2004-20241007-en
General
- Target: 9a44bd74038d3681791bb4e147be1e9220af0d71e9a32a20a59391b43e2d314f.exe
- Size: 1.1MB
- MD5: cc075fa73b7a43b31509eec72c70214e
- SHA1: f8a1cb64324b3cd82c93a4f8e9beaf59393cff75
- SHA256: 9a44bd74038d3681791bb4e147be1e9220af0d71e9a32a20a59391b43e2d314f
- SHA512: f5334517e1dcc5b28eec7135d86d9b9ed5c3bf0d8de49312556aa532f628ba8085b1a116a69ac1a9abe7df505e314207ab18d2406814224d68b322e36064a02e
- SSDEEP: 24576:XypOi2nvRQvbhLfumIS9fyl3wqeGfB9ubUYFHQL6Ju:i8i2nvaVLfl3IuqxfB0UywL
Malware Config
Signatures
Detects Healer an antivirus disabler dropper 17 IoCs
resource  yara_rule
behavioral1/memory/4584-23-0x0000000002800000-0x000000000281A000-memory.dmp  healer
behavioral1/memory/4584-25-0x0000000004EE0000-0x0000000004EF8000-memory.dmp  healer
behavioral1/memory/4584-26-0x0000000004EE0000-0x0000000004EF2000-memory.dmp  healer
behavioral1/memory/4584-53-0x0000000004EE0000-0x0000000004EF2000-memory.dmp  healer
behavioral1/memory/4584-51-0x0000000004EE0000-0x0000000004EF2000-memory.dmp  healer
behavioral1/memory/4584-49-0x0000000004EE0000-0x0000000004EF2000-memory.dmp  healer
behavioral1/memory/4584-47-0x0000000004EE0000-0x0000000004EF2000-memory.dmp  healer
behavioral1/memory/4584-45-0x0000000004EE0000-0x0000000004EF2000-memory.dmp  healer
behavioral1/memory/4584-43-0x0000000004EE0000-0x0000000004EF2000-memory.dmp  healer
behavioral1/memory/4584-41-0x0000000004EE0000-0x0000000004EF2000-memory.dmp  healer
behavioral1/memory/4584-39-0x0000000004EE0000-0x0000000004EF2000-memory.dmp  healer
behavioral1/memory/4584-37-0x0000000004EE0000-0x0000000004EF2000-memory.dmp  healer
behavioral1/memory/4584-35-0x0000000004EE0000-0x0000000004EF2000-memory.dmp  healer
behavioral1/memory/4584-33-0x0000000004EE0000-0x0000000004EF2000-memory.dmp  healer
behavioral1/memory/4584-31-0x0000000004EE0000-0x0000000004EF2000-memory.dmp  healer
behavioral1/memory/4584-29-0x0000000004EE0000-0x0000000004EF2000-memory.dmp  healer
behavioral1/memory/4584-27-0x0000000004EE0000-0x0000000004EF2000-memory.dmp  healer
Healer family
Modifies Windows Defender Real-time Protection settings 6 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  pr065875.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  pr065875.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  pr065875.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  pr065875.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  pr065875.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  pr065875.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 20 IoCs
resource  yara_rule
behavioral1/memory/4204-62-0x0000000004D70000-0x0000000004DAC000-memory.dmp  family_redline
behavioral1/memory/4204-63-0x0000000004E30000-0x0000000004E6A000-memory.dmp  family_redline
behavioral1/memory/4204-65-0x0000000004E30000-0x0000000004E65000-memory.dmp  family_redline
behavioral1/memory/4204-73-0x0000000004E30000-0x0000000004E65000-memory.dmp  family_redline
behavioral1/memory/4204-97-0x0000000004E30000-0x0000000004E65000-memory.dmp  family_redline
behavioral1/memory/4204-95-0x0000000004E30000-0x0000000004E65000-memory.dmp  family_redline
behavioral1/memory/4204-93-0x0000000004E30000-0x0000000004E65000-memory.dmp  family_redline
behavioral1/memory/4204-91-0x0000000004E30000-0x0000000004E65000-memory.dmp  family_redline
behavioral1/memory/4204-89-0x0000000004E30000-0x0000000004E65000-memory.dmp  family_redline
behavioral1/memory/4204-87-0x0000000004E30000-0x0000000004E65000-memory.dmp  family_redline
behavioral1/memory/4204-83-0x0000000004E30000-0x0000000004E65000-memory.dmp  family_redline
behavioral1/memory/4204-81-0x0000000004E30000-0x0000000004E65000-memory.dmp  family_redline
behavioral1/memory/4204-79-0x0000000004E30000-0x0000000004E65000-memory.dmp  family_redline
behavioral1/memory/4204-77-0x0000000004E30000-0x0000000004E65000-memory.dmp  family_redline
behavioral1/memory/4204-75-0x0000000004E30000-0x0000000004E65000-memory.dmp  family_redline
behavioral1/memory/4204-71-0x0000000004E30000-0x0000000004E65000-memory.dmp  family_redline
behavioral1/memory/4204-69-0x0000000004E30000-0x0000000004E65000-memory.dmp  family_redline
behavioral1/memory/4204-67-0x0000000004E30000-0x0000000004E65000-memory.dmp  family_redline
behavioral1/memory/4204-85-0x0000000004E30000-0x0000000004E65000-memory.dmp  family_redline
behavioral1/memory/4204-64-0x0000000004E30000-0x0000000004E65000-memory.dmp  family_redline
Redline family
Executes dropped EXE 4 IoCs
pid  Process
1476  un729903.exe
1644  un896666.exe
4584  pr065875.exe
4204  qu162953.exe

Windows security modification 2 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  pr065875.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  pr065875.exe
Adds Run key to start application 2 TTPs 3 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  9a44bd74038d3681791bb4e147be1e9220af0d71e9a32a20a59391b43e2d314f.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  un729903.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  un896666.exe
Program crash 1 IoCs
pid  pid_target  Process  procid_target
1876  4584  WerFault.exe  87
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  9a44bd74038d3681791bb4e147be1e9220af0d71e9a32a20a59391b43e2d314f.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  un729903.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  un896666.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pr065875.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  qu162953.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid  Process
4584  pr065875.exe
4584  pr065875.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description  pid  Process
Token: SeDebugPrivilege  4584  pr065875.exe
Token: SeDebugPrivilege  4204  qu162953.exe

Suspicious use of WriteProcessMemory 12 IoCs
description  pid  Process  procid_target
PID 4568 wrote to memory of 1476  4568  9a44bd74038d3681791bb4e147be1e9220af0d71e9a32a20a59391b43e2d314f.exe  84
PID 4568 wrote to memory of 1476  4568  9a44bd74038d3681791bb4e147be1e9220af0d71e9a32a20a59391b43e2d314f.exe  84
PID 4568 wrote to memory of 1476  4568  9a44bd74038d3681791bb4e147be1e9220af0d71e9a32a20a59391b43e2d314f.exe  84
PID 1476 wrote to memory of 1644  1476  un729903.exe  85
PID 1476 wrote to memory of 1644  1476  un729903.exe  85
PID 1476 wrote to memory of 1644  1476  un729903.exe  85
PID 1644 wrote to memory of 4584  1644  un896666.exe  87
PID 1644 wrote to memory of 4584  1644  un896666.exe  87
PID 1644 wrote to memory of 4584  1644  un896666.exe  87
PID 1644 wrote to memory of 4204  1644  un896666.exe  98
PID 1644 wrote to memory of 4204  1644  un896666.exe  98
PID 1644 wrote to memory of 4204  1644  un896666.exe  98
Processes
1. C:\Users\Admin\AppData\Local\Temp\9a44bd74038d3681791bb4e147be1e9220af0d71e9a32a20a59391b43e2d314f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9a44bd74038d3681791bb4e147be1e9220af0d71e9a32a20a59391b43e2d314f.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 4568
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un729903.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un729903.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1476
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un896666.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un896666.exe
         - Executes dropped EXE
         - Adds Run key to start application
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 1644
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4584
            5. C:\Windows\SysWOW64\WerFault.exe
               Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 1084
               - Program crash
               PID: 1876
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu162953.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu162953.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            PID: 4204
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4584 -ip 4584
   PID: 2596
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Filesize: 762KB
  MD5: 7b8904205ff2bd06e934aac1c2caa5c4
  SHA1: 3450333d5597f5a51cf15ca45169df25c50ee655
  SHA256: b8c1ac6d3f752ae9590988a1ac0f4415dd3d83ded6a505bf6fe2341e946b82c8
  SHA512: 1142f5590b6da15df48d9af982149e773c3f61886c4b33384de58a9f50ef8c4a4c1f5d71642a0cb092a590a6b7931282b96cd835628827b425d0d562f91763a6
- Filesize: 608KB
  MD5: a59d56c9efa4f4b56a1b12ca3c956566
  SHA1: a0cd1b68a122033557191294155c657eb20d7df3
  SHA256: 59e008dbdb5351cf910c38cf7f97f449698820dd8ec219e73308ee4577a7696a
  SHA512: 7e1c5620ac7b5d385d6adf9aa7101e27c578b94c02619fe948986e42536f52fec5849e883276e9362236d8b19969d58368285961c0db220aba446a75a28a762b
- Filesize: 406KB
  MD5: 59d57a1e156f3c9ef62107bd20cfc060
  SHA1: d5225d4625e8d2bfa4cf8dfc758f1037e817a7a6
  SHA256: b7c02a9cec3352314f28c0ec3613392780e517321d8d725583b6a551defda06e
  SHA512: 67f507db3e39c505825cf273bc14d2bf48dbb5fde888817eff80240c94b61ab3e1dbded4ab7e389964e1985d992d0eb24b04e26fe112448f3d2f3542c46f4ec9
- Filesize: 487KB
  MD5: 888fec8a1985d6c2ffe617e12329d330
  SHA1: 9268f1b40c875ff57c41b6ee8170bb17e51df2c3
  SHA256: 971714e3bd11cfecf229b171dd1d7e2214c0f0eb63020903bb6f4d6e9734d20d
  SHA512: 7763e23ed7ed276466738b79e4c5266fc9a1e54e3233323b63cd16adbb18d89654ca717ed2f65ca91503b8ca7419e9de304398f2986976aa523e990e4ce97c6f