Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 06:04
Static task
static1
Behavioral task
behavioral1
Sample
9863c6fa15bf0562549cda9afdd242fc6d7918f57827e23e5e0e99ff0de5fbb4.exe
Resource
win10v2004-20241007-en
General
-
Target
9863c6fa15bf0562549cda9afdd242fc6d7918f57827e23e5e0e99ff0de5fbb4.exe
-
Size
479KB
-
MD5
0eaa95f90f701285dfe9305882f8a0be
-
SHA1
b1f62ce37faf8ce81a7e9c7128f230de976777e1
-
SHA256
9863c6fa15bf0562549cda9afdd242fc6d7918f57827e23e5e0e99ff0de5fbb4
-
SHA512
4e5b3d7fa40f43853052f3f382fb103e4c079dee588ae4363159b78658c9e645ead8cc5f51f2054294457ee91b30fb930f4f585e4860e0da152a5e45af8f0bcd
-
SSDEEP
12288:jMrOy90jupW1TBG7Ofg5c1u31ITVi2mQbWfpcCKnItq:ty0upWPUXGTU2RspcVnMq
Malware Config
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/3836-15-0x00000000021B0000-0x00000000021CA000-memory.dmp healer behavioral1/memory/3836-18-0x0000000002430000-0x0000000002448000-memory.dmp healer behavioral1/memory/3836-29-0x0000000002430000-0x0000000002442000-memory.dmp healer behavioral1/memory/3836-47-0x0000000002430000-0x0000000002442000-memory.dmp healer behavioral1/memory/3836-45-0x0000000002430000-0x0000000002442000-memory.dmp healer behavioral1/memory/3836-43-0x0000000002430000-0x0000000002442000-memory.dmp healer behavioral1/memory/3836-41-0x0000000002430000-0x0000000002442000-memory.dmp healer behavioral1/memory/3836-39-0x0000000002430000-0x0000000002442000-memory.dmp healer behavioral1/memory/3836-37-0x0000000002430000-0x0000000002442000-memory.dmp healer behavioral1/memory/3836-35-0x0000000002430000-0x0000000002442000-memory.dmp healer behavioral1/memory/3836-33-0x0000000002430000-0x0000000002442000-memory.dmp healer behavioral1/memory/3836-31-0x0000000002430000-0x0000000002442000-memory.dmp healer behavioral1/memory/3836-27-0x0000000002430000-0x0000000002442000-memory.dmp healer behavioral1/memory/3836-25-0x0000000002430000-0x0000000002442000-memory.dmp healer behavioral1/memory/3836-23-0x0000000002430000-0x0000000002442000-memory.dmp healer behavioral1/memory/3836-21-0x0000000002430000-0x0000000002442000-memory.dmp healer behavioral1/memory/3836-20-0x0000000002430000-0x0000000002442000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" k4072409.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" k4072409.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" k4072409.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" k4072409.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection k4072409.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" k4072409.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/files/0x000a000000023bab-54.dat family_redline behavioral1/memory/3004-56-0x00000000001D0000-0x00000000001F8000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 2580 y1004412.exe 3836 k4072409.exe 3004 l4559795.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features k4072409.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" k4072409.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 9863c6fa15bf0562549cda9afdd242fc6d7918f57827e23e5e0e99ff0de5fbb4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" y1004412.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 3540 sc.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9863c6fa15bf0562549cda9afdd242fc6d7918f57827e23e5e0e99ff0de5fbb4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language y1004412.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k4072409.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language l4559795.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3836 k4072409.exe 3836 k4072409.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3836 k4072409.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1516 wrote to memory of 2580 1516 9863c6fa15bf0562549cda9afdd242fc6d7918f57827e23e5e0e99ff0de5fbb4.exe 83 PID 1516 wrote to memory of 2580 1516 9863c6fa15bf0562549cda9afdd242fc6d7918f57827e23e5e0e99ff0de5fbb4.exe 83 PID 1516 wrote to memory of 2580 1516 9863c6fa15bf0562549cda9afdd242fc6d7918f57827e23e5e0e99ff0de5fbb4.exe 83 PID 2580 wrote to memory of 3836 2580 y1004412.exe 84 PID 2580 wrote to memory of 3836 2580 y1004412.exe 84 PID 2580 wrote to memory of 3836 2580 y1004412.exe 84 PID 2580 wrote to memory of 3004 2580 y1004412.exe 95 PID 2580 wrote to memory of 3004 2580 y1004412.exe 95 PID 2580 wrote to memory of 3004 2580 y1004412.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\9863c6fa15bf0562549cda9afdd242fc6d7918f57827e23e5e0e99ff0de5fbb4.exe"C:\Users\Admin\AppData\Local\Temp\9863c6fa15bf0562549cda9afdd242fc6d7918f57827e23e5e0e99ff0de5fbb4.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1004412.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1004412.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4072409.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4072409.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3836
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4559795.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4559795.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3004
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
PID:3540
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
307KB
MD5be4076aaef13f93001191616db9fb911
SHA14e2838ddd16aa62bba272f55ddc818ecc6bc8aad
SHA256618c15f9cd45d09d0563e0e039c2ec2d82eb591396507340977640378b909c62
SHA51275d5a1b02ff2c01ddd4f210c6872e726ea8eb90b26f4e74565b672e69528811406189787c01ecf11e45e810b798d15495836fd58c8c303b8be97a6ec57c0d0ac
-
Filesize
175KB
MD594c4b7c1ecd667b2f1bd7cd29ad058be
SHA1c2368dc9b57a072f37ff2cf0af7b77e85906a7c5
SHA25667ef6b64cf0d4dea215b300b4840b53ad669a731fd73fa3be2ba74ca8ca212c4
SHA5128d819b023c85e74cd72bd02c6f4b66bc057ce1da706d0dad9fec1627eb75caa04c00d51a675780a5b3727fb08ab92f1f2f3747e2529bc83e0ad96e882a5e0c3d
-
Filesize
136KB
MD514def87e3ed710cf7f2ae77e4b9ac277
SHA1724a6d605b16ebbef3a265fccfceebb2528595bc
SHA2562c101da78a25d8760c6b7a3693845afe22e815ccbd1be9c2ae7729d45efd0b75
SHA51269f022575fb9b7227d4863869c908937824ea754a568c570769467b683c313c76e845a0b2a368f4b82606ddf1b6e49a49c1b2ed08b065273dbf7e317a25f488d