Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 05:12
Static task: static1
Behavioral task: behavioral1
Sample: 247c40bcc7cb6b04702a2185a607be174b5810ba5eec75b16953f7f9608b84c2.exe
Resource: win10v2004-20241007-en
General
Target: 247c40bcc7cb6b04702a2185a607be174b5810ba5eec75b16953f7f9608b84c2.exe
Size: 707KB
MD5: 9279973365f49d25069bdc74720f0584
SHA1: dc0442736708c299b63bed271150033f3eb5704b
SHA256: 247c40bcc7cb6b04702a2185a607be174b5810ba5eec75b16953f7f9608b84c2
SHA512: 608663225537a00ebf643b832dddcd4001ee356898eac69a042254164b5daa3c664256f8f9d59e2142ad4ea6ba43c8fe7dc1ced63b65d0da1d2ecebc946cf560
SSDEEP: 12288:ay90Xpc5FnZ1kzmI/4ibBn8f1XlDsA9KG8HX7uObm64/cm85Eu8xOS:aymkZ1Qmhibp8f1XloA965MOEdOS
Malware Config
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
resource | yara_rule
behavioral1/memory/3512-18-0x0000000004A30000-0x0000000004A4A000-memory.dmp | healer
behavioral1/memory/3512-20-0x0000000007280000-0x0000000007298000-memory.dmp | healer
behavioral1/memory/3512-48-0x0000000007280000-0x0000000007292000-memory.dmp | healer
behavioral1/memory/3512-46-0x0000000007280000-0x0000000007292000-memory.dmp | healer
behavioral1/memory/3512-42-0x0000000007280000-0x0000000007292000-memory.dmp | healer
behavioral1/memory/3512-40-0x0000000007280000-0x0000000007292000-memory.dmp | healer
behavioral1/memory/3512-38-0x0000000007280000-0x0000000007292000-memory.dmp | healer
behavioral1/memory/3512-36-0x0000000007280000-0x0000000007292000-memory.dmp | healer
behavioral1/memory/3512-34-0x0000000007280000-0x0000000007292000-memory.dmp | healer
behavioral1/memory/3512-32-0x0000000007280000-0x0000000007292000-memory.dmp | healer
behavioral1/memory/3512-30-0x0000000007280000-0x0000000007292000-memory.dmp | healer
behavioral1/memory/3512-28-0x0000000007280000-0x0000000007292000-memory.dmp | healer
behavioral1/memory/3512-26-0x0000000007280000-0x0000000007292000-memory.dmp | healer
behavioral1/memory/3512-24-0x0000000007280000-0x0000000007292000-memory.dmp | healer
behavioral1/memory/3512-44-0x0000000007280000-0x0000000007292000-memory.dmp | healer
behavioral1/memory/3512-22-0x0000000007280000-0x0000000007292000-memory.dmp | healer
behavioral1/memory/3512-21-0x0000000007280000-0x0000000007292000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr657623.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr657623.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr657623.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr657623.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr657623.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr657623.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
resource | yara_rule
behavioral1/memory/1996-60-0x00000000049F0000-0x0000000004A2C000-memory.dmp | family_redline
behavioral1/memory/1996-61-0x0000000007790000-0x00000000077CA000-memory.dmp | family_redline
behavioral1/memory/1996-73-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/1996-75-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/1996-95-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/1996-91-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/1996-89-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/1996-87-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/1996-86-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/1996-83-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/1996-81-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/1996-77-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/1996-93-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/1996-79-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/1996-71-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/1996-69-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/1996-67-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/1996-65-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/1996-63-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/1996-62-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline

Redline family
-
Executes dropped EXE (3 IoCs)
pid | Process
556 | un080183.exe
3512 | pr657623.exe
1996 | qu691932.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr657623.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr657623.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 247c40bcc7cb6b04702a2185a607be174b5810ba5eec75b16953f7f9608b84c2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un080183.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
1000 | 3512 | WerFault.exe | 84
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un080183.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pr657623.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu691932.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 247c40bcc7cb6b04702a2185a607be174b5810ba5eec75b16953f7f9608b84c2.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3512 | pr657623.exe
3512 | pr657623.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3512 | pr657623.exe
Token: SeDebugPrivilege | 1996 | qu691932.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1980 wrote to memory of 556 | 1980 | 247c40bcc7cb6b04702a2185a607be174b5810ba5eec75b16953f7f9608b84c2.exe | 83
PID 1980 wrote to memory of 556 | 1980 | 247c40bcc7cb6b04702a2185a607be174b5810ba5eec75b16953f7f9608b84c2.exe | 83
PID 1980 wrote to memory of 556 | 1980 | 247c40bcc7cb6b04702a2185a607be174b5810ba5eec75b16953f7f9608b84c2.exe | 83
PID 556 wrote to memory of 3512 | 556 | un080183.exe | 84
PID 556 wrote to memory of 3512 | 556 | un080183.exe | 84
PID 556 wrote to memory of 3512 | 556 | un080183.exe | 84
PID 556 wrote to memory of 1996 | 556 | un080183.exe | 96
PID 556 wrote to memory of 1996 | 556 | un080183.exe | 96
PID 556 wrote to memory of 1996 | 556 | un080183.exe | 96
Processes

(1) C:\Users\Admin\AppData\Local\Temp\247c40bcc7cb6b04702a2185a607be174b5810ba5eec75b16953f7f9608b84c2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\247c40bcc7cb6b04702a2185a607be174b5810ba5eec75b16953f7f9608b84c2.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1980
    (2) C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un080183.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un080183.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 556
        (3) C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr657623.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr657623.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 3512
            (4) C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1092
                - Program crash
                PID: 1000
        (3) C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu691932.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu691932.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            PID: 1996

(1) C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3512 -ip 3512
    PID: 4708
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 552KB
MD5: 2e43e9af96287ba701a310d386e03cfc
SHA1: 2f8e2f1f8a21bc868316b776eec94e36c918ec6e
SHA256: 2e75b4a8e847dc3636e75a2f380939376d05c6e286909d30f6051470b5419fa4
SHA512: 3aa3cb12181acdc1877083d94d6b4cce15306c4d180ae48ee978384bc1f3f921a908b530454d676284dce4589a12aeee1ab8529c1b422f44c74c6807958cab42

Filesize: 279KB
MD5: 58a5fc3df42a506b1f05d02587e030f7
SHA1: be756d8ccac8c24e729ccb6a9b10bbc9cbf6dee2
SHA256: eff8acfec78a6eb2369d8b7fc25ac870dc20d864509a6fb2800f2ae57ffedb15
SHA512: 86b7aa56bc09adefbfae5d323df0006668b69abcaacbd1b9b44d9ae45559c84608fa2bd2a693b8a0338f238635ac36f0aa234e304b645f9aa8141f07e9a079e5

Filesize: 362KB
MD5: fa847c7d77b3e19cd648d626b7ed5769
SHA1: 91a714ee3107244cba5c7c2ea11ee7e61c7f5832
SHA256: 94c12c90e8bc6c4137750a245dc6398a4fb3c93a4b06b4cbd528773d7d22889a
SHA512: 9340f3088ff29b5ddc83d26c22405621a3faa3f4fa2faa55d8ada1128b865dd90075721f4cabd431ab6cafefb05da4fddcfdd4672a17459c17c72093b2b89943