Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 19:12

Static task: static1
Behavioral task: behavioral1
Sample: 417b79f779ad971f8046fa12cfa764fbba9058eebfa1392bee3145f09ab8127f.exe
Resource: win10v2004-20241007-en
General

Target: 417b79f779ad971f8046fa12cfa764fbba9058eebfa1392bee3145f09ab8127f.exe
Size: 687KB
MD5: 368aeae2615e04206a681ae23c2261f3
SHA1: 699d81f3dc94f143a70a842f4fb2d72f1b70317f
SHA256: 417b79f779ad971f8046fa12cfa764fbba9058eebfa1392bee3145f09ab8127f
SHA512: 6c3800ed3c19e6d930c3860c7d2c33dd89c96d991862d6a6d33f4765386f44b065ebaacc793a5b926db845ec05a3e85b083a7166ce537d5a3abb347926168c07
SSDEEP: 12288:By90Dts40uRElGYihKjF/yCSQiGW2MCBkKQhuY67J5g1h9/0vz/CwD:By2s/u+GXEj1SB4MCrQhux7fgV0VD
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 77017595.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 77017595.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 77017595.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 77017595.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 77017595.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 77017595.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Redline family
Executes dropped EXE (3 IoCs)
pid | Process
3320 | un207151.exe
4304 | 77017595.exe
860 | rk024429.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 77017595.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 77017595.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 417b79f779ad971f8046fa12cfa764fbba9058eebfa1392bee3145f09ab8127f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un207151.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
4756 | 4304 | WerFault.exe | 84
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 77017595.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rk024429.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 417b79f779ad971f8046fa12cfa764fbba9058eebfa1392bee3145f09ab8127f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un207151.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4304 | 77017595.exe
4304 | 77017595.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4304 | 77017595.exe
Token: SeDebugPrivilege | 860 | rk024429.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 5084 wrote to memory of 3320 | 5084 | 417b79f779ad971f8046fa12cfa764fbba9058eebfa1392bee3145f09ab8127f.exe | 83
PID 5084 wrote to memory of 3320 | 5084 | 417b79f779ad971f8046fa12cfa764fbba9058eebfa1392bee3145f09ab8127f.exe | 83
PID 5084 wrote to memory of 3320 | 5084 | 417b79f779ad971f8046fa12cfa764fbba9058eebfa1392bee3145f09ab8127f.exe | 83
PID 3320 wrote to memory of 4304 | 3320 | un207151.exe | 84
PID 3320 wrote to memory of 4304 | 3320 | un207151.exe | 84
PID 3320 wrote to memory of 4304 | 3320 | un207151.exe | 84
PID 3320 wrote to memory of 860 | 3320 | un207151.exe | 96
PID 3320 wrote to memory of 860 | 3320 | un207151.exe | 96
PID 3320 wrote to memory of 860 | 3320 | un207151.exe | 96
Processes

C:\Users\Admin\AppData\Local\Temp\417b79f779ad971f8046fa12cfa764fbba9058eebfa1392bee3145f09ab8127f.exe (PID 5084)
  Command line: "C:\Users\Admin\AppData\Local\Temp\417b79f779ad971f8046fa12cfa764fbba9058eebfa1392bee3145f09ab8127f.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207151.exe (PID 3320)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207151.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77017595.exe (PID 4304)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77017595.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe (PID 4756)
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 1084
              - Program crash

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk024429.exe (PID 860)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk024429.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (PID 4724)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4304 -ip 4304
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 533KB
MD5: 250a87f319f17b2131259f5d09b4e634
SHA1: 2d0a958c580e7ab690c4514c1924b8fc8d1b2afd
SHA256: 59c26d5d1f7d6630549eb2ce771fdda2da1e7905a686742f5ea2fcad28f0ca1a
SHA512: aa0825ed72d5dab3e33cd2a0e16147c7daa87cc623577ad18f15938c649c9e22bfde36427829597de9b35f00ace7af022ccece8ef154d8ccec3781a1d967e13c

Filesize: 249KB
MD5: 2456620741866590a7e6eda7da890903
SHA1: 36bdeb0817699bc77b2a4bc2079bace8a6e8258f
SHA256: 3271d6ef8386011ca04fec7cd84c01efc91fa95e6b54551eb5e8bf8c12747d31
SHA512: c7f7c4699187fb318c899afc17831ee062d51d5900a4e06653d22fce1bdd4687e98bc30d9a684d0096a744ae0257a1eadac4242dc74c1ef6c30dbb25bf7ff71a

Filesize: 332KB
MD5: 35d55ca228efd1b0a0a973c71717abc9
SHA1: 1fa49ff50e1b83bdad6a54cee87ea1bc6fbf1546
SHA256: 4ee14db05f35df1980245c4e0834eeefa0f1972d36f9a150d20ba464d4f084bc
SHA512: 96fb42f7ce5cfba67858333c51d1dc1ed7615c55dcd08135140bad6430e39742a98352bae9ec9ca95997588aa6b8f8d7954e2d10b55f951e1242fe39d64b1346