Analysis
max time kernel: 142s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 05:07
Static task: static1
Behavioral task: behavioral1
Sample: 39a0c4fec134183ea4d8ad807f172fc834f74394a1571ea1aba6d3a30815b5d8.exe
Resource: win10v2004-20241007-en
General
Target: 39a0c4fec134183ea4d8ad807f172fc834f74394a1571ea1aba6d3a30815b5d8.exe
Size: 695KB
MD5: 6ec56fd25b306a2f21bf2f03bd8e3d76
SHA1: 90cacb113bf89139b74c090e4ce2e690e74f5a37
SHA256: 39a0c4fec134183ea4d8ad807f172fc834f74394a1571ea1aba6d3a30815b5d8
SHA512: ad436fdb4f83a580e7da9c3e3e97ef3f6bc978f41e107ed362509f51c8c8d5cc9e196a9047dcbe31662d6f3fa6739abb75231dec1c50c188deb4d4930f03e638
SSDEEP: 12288:ny90ITK4lBAOWe/NNPYl9jw65ATU+0hoX4ZCU55vleu2Kq9ojOQa:nyVbqKNNgl9jRh84ZCUpWKqyjOQa
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper 17 IoCs
resource  yara_rule
behavioral1/memory/1196-18-0x00000000047F0000-0x000000000480A000-memory.dmp  healer
behavioral1/memory/1196-20-0x00000000049E0000-0x00000000049F8000-memory.dmp  healer
behavioral1/memory/1196-21-0x00000000049E0000-0x00000000049F3000-memory.dmp  healer
behavioral1/memory/1196-28-0x00000000049E0000-0x00000000049F3000-memory.dmp  healer
behavioral1/memory/1196-44-0x00000000049E0000-0x00000000049F3000-memory.dmp  healer
behavioral1/memory/1196-42-0x00000000049E0000-0x00000000049F3000-memory.dmp  healer
behavioral1/memory/1196-38-0x00000000049E0000-0x00000000049F3000-memory.dmp  healer
behavioral1/memory/1196-36-0x00000000049E0000-0x00000000049F3000-memory.dmp  healer
behavioral1/memory/1196-34-0x00000000049E0000-0x00000000049F3000-memory.dmp  healer
behavioral1/memory/1196-32-0x00000000049E0000-0x00000000049F3000-memory.dmp  healer
behavioral1/memory/1196-30-0x00000000049E0000-0x00000000049F3000-memory.dmp  healer
behavioral1/memory/1196-22-0x00000000049E0000-0x00000000049F3000-memory.dmp  healer
behavioral1/memory/1196-26-0x00000000049E0000-0x00000000049F3000-memory.dmp  healer
behavioral1/memory/1196-24-0x00000000049E0000-0x00000000049F3000-memory.dmp  healer
behavioral1/memory/1196-48-0x00000000049E0000-0x00000000049F3000-memory.dmp  healer
behavioral1/memory/1196-46-0x00000000049E0000-0x00000000049F3000-memory.dmp  healer
behavioral1/memory/1196-40-0x00000000049E0000-0x00000000049F3000-memory.dmp  healer
Healer family
Modifies Windows Defender Real-time Protection settings 6 IoCs
All six writes come from the dropped 35397102.exe (PID 1196). On a host with Tamper Protection enabled, Defender blocks these policy changes from taking effect, so treat the sandbox result as the routine's intent, not proof that Defender was disabled.
description      ioc                                                                                                                         Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  35397102.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  35397102.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  35397102.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  35397102.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  35397102.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  35397102.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 20 IoCs
resource  yara_rule
behavioral1/memory/4884-60-0x0000000007130000-0x000000000716C000-memory.dmp  family_redline
behavioral1/memory/4884-61-0x0000000007790000-0x00000000077CA000-memory.dmp  family_redline
behavioral1/memory/4884-71-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
behavioral1/memory/4884-77-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
behavioral1/memory/4884-96-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
behavioral1/memory/4884-91-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
behavioral1/memory/4884-89-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
behavioral1/memory/4884-87-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
behavioral1/memory/4884-85-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
behavioral1/memory/4884-83-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
behavioral1/memory/4884-82-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
behavioral1/memory/4884-79-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
behavioral1/memory/4884-75-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
behavioral1/memory/4884-73-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
behavioral1/memory/4884-69-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
behavioral1/memory/4884-93-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
behavioral1/memory/4884-67-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
behavioral1/memory/4884-65-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
behavioral1/memory/4884-63-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
behavioral1/memory/4884-62-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
Redline family
Executes dropped EXE 3 IoCs
pid   Process
4820  un559504.exe
1196  35397102.exe
4884  rk155659.exe
Windows security modification 2 IoCs
description      ioc                                                                                      Process
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  35397102.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  35397102.exe
Adds Run key to start application 2 TTPs 2 IoCs
Both values are the standard cleanup entries written by the Windows wextract self-extracting stub (advpack.dll DelNodeRunDLL32 deletes the IXP00n.TMP extraction directory at next logon). They show that the sample is a wextract archive nested inside another one (IXP000.TMP, then IXP001.TMP); they are not persistence for the payloads themselves.
description      ioc                                                                                                                Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  39a0c4fec134183ea4d8ad807f172fc834f74394a1571ea1aba6d3a30815b5d8.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  un559504.exe
Program crash 1 IoCs
pid   pid_target  Process       procid_target
3968  1196        WerFault.exe  86
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                        Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  39a0c4fec134183ea4d8ad807f172fc834f74394a1571ea1aba6d3a30815b5d8.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  un559504.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  35397102.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rk155659.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
1196  35397102.exe
1196  35397102.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description              pid   Process
Token: SeDebugPrivilege  1196  35397102.exe
Token: SeDebugPrivilege  4884  rk155659.exe
Suspicious use of WriteProcessMemory 9 IoCs
description                      pid   Process                                                                  procid_target
PID 2848 wrote to memory of 4820  2848  39a0c4fec134183ea4d8ad807f172fc834f74394a1571ea1aba6d3a30815b5d8.exe  84
PID 2848 wrote to memory of 4820  2848  39a0c4fec134183ea4d8ad807f172fc834f74394a1571ea1aba6d3a30815b5d8.exe  84
PID 2848 wrote to memory of 4820  2848  39a0c4fec134183ea4d8ad807f172fc834f74394a1571ea1aba6d3a30815b5d8.exe  84
PID 4820 wrote to memory of 1196  4820  un559504.exe  86
PID 4820 wrote to memory of 1196  4820  un559504.exe  86
PID 4820 wrote to memory of 1196  4820  un559504.exe  86
PID 4820 wrote to memory of 4884  4820  un559504.exe  98
PID 4820 wrote to memory of 4884  4820  un559504.exe  98
PID 4820 wrote to memory of 4884  4820  un559504.exe  98
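Added example, not part of the sandbox report or of any sandbox vendor's code: a small parser for the flattened signature rows above (the Defender registry rows, the Executes dropped EXE row and the WriteProcessMemory rows, copied here as constructed input) that flags the Defender-impairing writes, separates the wextract RunOnce cleanup entries from real autostart persistence, and attributes each finding to its ancestry in the process tree. The row format assumed by the regexes and the ATT&CK mapping (T1562.001 for the Defender writes, T1547.001 for other Run/RunOnce entries) are this example's own assumptions.

```python
"""Parse flattened sandbox signature rows and attribute Defender tampering to
the process tree. Added example; row format and technique mapping are assumed
from how the rows appear in the report above."""
import re
from collections import defaultdict

# Constructed input: rows copied from the report's signature tables.
REGISTRY_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 35397102.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 35397102.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 35397102.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 35397102.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 35397102.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 35397102.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 35397102.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un559504.exe',
]
EXEC_ROW = '4820 un559504.exe 1196 35397102.exe 4884 rk155659.exe'
WPM_ROWS = [
    'PID 2848 wrote to memory of 4820 2848 39a0c4fec134183ea4d8ad807f172fc834f74394a1571ea1aba6d3a30815b5d8.exe 84',
    'PID 2848 wrote to memory of 4820 2848 39a0c4fec134183ea4d8ad807f172fc834f74394a1571ea1aba6d3a30815b5d8.exe 84',
    'PID 4820 wrote to memory of 1196 4820 un559504.exe 86',
    'PID 4820 wrote to memory of 1196 4820 un559504.exe 86',
    'PID 4820 wrote to memory of 4884 4820 un559504.exe 98',
]

# "<op> <registry path>[ = "<value>"] <process>"; the path may contain spaces,
# so it is matched non-greedily and the process name is anchored at the end.
REG_RE = re.compile(
    r'^(?P<op>Set value \((?:int|str)\)|Key created|Key opened)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s*=\s*"(?P<value>.*)")?'
    r'\s+(?P<proc>\S+)$')
WPM_RE = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) '
                    r'(?P=src) (?P<name>\S+) (?P<target_procid>\d+)$')

# Real-Time Protection policy values the dropper sets to 1 (assumed mapping: T1562.001).
RTP_DISABLE_VALUES = {'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring',
                      'DisableIOAVProtection', 'DisableOnAccessProtection',
                      'DisableScanOnRealtimeEnable'}


def classify(row):
    """Map one parsed registry row to (technique, detail), or None if uninteresting."""
    if not row['op'].startswith('Set value'):
        return None
    parts = row['path'].split('\\')
    name, parent = parts[-1], parts[-2]
    if parent == 'Real-Time Protection' and name in RTP_DISABLE_VALUES and row['value'] == '1':
        return 'T1562.001', 'Defender real-time protection policy %s=1' % name
    if parent == 'Features' and name == 'TamperProtection' and row['value'] == '0':
        return 'T1562.001', 'Defender Features\\TamperProtection cleared to 0'
    if parent in ('Run', 'RunOnce'):
        # The wextract SFX stub uses RunOnce + advpack DelNodeRunDLL32 to delete its IXPnnn.TMP dir.
        if name.startswith('wextract_cleanup') and 'advpack.dll,DelNodeRunDLL32' in row['value']:
            return 'benign', 'wextract temp-directory cleanup, not payload persistence'
        return 'T1547.001', 'autostart entry %s' % name
    return None


def build_tree(exec_row, wpm_rows):
    """Return ({pid: name}, {parent_pid: [child_pids]}) from the dropped-EXE and WPM rows."""
    names = {int(pid): name for pid, name in re.findall(r'(\d+)\s+(\S+\.exe)', exec_row)}
    children = defaultdict(list)
    for row in wpm_rows:
        m = WPM_RE.match(row)
        if not m:
            raise ValueError('unparsed WriteProcessMemory row: ' + row)
        src, dst = int(m['src']), int(m['dst'])
        names.setdefault(src, m['name'])
        if dst not in children[src]:          # the report repeats each edge three times
            children[src].append(dst)
    return names, dict(children)


def ancestry(pid, names, children):
    """Process names from pid up to the root, e.g. ['35397102.exe', 'un559504.exe', ...]."""
    parent = {c: p for p, cs in children.items() for c in cs}
    chain = [names[pid]]
    while pid in parent:
        pid = parent[pid]
        chain.append(names[pid])
    return chain


def analyze(registry_rows, exec_row, wpm_rows):
    names, children = build_tree(exec_row, wpm_rows)
    pid_by_name = {n: p for p, n in names.items()}
    findings = []
    for line in registry_rows:
        m = REG_RE.match(line)
        if not m:
            raise ValueError('unparsed registry row: ' + line)
        row = m.groupdict()
        hit = classify(row)
        if hit:
            proc = row['proc']
            chain = ancestry(pid_by_name[proc], names, children) if proc in pid_by_name else [proc]
            findings.append({'technique': hit[0], 'detail': hit[1], 'process': proc, 'chain': chain})
    return findings, names, children


if __name__ == '__main__':
    for f in analyze(REGISTRY_ROWS, EXEC_ROW, WPM_ROWS)[0]:
        print('%-10s %-40s %s' % (f['technique'], f['detail'], ' <- '.join(f['chain'])))
```

The duplicate WriteProcessMemory rows are the three calls a CreateProcess-based launch typically produces in this sandbox's trace, so edges are deduplicated before building the tree; the RunOnce branch keeps the wextract cleanup entries out of the persistence findings so that only genuine Run/RunOnce additions would be reported as T1547.001.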
Processes
C:\Users\Admin\AppData\Local\Temp\39a0c4fec134183ea4d8ad807f172fc834f74394a1571ea1aba6d3a30815b5d8.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\39a0c4fec134183ea4d8ad807f172fc834f74394a1571ea1aba6d3a30815b5d8.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2848
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un559504.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un559504.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4820
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35397102.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35397102.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1196
            C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1016
              - Program crash
              PID: 3968
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk155659.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk155659.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 4884
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1196 -ip 1196
  PID: 3524
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 541KB
MD5: 46b99b6dc860a611e8b0bf3098b6b2d5
SHA1: f4d3b6bf0ae20a753282cb9e6254fc3a667fc6f8
SHA256: 219ca6573d7e70f9e34ad972a2e8dd6b45ac91c52ced3bc2494ef4a2d6e6c465
SHA512: 000dcaafa2b1f18cc1ed6fcd46298a291a5a050689cba10217d213d47dbddd23e57d5c0b08041c7e8e700485e6cdc806d07e42d7dcd85a5ed209f142ba686bb1

Filesize: 257KB
MD5: 0cc6c3e42ff1571b993b0339c603c204
SHA1: 8404d98ceb739d7d47e7d79a8241097074647d66
SHA256: 369f288d67dc41a16b75b75586e913906d9d38881b25fcb7b9879575aad73d6f
SHA512: 2900a55b26dd40b14c9504316db7ac20b5e0d38fd442204aa5a39c5a5c6de612d54bb967a508b6a23605ef6b01a7bdb2bad4c4ec81f06eb02fcff2d8041ee1d9

Filesize: 340KB
MD5: d9158a9694a84aa59e00b95bf5ca5d3a
SHA1: 025fc0dc642c6db28a01993f1dfefc085b5486cf
SHA256: 7615913fc9446e10c2d2e35d4050dd8486a0a9bb5c3044b0fe734dee674999a5
SHA512: a869d3051ea1b8b8a1451b0e32eee0b1617a139517c8f37d75f9a348690520d2e6f1ab33d08aa6ef642fa318cf362ddf6143c60f9cc7dacd97328b0f2e083a7b