Analysis
max time kernel: 143s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 05:00
Static task: static1
Behavioral task: behavioral1
Sample: 326241b47f15c75b269b24387ec910c9c5e19fbe44e4f67346ef2591bdbbe03b.exe
Resource: win10v2004-20241007-en
General
Target: 326241b47f15c75b269b24387ec910c9c5e19fbe44e4f67346ef2591bdbbe03b.exe
Size: 694KB
MD5: 89c3f328d792dac38329624a82d27088
SHA1: 24004fb43dfa2a9166b455b1bc87f6739db05a7a
SHA256: 326241b47f15c75b269b24387ec910c9c5e19fbe44e4f67346ef2591bdbbe03b
SHA512: 00429ec4c1b9a74090620334d8991d8c50598cf9db2401a853408431b9b192b14d7cc9e9522442ceed30e8178fa170e5f546debecd7ead7167339dd2dd81556a
SSDEEP: 12288:by90ZR+CA1m2iWFjcNr8in+hZR048JhN/0ttHR6YElwWsFoo1T3a06HvbG:byJmghcZ8iniZlPt6tbRo13afS
Signatures
-
Detects Healer, an antivirus disabler dropper 17 IoCs
resource | yara_rule
behavioral1/memory/1912-18-0x0000000004880000-0x000000000489A000-memory.dmp | healer
behavioral1/memory/1912-20-0x0000000004BE0000-0x0000000004BF8000-memory.dmp | healer
behavioral1/memory/1912-34-0x0000000004BE0000-0x0000000004BF3000-memory.dmp | healer
behavioral1/memory/1912-48-0x0000000004BE0000-0x0000000004BF3000-memory.dmp | healer
behavioral1/memory/1912-46-0x0000000004BE0000-0x0000000004BF3000-memory.dmp | healer
behavioral1/memory/1912-45-0x0000000004BE0000-0x0000000004BF3000-memory.dmp | healer
behavioral1/memory/1912-42-0x0000000004BE0000-0x0000000004BF3000-memory.dmp | healer
behavioral1/memory/1912-40-0x0000000004BE0000-0x0000000004BF3000-memory.dmp | healer
behavioral1/memory/1912-38-0x0000000004BE0000-0x0000000004BF3000-memory.dmp | healer
behavioral1/memory/1912-36-0x0000000004BE0000-0x0000000004BF3000-memory.dmp | healer
behavioral1/memory/1912-32-0x0000000004BE0000-0x0000000004BF3000-memory.dmp | healer
behavioral1/memory/1912-30-0x0000000004BE0000-0x0000000004BF3000-memory.dmp | healer
behavioral1/memory/1912-28-0x0000000004BE0000-0x0000000004BF3000-memory.dmp | healer
behavioral1/memory/1912-26-0x0000000004BE0000-0x0000000004BF3000-memory.dmp | healer
behavioral1/memory/1912-24-0x0000000004BE0000-0x0000000004BF3000-memory.dmp | healer
behavioral1/memory/1912-22-0x0000000004BE0000-0x0000000004BF3000-memory.dmp | healer
behavioral1/memory/1912-21-0x0000000004BE0000-0x0000000004BF3000-memory.dmp | healer
Healer family
-
Modifies Windows Defender Real-time Protection settings 5 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 91868334.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 91868334.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 91868334.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 91868334.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 91868334.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 91868334.exe
These are the Group Policy values for Defender real-time protection (the policy key did not exist before 91868334.exe created it); each value set to 1 switches the named component off, which is the behaviour the Healer signature above labels an antivirus disabler.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource | yara_rule
behavioral1/memory/2432-60-0x0000000004CE0000-0x0000000004D1C000-memory.dmp | family_redline
behavioral1/memory/2432-61-0x0000000007790000-0x00000000077CA000-memory.dmp | family_redline
behavioral1/memory/2432-65-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/2432-85-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/2432-95-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/2432-91-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/2432-90-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/2432-87-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/2432-83-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/2432-81-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/2432-79-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/2432-77-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/2432-75-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/2432-73-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/2432-71-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/2432-69-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/2432-67-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/2432-93-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/2432-63-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/2432-62-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
Redline family
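The Healer and RedLine tables above list one row per YARA hit on a memory dump, and most rows are re-scans of the same region (PID 1912 at 0x4BE0000 for Healer, PID 2432 at 0x7790000 for RedLine). The helper below is an added example, not part of this report or of any sandbox's code: it parses that "pid-seq-start-end-memory.dmp rule" format, merges overlapping ranges per process and rule, and produces the list of (pid, start, size) regions an analyst would carve from a full memory image. The input is a subset of the rows copied from the two tables; the function names are mine.

```python
"""Consolidate YARA memory-dump hits from a sandbox report into per-process regions.

Added example for this report; not code from the sandbox. REPORT_HITS is a
subset of the rows in the Healer and RedLine signature tables above.
"""
import re
from collections import defaultdict

# Row format used by the report: behavioral<N>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp <rule>
HIT_RE = re.compile(
    r'^behavioral\d+/memory/(?P<pid>\d+)-(?P<seq>\d+)-'
    r'0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$'
)

# Subset of the rows from the tables above (two distinct regions per process plus re-scans).
REPORT_HITS = """
behavioral1/memory/1912-18-0x0000000004880000-0x000000000489A000-memory.dmp healer
behavioral1/memory/1912-20-0x0000000004BE0000-0x0000000004BF8000-memory.dmp healer
behavioral1/memory/1912-34-0x0000000004BE0000-0x0000000004BF3000-memory.dmp healer
behavioral1/memory/1912-21-0x0000000004BE0000-0x0000000004BF3000-memory.dmp healer
behavioral1/memory/2432-60-0x0000000004CE0000-0x0000000004D1C000-memory.dmp family_redline
behavioral1/memory/2432-61-0x0000000007790000-0x00000000077CA000-memory.dmp family_redline
behavioral1/memory/2432-65-0x0000000007790000-0x00000000077C5000-memory.dmp family_redline
behavioral1/memory/2432-62-0x0000000007790000-0x00000000077C5000-memory.dmp family_redline
"""


def parse_hits(text):
    """Return (pid, seq, start, end, rule) tuples for every well-formed row; skip the rest."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append((int(m['pid']), int(m['seq']),
                         int(m['start'], 16), int(m['end'], 16), m['rule']))
    return hits


def merge(regions):
    """Merge overlapping or adjacent [start, end) ranges into a sorted disjoint list."""
    out = []
    for s, e in sorted(regions):
        if out and s <= out[-1][1]:
            out[-1] = (out[-1][0], max(out[-1][1], e))
        else:
            out.append((s, e))
    return out


def summarize(text):
    """Map (pid, rule) -> {'hits': row count, 'regions': [(start, end, size), ...]}."""
    by_key = defaultdict(list)
    for pid, _seq, start, end, rule in parse_hits(text):
        by_key[(pid, rule)].append((start, end))
    return {
        key: {'hits': len(rs), 'regions': [(s, e, e - s) for s, e in merge(rs)]}
        for key, rs in by_key.items()
    }


def dump_plan(text):
    """One (pid, start, size) per merged region, sorted: what to carve from a memory image."""
    return sorted(
        (pid, s, size)
        for (pid, _rule), info in summarize(text).items()
        for s, _e, size in info['regions']
    )


if __name__ == '__main__':
    for (pid, rule), info in summarize(REPORT_HITS).items():
        print(pid, rule, info['hits'], 'hits')
        for s, e, size in info['regions']:
            print(f'  0x{s:X}-0x{e:X} ({size // 1024} KB)')
```

On the full tables this collapses 17 Healer rows to two regions in PID 1912 and 20 RedLine rows to two regions in PID 2432; the repeated 0x4BE0000 and 0x7790000 hits are the same allocation seen on successive scans, not separate payloads.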
-
Executes dropped EXE 3 IoCs
pid | Process
4552 | un334600.exe
1912 | 91868334.exe
2432 | rk097780.exe
Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 91868334.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 91868334.exe
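The two Defender tables above (Real-Time Protection policy values set to 1, TamperProtection set to 0) are the registry writes a detection should key on. The script below is an added example, not part of this report or of any vendor's rule set: it parses set-value events written in the report's own "Set value (type) key\name = "data" process" form, normalises the WOW6432Node redirection so 32-bit and 64-bit writes compare equal, and flags a process as an antivirus disabler when it flips several protection values in one run. The event lines are constructed from the IoCs on this page plus one benign line (a process name I made up, re-enabling real-time monitoring) to show that the rule looks at the value written, not just the key touched.

```python
"""Flag Microsoft Defender tampering in registry set-value events.

Added example for this report; not code from the sandbox or from Microsoft.
SAMPLE_EVENTS is constructed: the Defender and RunOnce lines reproduce the
IoCs listed on this page, the last line is a made-up benign write.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Report row shape: Set value (<type>) <key>\<name> = "<data>" <process>
EVENT_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.*?)\\(?P<name>[^\\=]+) = "(?P<data>.*)" (?P<proc>\S+)$'
)
# Strip hive prefix and the optional WOW6432Node redirection node.
WOW_PREFIX = re.compile(r'^\\REGISTRY\\MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?', re.IGNORECASE)

# Real-Time Protection policy values that switch a protection off when set to 1.
RTP_DISABLE_VALUES = {
    'disablebehaviormonitoring', 'disableioavprotection',
    'disableonaccessprotection', 'disablerealtimemonitoring',
    'disablescanonrealtimeenable',
}
RTP_POLICY_KEY = r'policies\microsoft\windows defender\real-time protection'
FEATURES_KEY = r'microsoft\windows defender\features'

SAMPLE_EVENTS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 91868334.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 91868334.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 91868334.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 91868334.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 91868334.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 91868334.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP" 326241b47f15c75b269b24387ec910c9c5e19fbe44e4f67346ef2591bdbbe03b.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" hypothetical_admin_tool.exe
'''


@dataclass(frozen=True)
class Finding:
    process: str
    technique: str      # 'rtp_disabled' or 'tamper_protection_off'
    value_name: str


def canonical_key(key: str) -> str:
    """Lower-case the key and drop hive prefix / WOW6432Node so redirected writes compare equal."""
    return WOW_PREFIX.sub('', key).lower()


def evaluate(line: str):
    """Return a Finding for a Defender-disabling write, else None."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    key = canonical_key(m['key'])
    name, data, proc = m['name'].lower(), m['data'], m['proc']
    if key == RTP_POLICY_KEY and name in RTP_DISABLE_VALUES and data == '1':
        return Finding(proc, 'rtp_disabled', m['name'])
    if key == FEATURES_KEY and name == 'tamperprotection' and data == '0':
        return Finding(proc, 'tamper_protection_off', m['name'])
    return None


def scan(text: str, threshold: int = 3):
    """Return (findings, processes that flipped >= threshold protection values)."""
    findings = [f for f in (evaluate(l) for l in text.splitlines()) if f]
    per_proc = Counter(f.process for f in findings)
    # One disabled flag can be an administrative change; several in one run
    # from a non-management binary is the antivirus-disabler pattern.
    disablers = sorted(p for p, n in per_proc.items() if n >= threshold)
    return findings, disablers


if __name__ == '__main__':
    found, bad = scan(SAMPLE_EVENTS)
    for f in found:
        print(f.process, f.technique, f.value_name)
    print('antivirus disabler candidates:', bad)
```

The same matcher applies to Sysmon Event ID 13 (RegistryEvent SetValue) once the TargetObject and Details fields are joined into this line shape; the value-level check matters because the same policy key is legitimately written by Group Policy, and only the "1" (or TamperProtection "0") direction is the tampering case.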
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 326241b47f15c75b269b24387ec910c9c5e19fbe44e4f67346ef2591bdbbe03b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un334600.exe
Both entries are the RunOnce cleanup hooks that the IExpress (wextract) self-extractor stub registers to delete its temporary extraction directory at the next logon; the two nested directories (IXP000.TMP from the outer sample, IXP001.TMP from un334600.exe) show two layers of IExpress packaging. They remove traces rather than start the payload, so despite the Run-key signature this is not persistence for the stealer itself.
Program crash 1 IoCs
pid | pid_target | Process | procid_target
3672 | 1912 | WerFault.exe | 85
(WerFault.exe reporting the crash of 91868334.exe, PID 1912.)
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 326241b47f15c75b269b24387ec910c9c5e19fbe44e4f67346ef2591bdbbe03b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un334600.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 91868334.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rk097780.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1912 | 91868334.exe
1912 | 91868334.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1912 | 91868334.exe
Token: SeDebugPrivilege | 2432 | rk097780.exe
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 844 wrote to memory of 4552 | 844 | 326241b47f15c75b269b24387ec910c9c5e19fbe44e4f67346ef2591bdbbe03b.exe | 84
PID 844 wrote to memory of 4552 | 844 | 326241b47f15c75b269b24387ec910c9c5e19fbe44e4f67346ef2591bdbbe03b.exe | 84
PID 844 wrote to memory of 4552 | 844 | 326241b47f15c75b269b24387ec910c9c5e19fbe44e4f67346ef2591bdbbe03b.exe | 84
PID 4552 wrote to memory of 1912 | 4552 | un334600.exe | 85
PID 4552 wrote to memory of 1912 | 4552 | un334600.exe | 85
PID 4552 wrote to memory of 1912 | 4552 | un334600.exe | 85
PID 4552 wrote to memory of 2432 | 4552 | un334600.exe | 99
PID 4552 wrote to memory of 2432 | 4552 | un334600.exe | 99
PID 4552 wrote to memory of 2432 | 4552 | un334600.exe | 99
Every write here is from a parent into a child it has just created (844 -> 4552, 4552 -> 1912, 4552 -> 2432), matching the process tree below. Ordinary process launch produces this pattern as well as injection, so these entries corroborate the dropper chain rather than prove code injection on their own.
Processes
-
C:\Users\Admin\AppData\Local\Temp\326241b47f15c75b269b24387ec910c9c5e19fbe44e4f67346ef2591bdbbe03b.exe (depth 1, PID 844)
Command line: "C:\Users\Admin\AppData\Local\Temp\326241b47f15c75b269b24387ec910c9c5e19fbe44e4f67346ef2591bdbbe03b.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un334600.exe (depth 2, PID 4552)
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un334600.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\91868334.exe (depth 3, PID 1912)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\91868334.exe
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe (depth 4, PID 3672)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1080
      - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk097780.exe (depth 3, PID 2432)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk097780.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 1584)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1912 -ip 1912
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
-
Filesize: 540KB
MD5: 80ddd3a8fcb7a9c8602968bd30f402c5
SHA1: 2693fd16cbfe92f3d9b04c167f68bdd45a2892ed
SHA256: fe962ae1d8fd93888184971c873a84c304882359c76c89d6bea652b27587fde3
SHA512: 2bede61c98197dd610bc2b118ca4e0366141c990684d58beb2d7f4db928deaceae817428e6bfb2e9d5e4e40f6274197e29d10aedf144edb08686c66ce45d0a1f
-
Filesize: 258KB
MD5: 4e2a3d87f3c2fe7cb03bf39b0fd6da4d
SHA1: 59b5270ab044a90ad73fa4e733b11f97c691b9da
SHA256: 4921739ab758b1ad7f2d8af087c843862cbe9c348332798882a01e75b6ffe4d7
SHA512: d9ec7df0f38605b361cc9592dfb7928e1f140db0a573a6511590ae1ea1b474271a772a5d54e3998284f8b7a0a8b3cdf29981043163177200cf3ce4f33d5fae1c
-
Filesize: 340KB
MD5: 276ae1ae9abfcb5995c53ce04d4629ec
SHA1: 5179aca438e2803c63b0f491e4f33ac2ddf02b10
SHA256: f3c29bf272b082fe9bd933e804817f6a67b19ed6135e21a46e33e5afb468cfb0
SHA512: a0cf6ea346922178f8a9e9a278cbf6e37a5d3fda0d98e6ad7734d7c4d36f7b5dd271640b83dc9984bf78e91ead9b1631c95a60b6b9af34b2a640d16ae6803cd6