Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 03:45
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 4fce11b2fed7694964cf6809b04b78dca232ac21949e900a21b6e6863d104525.exe
  - Resource: win10v2004-20241007-en
General
- Target: 4fce11b2fed7694964cf6809b04b78dca232ac21949e900a21b6e6863d104525.exe
- Size: 746KB
- MD5: 2dd41cb254a24a1f8652d8a477106e69
- SHA1: aa70522675b5495793ac703364215f699f022dc6
- SHA256: 4fce11b2fed7694964cf6809b04b78dca232ac21949e900a21b6e6863d104525
- SHA512: efe4234c6d4bf8b1e1aede5730e6df3c7453361517eb2ac8c04a7315a719a631944c83eca4566adecda7e69ce1ba1f33993ef250a71a658e3b8d592275634fbe
- SSDEEP: 12288:Ay90yakNdITmSv7COoShZqxt1YyPl6xxyc4ueRj6elb48NPqH+LBDh7P9:AyNdIT1ooq2sc4ueBntNPfhL9
Malware Config
Signatures
- Detects Healer, an antivirus disabler dropper (17 IoCs)
- Healer family
- Modifies Windows Defender Real-time Protection settings
  - Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (50891835.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (50891835.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (50891835.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (50891835.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (50891835.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (50891835.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (20 IoCs)
- Redline family
- Executes dropped EXE (3 IoCs)
  - PID 3380: un631098.exe
  - PID 1152: 50891835.exe
  - PID 1352: rk268079.exe
- Windows security modification
  - Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (50891835.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (50891835.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (4fce11b2fed7694964cf6809b04b78dca232ac21949e900a21b6e6863d104525.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un631098.exe)
- Program crash (1 IoCs)
  - pid 4060, pid_target 1152, Process WerFault.exe, procid_target 85
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (un631098.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (50891835.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rk268079.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (4fce11b2fed7694964cf6809b04b78dca232ac21949e900a21b6e6863d104525.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - PID 1152: 50891835.exe
  - PID 1152: 50891835.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, PID 1152 (50891835.exe)
  - Token: SeDebugPrivilege, PID 1352 (rk268079.exe)
- Suspicious use of WriteProcessMemory (9 IoCs)
  - PID 3332 wrote to memory of 3380 (4fce11b2fed7694964cf6809b04b78dca232ac21949e900a21b6e6863d104525.exe, procid_target 84)
  - PID 3332 wrote to memory of 3380 (4fce11b2fed7694964cf6809b04b78dca232ac21949e900a21b6e6863d104525.exe, procid_target 84)
  - PID 3332 wrote to memory of 3380 (4fce11b2fed7694964cf6809b04b78dca232ac21949e900a21b6e6863d104525.exe, procid_target 84)
  - PID 3380 wrote to memory of 1152 (un631098.exe, procid_target 85)
  - PID 3380 wrote to memory of 1152 (un631098.exe, procid_target 85)
  - PID 3380 wrote to memory of 1152 (un631098.exe, procid_target 85)
  - PID 3380 wrote to memory of 1352 (un631098.exe, procid_target 96)
  - PID 3380 wrote to memory of 1352 (un631098.exe, procid_target 96)
  - PID 3380 wrote to memory of 1352 (un631098.exe, procid_target 96)
Processes
- C:\Users\Admin\AppData\Local\Temp\4fce11b2fed7694964cf6809b04b78dca232ac21949e900a21b6e6863d104525.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4fce11b2fed7694964cf6809b04b78dca232ac21949e900a21b6e6863d104525.exe"
  PID: 3332
  Signatures: Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un631098.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un631098.exe
    PID: 3380
    Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\50891835.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\50891835.exe
      PID: 1152
      Signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 1092
        PID: 4060
        Signatures: Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk268079.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk268079.exe
      PID: 1352
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1152 -ip 1152
  PID: 1332
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)
Downloads