Analysis
max time kernel: 142s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:41
Static task: static1
Behavioral task: behavioral1
Sample: 4eea796403a7698011eb87b98fa7c56b8f93ec607f869a69ac7211a77f9aec8a.exe
Resource: win10v2004-20241007-en
General
Target: 4eea796403a7698011eb87b98fa7c56b8f93ec607f869a69ac7211a77f9aec8a.exe
Size: 1.0MB
MD5: a4a761bbbe236424c0f5679dc669c1da
SHA1: 57620fe2dc503b26ee2499f6f9bf55c64c7a4167
SHA256: 4eea796403a7698011eb87b98fa7c56b8f93ec607f869a69ac7211a77f9aec8a
SHA512: 1c0d866592ea86933827d7fd4661e6b5a04134c3176ec78be5fff32e1836cf1502b5da0d610c571a91079b60b18a185e125d03593fe46523906f8ae20a6a3c89
SSDEEP: 24576:nyqPeXFiGioM9czm2/aSOZFppqFLzJ4bRk:yRFEoMDSMX
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (pr489644.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (pr489644.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (pr489644.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (pr489644.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (pr489644.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (pr489644.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Redline family

Executes dropped EXE (4 IoCs)
  PID 2304  un993681.exe
  PID 2064  un727065.exe
  PID 3820  pr489644.exe
  PID 3600  qu511123.exe
Windows security modification
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (pr489644.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (pr489644.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (4eea796403a7698011eb87b98fa7c56b8f93ec607f869a69ac7211a77f9aec8a.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un993681.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (un727065.exe)
Program crash (1 IoC)
  PID 1728  WerFault.exe  (target: PID 3820 pr489644.exe)
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 4eea796403a7698011eb87b98fa7c56b8f93ec607f869a69ac7211a77f9aec8a.exe, un993681.exe, un727065.exe, pr489644.exe and qu511123.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3820  pr489644.exe  (recorded twice)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 3820  pr489644.exe
  Token: SeDebugPrivilege  PID 3600  qu511123.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 4036 (4eea796403a7698011eb87b98fa7c56b8f93ec607f869a69ac7211a77f9aec8a.exe) wrote to memory of PID 2304 (un993681.exe), 3 IoCs
  PID 2304 (un993681.exe) wrote to memory of PID 2064 (un727065.exe), 3 IoCs
  PID 2064 (un727065.exe) wrote to memory of PID 3820 (pr489644.exe), 3 IoCs
  PID 2064 (un727065.exe) wrote to memory of PID 3600 (qu511123.exe), 3 IoCs
Processes
[1] C:\Users\Admin\AppData\Local\Temp\4eea796403a7698011eb87b98fa7c56b8f93ec607f869a69ac7211a77f9aec8a.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\4eea796403a7698011eb87b98fa7c56b8f93ec607f869a69ac7211a77f9aec8a.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4036
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un993681.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un993681.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2304
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un727065.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un727065.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2064
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr489644.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr489644.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3820
        [5] C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 1104
            - Program crash
            PID: 1728
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu511123.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu511123.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 3600
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3820 -ip 3820
    PID: 3288
Network
MITRE ATT&CK Enterprise v15
Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)
Downloads