Analysis
max time kernel: 141s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 19:18
Static task: static1
Behavioral task: behavioral1
Sample: 4eeffbc8271a1be62554c092394087e212943fef623cc174cd30259d5d92f3d1.exe
Resource: win10v2004-20241007-en

General
Target: 4eeffbc8271a1be62554c092394087e212943fef623cc174cd30259d5d92f3d1.exe
Size: 643KB
MD5: 426d2d722f717d4cb8eec7496034812c
SHA1: 453c7601a9ed9896d0387f0fa805d70a1906d63a
SHA256: 4eeffbc8271a1be62554c092394087e212943fef623cc174cd30259d5d92f3d1
SHA512: 7e3cce7aa108261b7681a7c91458775d8a3bab1250742f0fa6e11f18b62fe505c41513ec0af91835b8d372c749f5c27c5efb19243e9e6d7ef4d16389ca8b6012
SSDEEP: 12288:Hy900ZthmABaZpwY5UBtK10cDPV1BY3niIVdUN/fSj8PBpB812KcAxPb:HyrhCTwY5UK10cDt1BY3TdUBa8Y2K5xT
Malware Config
Signatures

Detects Healer, an antivirus disabler dropper 17 IoCs
Healer family

Modifies Windows Defender Real-time Protection settings
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (37524680.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (37524680.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (37524680.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (37524680.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (37524680.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (37524680.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 21 IoCs
Redline family
Executes dropped EXE 3 IoCs
- PID 2504: st722202.exe
- PID 2740: 37524680.exe
- PID 4548: kp669612.exe

Windows security modification
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (37524680.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (37524680.exe)

Adds Run key to start application 2 TTPs 2 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (4eeffbc8271a1be62554c092394087e212943fef623cc174cd30259d5d92f3d1.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (st722202.exe)
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (kp669612.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (4eeffbc8271a1be62554c092394087e212943fef623cc174cd30259d5d92f3d1.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (st722202.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (37524680.exe)
Suspicious behavior: EnumeratesProcesses 2 IoCs
- PID 2740: 37524680.exe
- PID 2740: 37524680.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
- Token: SeDebugPrivilege, PID 2740 (37524680.exe)
- Token: SeDebugPrivilege, PID 4548 (kp669612.exe)

Suspicious use of WriteProcessMemory 9 IoCs
- PID 2316 wrote to memory of 2504 (4eeffbc8271a1be62554c092394087e212943fef623cc174cd30259d5d92f3d1.exe, procid_target 84)
- PID 2316 wrote to memory of 2504 (4eeffbc8271a1be62554c092394087e212943fef623cc174cd30259d5d92f3d1.exe, procid_target 84)
- PID 2316 wrote to memory of 2504 (4eeffbc8271a1be62554c092394087e212943fef623cc174cd30259d5d92f3d1.exe, procid_target 84)
- PID 2504 wrote to memory of 2740 (st722202.exe, procid_target 86)
- PID 2504 wrote to memory of 2740 (st722202.exe, procid_target 86)
- PID 2504 wrote to memory of 2740 (st722202.exe, procid_target 86)
- PID 2504 wrote to memory of 4548 (st722202.exe, procid_target 94)
- PID 2504 wrote to memory of 4548 (st722202.exe, procid_target 94)
- PID 2504 wrote to memory of 4548 (st722202.exe, procid_target 94)
Processes

C:\Users\Admin\AppData\Local\Temp\4eeffbc8271a1be62554c092394087e212943fef623cc174cd30259d5d92f3d1.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\4eeffbc8271a1be62554c092394087e212943fef623cc174cd30259d5d92f3d1.exe"
PID: 2316 (level 1)
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st722202.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st722202.exe
    PID: 2504 (level 2, child of 2316)
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\37524680.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\37524680.exe
        PID: 2740 (level 3, child of 2504)
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp669612.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp669612.exe
        PID: 4548 (level 3, child of 2504)
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)