Analysis
-
max time kernel
138s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 00:41
Static task
static1
Behavioral task
behavioral1
Sample
4e585e4e1a4e3966855e083ae2dc9a046685ccb834ae34360e77b42c5b72b067.exe
Resource
win10v2004-20241007-en
General
-
Target
4e585e4e1a4e3966855e083ae2dc9a046685ccb834ae34360e77b42c5b72b067.exe
-
Size
479KB
-
MD5
23e63039c04589ffaf13d23591708a73
-
SHA1
9bf4ca291b58837a1b33806a6e6802fa57a42d7b
-
SHA256
4e585e4e1a4e3966855e083ae2dc9a046685ccb834ae34360e77b42c5b72b067
-
SHA512
2bb471992a4d7716035ee350d990641f1ddf2c7145e542f32a950b4b7d8e47ecee283036d7ff91fbe5fb8711a00f71e5afffbcf6bea5b666b13950b073c9e280
-
SSDEEP
12288:yMrby90Nx5EO8PQxI1m7Od6PjeikRzQcM/Q:ZycrEFoxI0O8a3QcJ
Malware Config
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
Processes:
resource yara_rule behavioral1/memory/3980-15-0x0000000002230000-0x000000000224A000-memory.dmp healer behavioral1/memory/3980-18-0x0000000004980000-0x0000000004998000-memory.dmp healer behavioral1/memory/3980-47-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral1/memory/3980-43-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral1/memory/3980-41-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral1/memory/3980-39-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral1/memory/3980-23-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral1/memory/3980-45-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral1/memory/3980-37-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral1/memory/3980-35-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral1/memory/3980-33-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral1/memory/3980-31-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral1/memory/3980-29-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral1/memory/3980-27-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral1/memory/3980-25-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral1/memory/3980-21-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral1/memory/3980-20-0x0000000004980000-0x0000000004992000-memory.dmp healer -
Healer family
-
Processes:
a3006099.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a3006099.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection a3006099.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a3006099.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a3006099.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a3006099.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a3006099.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x000f000000023aa7-54.dat family_redline behavioral1/memory/3672-56-0x0000000000A80000-0x0000000000AA8000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
Processes:
v3166271.exea3006099.exeb2756482.exepid Process 4552 v3166271.exe 3980 a3006099.exe 3672 b2756482.exe -
Processes:
a3006099.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" a3006099.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features a3006099.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
4e585e4e1a4e3966855e083ae2dc9a046685ccb834ae34360e77b42c5b72b067.exev3166271.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 4e585e4e1a4e3966855e083ae2dc9a046685ccb834ae34360e77b42c5b72b067.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" v3166271.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
4e585e4e1a4e3966855e083ae2dc9a046685ccb834ae34360e77b42c5b72b067.exev3166271.exea3006099.exeb2756482.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4e585e4e1a4e3966855e083ae2dc9a046685ccb834ae34360e77b42c5b72b067.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language v3166271.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a3006099.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b2756482.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
a3006099.exepid Process 3980 a3006099.exe 3980 a3006099.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
a3006099.exedescription pid Process Token: SeDebugPrivilege 3980 a3006099.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
4e585e4e1a4e3966855e083ae2dc9a046685ccb834ae34360e77b42c5b72b067.exev3166271.exedescription pid Process procid_target PID 4456 wrote to memory of 4552 4456 4e585e4e1a4e3966855e083ae2dc9a046685ccb834ae34360e77b42c5b72b067.exe 85 PID 4456 wrote to memory of 4552 4456 4e585e4e1a4e3966855e083ae2dc9a046685ccb834ae34360e77b42c5b72b067.exe 85 PID 4456 wrote to memory of 4552 4456 4e585e4e1a4e3966855e083ae2dc9a046685ccb834ae34360e77b42c5b72b067.exe 85 PID 4552 wrote to memory of 3980 4552 v3166271.exe 87 PID 4552 wrote to memory of 3980 4552 v3166271.exe 87 PID 4552 wrote to memory of 3980 4552 v3166271.exe 87 PID 4552 wrote to memory of 3672 4552 v3166271.exe 99 PID 4552 wrote to memory of 3672 4552 v3166271.exe 99 PID 4552 wrote to memory of 3672 4552 v3166271.exe 99
Processes
-
C:\Users\Admin\AppData\Local\Temp\4e585e4e1a4e3966855e083ae2dc9a046685ccb834ae34360e77b42c5b72b067.exe"C:\Users\Admin\AppData\Local\Temp\4e585e4e1a4e3966855e083ae2dc9a046685ccb834ae34360e77b42c5b72b067.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3166271.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3166271.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4552 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3006099.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3006099.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3980
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2756482.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2756482.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3672
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
307KB
MD53b75e5d3426e90a367e4b6a96485118a
SHA1fc7314c2ed750e9a2154318fee4e127ade6a9c47
SHA2565750d4d8310b1aabd49541d86ffcab9a6ad7beab24a9140296c5017e21eaf8f0
SHA512ff365753356de5b75e2c00bc22051c9d982377f3d4f46f907622c3ff975aa6841ffa2daba672120505417bf95ae5bc4677affd361386ae5b77ae8aeaf8cf12e5
-
Filesize
175KB
MD5563e182784ada69cd20fa368a66fb9be
SHA1f8e348ec4348e5e31a3af6b5b25f7168950660e1
SHA25689632614e919a9d7e4759f1131bf34c3ed060b5855812adce069d4d0abad1279
SHA512a5e5846081a860a42154ae533bbe738a321f61de9bb504a7aafabe4153dbbcbd8ed224b272b574047296f8ec6272706947794fe2b332770d02a49fd73e8f44dc
-
Filesize
136KB
MD5c73e1aef0c2cc7fcc6d8e26f6218147f
SHA1730771aedd329cb4c97a827268395481e9df0353
SHA256bd36f052ea89dd29366888c0c34bd75eec72d2d42b4a211757a9ba40422f30bb
SHA512189c8dc6fdb76160a54bb8c9eb6d48d28290b2451e21c9bbb9e4cc58f3fd1e5bfc3aa1a09af6f75afcde1e275f21b5cdb0d05102bfe4fbb33ba09e73b1f3e7ff