Analysis
max time kernel: 145s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 00:37
Static task: static1
Behavioral task: behavioral1
Sample: 49a92ffa9989ed33242c90a7d01cf3f2ab578e13bb1f0e4efcfb806ceecd4e87.exe
Resource: win10v2004-20241007-en
General
Target: 49a92ffa9989ed33242c90a7d01cf3f2ab578e13bb1f0e4efcfb806ceecd4e87.exe
Size: 706KB
MD5: 18c07dd86beea21dc2230a9baa3d4eea
SHA1: cc2e975a6cde56b181f4627dc28ee583545d3af0
SHA256: 49a92ffa9989ed33242c90a7d01cf3f2ab578e13bb1f0e4efcfb806ceecd4e87
SHA512: 6ed59bb2ea1e3e2077621c18ce6aa9b21acb4fcabd71bf95549ee7af69e639176b2301a0561a6098260a4ff90dd5ecfa3bb2eb3449cb2b296c1382322058d747
SSDEEP: 12288:Ty90QWdYs4LHEWb0bPGCviwoYD10XwSC8nfpeKb4EVdTuEjYWyEf1:Ty0dDSHEZqCK5q0XwSppeKb4Evlj3vf1
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Resource  YARA rule
behavioral1/memory/720-18-0x00000000047C0000-0x00000000047DA000-memory.dmp  healer
behavioral1/memory/720-20-0x0000000004C00000-0x0000000004C18000-memory.dmp  healer
behavioral1/memory/720-36-0x0000000004C00000-0x0000000004C12000-memory.dmp  healer
behavioral1/memory/720-34-0x0000000004C00000-0x0000000004C12000-memory.dmp  healer
behavioral1/memory/720-32-0x0000000004C00000-0x0000000004C12000-memory.dmp  healer
behavioral1/memory/720-30-0x0000000004C00000-0x0000000004C12000-memory.dmp  healer
behavioral1/memory/720-28-0x0000000004C00000-0x0000000004C12000-memory.dmp  healer
behavioral1/memory/720-26-0x0000000004C00000-0x0000000004C12000-memory.dmp  healer
behavioral1/memory/720-24-0x0000000004C00000-0x0000000004C12000-memory.dmp  healer
behavioral1/memory/720-22-0x0000000004C00000-0x0000000004C12000-memory.dmp  healer
behavioral1/memory/720-21-0x0000000004C00000-0x0000000004C12000-memory.dmp  healer
behavioral1/memory/720-48-0x0000000004C00000-0x0000000004C12000-memory.dmp  healer
behavioral1/memory/720-46-0x0000000004C00000-0x0000000004C12000-memory.dmp  healer
behavioral1/memory/720-44-0x0000000004C00000-0x0000000004C12000-memory.dmp  healer
behavioral1/memory/720-42-0x0000000004C00000-0x0000000004C12000-memory.dmp  healer
behavioral1/memory/720-41-0x0000000004C00000-0x0000000004C12000-memory.dmp  healer
behavioral1/memory/720-39-0x0000000004C00000-0x0000000004C12000-memory.dmp  healer
Healer family
Modifies Windows Defender Real-time Protection settings (6 IoCs)
Description  IoC  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  pr664589.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  pr664589.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  pr664589.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  pr664589.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  pr664589.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  pr664589.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Resource  YARA rule
behavioral1/memory/3180-60-0x0000000004A80000-0x0000000004ABC000-memory.dmp  family_redline
behavioral1/memory/3180-61-0x0000000004E70000-0x0000000004EAA000-memory.dmp  family_redline
behavioral1/memory/3180-73-0x0000000004E70000-0x0000000004EA5000-memory.dmp  family_redline
behavioral1/memory/3180-77-0x0000000004E70000-0x0000000004EA5000-memory.dmp  family_redline
behavioral1/memory/3180-95-0x0000000004E70000-0x0000000004EA5000-memory.dmp  family_redline
behavioral1/memory/3180-93-0x0000000004E70000-0x0000000004EA5000-memory.dmp  family_redline
behavioral1/memory/3180-89-0x0000000004E70000-0x0000000004EA5000-memory.dmp  family_redline
behavioral1/memory/3180-87-0x0000000004E70000-0x0000000004EA5000-memory.dmp  family_redline
behavioral1/memory/3180-85-0x0000000004E70000-0x0000000004EA5000-memory.dmp  family_redline
behavioral1/memory/3180-83-0x0000000004E70000-0x0000000004EA5000-memory.dmp  family_redline
behavioral1/memory/3180-81-0x0000000004E70000-0x0000000004EA5000-memory.dmp  family_redline
behavioral1/memory/3180-79-0x0000000004E70000-0x0000000004EA5000-memory.dmp  family_redline
behavioral1/memory/3180-75-0x0000000004E70000-0x0000000004EA5000-memory.dmp  family_redline
behavioral1/memory/3180-71-0x0000000004E70000-0x0000000004EA5000-memory.dmp  family_redline
behavioral1/memory/3180-69-0x0000000004E70000-0x0000000004EA5000-memory.dmp  family_redline
behavioral1/memory/3180-91-0x0000000004E70000-0x0000000004EA5000-memory.dmp  family_redline
behavioral1/memory/3180-67-0x0000000004E70000-0x0000000004EA5000-memory.dmp  family_redline
behavioral1/memory/3180-65-0x0000000004E70000-0x0000000004EA5000-memory.dmp  family_redline
behavioral1/memory/3180-63-0x0000000004E70000-0x0000000004EA5000-memory.dmp  family_redline
behavioral1/memory/3180-62-0x0000000004E70000-0x0000000004EA5000-memory.dmp  family_redline
Redline family
Executes dropped EXE (3 IoCs)
PID  Process
4944  un341854.exe
720  pr664589.exe
3180  qu281685.exe
Windows security modification (2 IoCs)
Description  IoC  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  pr664589.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  pr664589.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Description  IoC  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  un341854.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  49a92ffa9989ed33242c90a7d01cf3f2ab578e13bb1f0e4efcfb806ceecd4e87.exe
Program crash (1 IoCs)
pid  pid_target  Process  procid_target
1244  720  WerFault.exe  84
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Description  IoC  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  qu281685.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  49a92ffa9989ed33242c90a7d01cf3f2ab578e13bb1f0e4efcfb806ceecd4e87.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  un341854.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pr664589.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID  Process
720  pr664589.exe
720  pr664589.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Description  PID  Process
Token: SeDebugPrivilege  720  pr664589.exe
Token: SeDebugPrivilege  3180  qu281685.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Description  PID  Process  procid_target
PID 836 wrote to memory of 4944  836  49a92ffa9989ed33242c90a7d01cf3f2ab578e13bb1f0e4efcfb806ceecd4e87.exe  83
PID 836 wrote to memory of 4944  836  49a92ffa9989ed33242c90a7d01cf3f2ab578e13bb1f0e4efcfb806ceecd4e87.exe  83
PID 836 wrote to memory of 4944  836  49a92ffa9989ed33242c90a7d01cf3f2ab578e13bb1f0e4efcfb806ceecd4e87.exe  83
PID 4944 wrote to memory of 720  4944  un341854.exe  84
PID 4944 wrote to memory of 720  4944  un341854.exe  84
PID 4944 wrote to memory of 720  4944  un341854.exe  84
PID 4944 wrote to memory of 3180  4944  un341854.exe  100
PID 4944 wrote to memory of 3180  4944  un341854.exe  100
PID 4944 wrote to memory of 3180  4944  un341854.exe  100
Processes
[1] C:\Users\Admin\AppData\Local\Temp\49a92ffa9989ed33242c90a7d01cf3f2ab578e13bb1f0e4efcfb806ceecd4e87.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\49a92ffa9989ed33242c90a7d01cf3f2ab578e13bb1f0e4efcfb806ceecd4e87.exe"
    PID: 836
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un341854.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un341854.exe
        PID: 4944
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr664589.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr664589.exe
            PID: 720
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 720 -s 1092
                PID: 1244
                - Program crash
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu281685.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu281685.exe
            PID: 3180
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 720 -ip 720
    PID: 4236
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 552KB
MD5: dbc4627f39227fcfae5df4b1b7fb42b0
SHA1: 33ae376b8a7ae505e42f13c31b6fa0fe7be0bda2
SHA256: 58abdcda347398a224a17e0f032f418e1cd7cf3d8f8bb1b295563bd7045a6099
SHA512: 37c2f3f1c8e48e77d81ce76b1a83c93252bf8e1912f1265080483cf0c28683782f351bbc8b0f6b8fe13a5a6ea7ae9e80e83837aba65e9f55a2576ff092924502

Filesize: 285KB
MD5: fdd5025a22f9acf0f539506fb2ec8b17
SHA1: add3512765763e13ba70cb17f6f674ce9aaa5453
SHA256: e23c9257724a11cdaa0bf43e4544aa23adcce8b28ddd19469703f6d94ec54002
SHA512: 50ab4846833072335c4c89eb92db00289f02a3113613b67541ec11983313cd199ca470121db8e3f3fb7151343425479d935aa944fb43d048a341a6a80f047a51

Filesize: 368KB
MD5: 22ad0710acdbcd72879bf22e19679a76
SHA1: 549b3f20dd2803c52ed8558bc82bf3c7a13b9c2f
SHA256: 522b0f628d0ffc164c896175694e9d4ba6aa3545f95d1bcc32d5e72413914f06
SHA512: 7210ee3fdd11108714dd0ceeeb14e677cebc61116c3711a55a2a121bc54989a9e6b3d67ee2573078e36a33bc2637eaba3d4b983acc15f67c667d4f74cc50ac2e