Analysis
-
max time kernel
143s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 06:06
Static task
static1
Behavioral task
behavioral1
Sample
998501f9fe9d5952fe6133c7381bd195e5ee18db4e9abdfb1746ceb9a7360fc5.exe
Resource
win10v2004-20241007-en
General
-
Target
998501f9fe9d5952fe6133c7381bd195e5ee18db4e9abdfb1746ceb9a7360fc5.exe
-
Size
706KB
-
MD5
7c9d8bf30191d060d7b84b720fd27197
-
SHA1
452daeaf47c1ef21093f3b5cdfb850e88628b41b
-
SHA256
998501f9fe9d5952fe6133c7381bd195e5ee18db4e9abdfb1746ceb9a7360fc5
-
SHA512
c6299fc6339a3799fbaa3913c7255cbd54a06a74e6316546f7b6d5b2d2f84ec72e6bf9505b27474b78fd24beb05a0f281c544782775dfda97835eeebdc2f856f
-
SSDEEP
12288:2y90BGpsD1PTt+atYjPERalYrzEv6XGzwnfDO3n64/cS8Asbe1bkKaOsi:2yFpsDFgatHwl0EvQKm6ttoedN
Malware Config
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/4712-17-0x0000000004A40000-0x0000000004A5A000-memory.dmp healer behavioral1/memory/4712-20-0x0000000004CF0000-0x0000000004D08000-memory.dmp healer behavioral1/memory/4712-34-0x0000000004CF0000-0x0000000004D02000-memory.dmp healer behavioral1/memory/4712-48-0x0000000004CF0000-0x0000000004D02000-memory.dmp healer behavioral1/memory/4712-46-0x0000000004CF0000-0x0000000004D02000-memory.dmp healer behavioral1/memory/4712-44-0x0000000004CF0000-0x0000000004D02000-memory.dmp healer behavioral1/memory/4712-42-0x0000000004CF0000-0x0000000004D02000-memory.dmp healer behavioral1/memory/4712-40-0x0000000004CF0000-0x0000000004D02000-memory.dmp healer behavioral1/memory/4712-38-0x0000000004CF0000-0x0000000004D02000-memory.dmp healer behavioral1/memory/4712-36-0x0000000004CF0000-0x0000000004D02000-memory.dmp healer behavioral1/memory/4712-32-0x0000000004CF0000-0x0000000004D02000-memory.dmp healer behavioral1/memory/4712-30-0x0000000004CF0000-0x0000000004D02000-memory.dmp healer behavioral1/memory/4712-28-0x0000000004CF0000-0x0000000004D02000-memory.dmp healer behavioral1/memory/4712-26-0x0000000004CF0000-0x0000000004D02000-memory.dmp healer behavioral1/memory/4712-24-0x0000000004CF0000-0x0000000004D02000-memory.dmp healer behavioral1/memory/4712-22-0x0000000004CF0000-0x0000000004D02000-memory.dmp healer behavioral1/memory/4712-21-0x0000000004CF0000-0x0000000004D02000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pr567208.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pr567208.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pr567208.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pr567208.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pr567208.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pr567208.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource yara_rule behavioral1/memory/392-59-0x0000000004AF0000-0x0000000004B2C000-memory.dmp family_redline behavioral1/memory/392-60-0x0000000007760000-0x000000000779A000-memory.dmp family_redline behavioral1/memory/392-72-0x0000000007760000-0x0000000007795000-memory.dmp family_redline behavioral1/memory/392-66-0x0000000007760000-0x0000000007795000-memory.dmp family_redline behavioral1/memory/392-64-0x0000000007760000-0x0000000007795000-memory.dmp family_redline behavioral1/memory/392-62-0x0000000007760000-0x0000000007795000-memory.dmp family_redline behavioral1/memory/392-61-0x0000000007760000-0x0000000007795000-memory.dmp family_redline behavioral1/memory/392-80-0x0000000007760000-0x0000000007795000-memory.dmp family_redline behavioral1/memory/392-94-0x0000000007760000-0x0000000007795000-memory.dmp family_redline behavioral1/memory/392-92-0x0000000007760000-0x0000000007795000-memory.dmp family_redline behavioral1/memory/392-90-0x0000000007760000-0x0000000007795000-memory.dmp family_redline behavioral1/memory/392-88-0x0000000007760000-0x0000000007795000-memory.dmp family_redline behavioral1/memory/392-86-0x0000000007760000-0x0000000007795000-memory.dmp family_redline behavioral1/memory/392-84-0x0000000007760000-0x0000000007795000-memory.dmp family_redline behavioral1/memory/392-78-0x0000000007760000-0x0000000007795000-memory.dmp family_redline behavioral1/memory/392-76-0x0000000007760000-0x0000000007795000-memory.dmp family_redline behavioral1/memory/392-74-0x0000000007760000-0x0000000007795000-memory.dmp family_redline behavioral1/memory/392-70-0x0000000007760000-0x0000000007795000-memory.dmp family_redline behavioral1/memory/392-68-0x0000000007760000-0x0000000007795000-memory.dmp family_redline behavioral1/memory/392-82-0x0000000007760000-0x0000000007795000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 5072 un026831.exe 4712 pr567208.exe 392 qu273471.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pr567208.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pr567208.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un026831.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 998501f9fe9d5952fe6133c7381bd195e5ee18db4e9abdfb1746ceb9a7360fc5.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1008 4712 WerFault.exe 84 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language un026831.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pr567208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qu273471.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 998501f9fe9d5952fe6133c7381bd195e5ee18db4e9abdfb1746ceb9a7360fc5.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4712 pr567208.exe 4712 pr567208.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4712 pr567208.exe Token: SeDebugPrivilege 392 qu273471.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 4484 wrote to memory of 5072 4484 998501f9fe9d5952fe6133c7381bd195e5ee18db4e9abdfb1746ceb9a7360fc5.exe 83 PID 4484 wrote to memory of 5072 4484 998501f9fe9d5952fe6133c7381bd195e5ee18db4e9abdfb1746ceb9a7360fc5.exe 83 PID 4484 wrote to memory of 5072 4484 998501f9fe9d5952fe6133c7381bd195e5ee18db4e9abdfb1746ceb9a7360fc5.exe 83 PID 5072 wrote to memory of 4712 5072 un026831.exe 84 PID 5072 wrote to memory of 4712 5072 un026831.exe 84 PID 5072 wrote to memory of 4712 5072 un026831.exe 84 PID 5072 wrote to memory of 392 5072 un026831.exe 100 PID 5072 wrote to memory of 392 5072 un026831.exe 100 PID 5072 wrote to memory of 392 5072 un026831.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\998501f9fe9d5952fe6133c7381bd195e5ee18db4e9abdfb1746ceb9a7360fc5.exe"C:\Users\Admin\AppData\Local\Temp\998501f9fe9d5952fe6133c7381bd195e5ee18db4e9abdfb1746ceb9a7360fc5.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un026831.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un026831.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr567208.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr567208.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4712 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 10044⤵
- Program crash
PID:1008
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu273471.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu273471.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:392
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4712 -ip 47121⤵PID:1832
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
551KB
MD5fda2920b20f52280ca128df949c0c342
SHA15ad63f03c7a2dbb9d60cd3be9d85d748929ca415
SHA2566c8a0cdb10bfd87c12317730124cdba1520ccdb6b78e14ff61f44115b1843312
SHA512157228b1c4e0166e73eaa51cd724e5e35aa7dbdb76072bbce8379933886ff15c48a83b6759ee26a74cc11dd09a76b142a1f5be288a630c3f5bfceb68d5e20197
-
Filesize
279KB
MD53fe3851a342426cd9e1cb7d34e44f333
SHA1baeb93d05e5a8d4343821a33c7e824e764f4e822
SHA256f92fe7349ebe6e604af698116fe9dda05e9c2ecef34aa0f499cd88f848846e2e
SHA512ec4b32bdfb2e0760bc3dae66e3eff123f12280e8a2de5b537b475720f072d1e091f019569a1b4a6f94a924e80f72f70f5467e9a3351987bef8de95585bde8232
-
Filesize
362KB
MD52da79804160a2088b0ddb25e8803310d
SHA1903062a11ecac1d3d2c19fdbebf71521179658e4
SHA256936758460d388dff576177049c14b4b9046352ff9a4d9e807d323afdf9c20a17
SHA512fb5f021eb9dd968a1ece81880c6cc787149f0f1c84182c2ed301f14bf085fcb667e6fb025bd10e4069660ea50599d72189fbabc16358b0a4744b8887786f3911