Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 01:36
Static task
static1
Behavioral task
behavioral1
Sample
82b31d393153b2f47d9e7ed44d9d61943a98478062daace89a7ded14cab6da3b.exe
Resource
win10v2004-20241007-en
General
-
Target
82b31d393153b2f47d9e7ed44d9d61943a98478062daace89a7ded14cab6da3b.exe
-
Size
480KB
-
MD5
43b711737890e8b32478390a94d651ee
-
SHA1
73dfc6228a32a6c11a3b3b97a2c4602c318a6d32
-
SHA256
82b31d393153b2f47d9e7ed44d9d61943a98478062daace89a7ded14cab6da3b
-
SHA512
25fdc9980995f8a00426edd16854fb7eca4bd4637bbbf4233dc32785419d21c1eeb24af95e09ed5b58b616124959420ca2ba36f0b5f0ce936d8fcc88f684b33b
-
SSDEEP
12288:JMrhy909sJqa9F4LEDjCEPvKQenP4hdWOLDLUyy4:Yy67aYLmCWviCZDLUm
Malware Config
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
Processes:
resource yara_rule behavioral1/memory/4448-15-0x00000000023F0000-0x000000000240A000-memory.dmp healer behavioral1/memory/4448-18-0x0000000004AC0000-0x0000000004AD8000-memory.dmp healer behavioral1/memory/4448-46-0x0000000004AC0000-0x0000000004AD2000-memory.dmp healer behavioral1/memory/4448-44-0x0000000004AC0000-0x0000000004AD2000-memory.dmp healer behavioral1/memory/4448-42-0x0000000004AC0000-0x0000000004AD2000-memory.dmp healer behavioral1/memory/4448-40-0x0000000004AC0000-0x0000000004AD2000-memory.dmp healer behavioral1/memory/4448-38-0x0000000004AC0000-0x0000000004AD2000-memory.dmp healer behavioral1/memory/4448-36-0x0000000004AC0000-0x0000000004AD2000-memory.dmp healer behavioral1/memory/4448-34-0x0000000004AC0000-0x0000000004AD2000-memory.dmp healer behavioral1/memory/4448-32-0x0000000004AC0000-0x0000000004AD2000-memory.dmp healer behavioral1/memory/4448-30-0x0000000004AC0000-0x0000000004AD2000-memory.dmp healer behavioral1/memory/4448-28-0x0000000004AC0000-0x0000000004AD2000-memory.dmp healer behavioral1/memory/4448-26-0x0000000004AC0000-0x0000000004AD2000-memory.dmp healer behavioral1/memory/4448-24-0x0000000004AC0000-0x0000000004AD2000-memory.dmp healer behavioral1/memory/4448-22-0x0000000004AC0000-0x0000000004AD2000-memory.dmp healer behavioral1/memory/4448-20-0x0000000004AC0000-0x0000000004AD2000-memory.dmp healer behavioral1/memory/4448-19-0x0000000004AC0000-0x0000000004AD2000-memory.dmp healer -
Healer family
-
Processes:
k4481314.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection k4481314.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" k4481314.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" k4481314.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" k4481314.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" k4481314.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" k4481314.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7636927.exe family_redline behavioral1/memory/3136-56-0x0000000000ED0000-0x0000000000EF8000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
Processes:
y0670110.exek4481314.exel7636927.exepid process 5032 y0670110.exe 4448 k4481314.exe 3136 l7636927.exe -
Processes:
k4481314.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" k4481314.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features k4481314.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
82b31d393153b2f47d9e7ed44d9d61943a98478062daace89a7ded14cab6da3b.exey0670110.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 82b31d393153b2f47d9e7ed44d9d61943a98478062daace89a7ded14cab6da3b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" y0670110.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
82b31d393153b2f47d9e7ed44d9d61943a98478062daace89a7ded14cab6da3b.exey0670110.exek4481314.exel7636927.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82b31d393153b2f47d9e7ed44d9d61943a98478062daace89a7ded14cab6da3b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language y0670110.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k4481314.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language l7636927.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
k4481314.exepid process 4448 k4481314.exe 4448 k4481314.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
k4481314.exedescription pid process Token: SeDebugPrivilege 4448 k4481314.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
82b31d393153b2f47d9e7ed44d9d61943a98478062daace89a7ded14cab6da3b.exey0670110.exedescription pid process target process PID 4648 wrote to memory of 5032 4648 82b31d393153b2f47d9e7ed44d9d61943a98478062daace89a7ded14cab6da3b.exe y0670110.exe PID 4648 wrote to memory of 5032 4648 82b31d393153b2f47d9e7ed44d9d61943a98478062daace89a7ded14cab6da3b.exe y0670110.exe PID 4648 wrote to memory of 5032 4648 82b31d393153b2f47d9e7ed44d9d61943a98478062daace89a7ded14cab6da3b.exe y0670110.exe PID 5032 wrote to memory of 4448 5032 y0670110.exe k4481314.exe PID 5032 wrote to memory of 4448 5032 y0670110.exe k4481314.exe PID 5032 wrote to memory of 4448 5032 y0670110.exe k4481314.exe PID 5032 wrote to memory of 3136 5032 y0670110.exe l7636927.exe PID 5032 wrote to memory of 3136 5032 y0670110.exe l7636927.exe PID 5032 wrote to memory of 3136 5032 y0670110.exe l7636927.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\82b31d393153b2f47d9e7ed44d9d61943a98478062daace89a7ded14cab6da3b.exe"C:\Users\Admin\AppData\Local\Temp\82b31d393153b2f47d9e7ed44d9d61943a98478062daace89a7ded14cab6da3b.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0670110.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0670110.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4481314.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4481314.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4448 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7636927.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7636927.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3136
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
308KB
MD5c3fa2d0d717ac45cb2a29621d0861b03
SHA192b2caa17b1de587131039297dc9c27e24f128f0
SHA256afd7c5efec0d1a8c660642759dc1b16d902e7edb97c637b263871ecb49f64d42
SHA512d8f15e29279b0cc7e4dc5989967e07aaaa6419a9399420d68696dc06d19e0990dba2daa3fa0180d7e1dd816ac4846c82d6641df22ebc74507b20724896a1defe
-
Filesize
175KB
MD5ba2004d0f8427485e672ac607c9874f4
SHA18b9fd4040f5d74e106c8e3cb16fe6956951929df
SHA256796a305eb569ad3632153acd4352173937cca11d5ededa1ae208f386b5c78d84
SHA512644bdf807a73f7e1fedeeda48273d737d954c149cf7fc3d6a33c2fd212c88cf74fd4a71f855096049f5c416c810789fb670e7521f77d77d937d6ef96c4aa5c1b
-
Filesize
136KB
MD5baced8ac7fcd7922cb9fac0d54da33b4
SHA120b7db9150687cc1fcfbf534c6d7d519a7e399cc
SHA256287e4f73c0b8881040446d3054c8220d23b1bcd6f7ad37c7ffd1c389a4f8b215
SHA51259190b14619c6f5a22358fdd77f41279c045f743ac4d7961f0df8f9c5c82343409856397409e7dd5ae8ffc8d0cd9fe3369b8d30eacf4501ad9f900fd431b2187