Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:45
Static task: static1
Behavioral task: behavioral1
Sample: 199c82537e4325aa9351d6647168b0e65af8abc6735595d7ccc5b0a018093ce1.exe
Resource: win10v2004-20241007-en
General
Target: 199c82537e4325aa9351d6647168b0e65af8abc6735595d7ccc5b0a018093ce1.exe
Size: 745KB
MD5: 254b95134bf1d7829756650efaad4358
SHA1: 05fd3ffa1e7e4712528680f24e8940695305c6f0
SHA256: 199c82537e4325aa9351d6647168b0e65af8abc6735595d7ccc5b0a018093ce1
SHA512: 6e868c15f3f15e93972d1d4d7124a020e5f0c83edaede84edff6511e4191bd427b8c0d2448054e473e473ea2a57b42462af7c72f15e4c33205db0b2f2d3469d4
SSDEEP: 12288:ay90wJroEVTB8NYkXHG1Qv6dYVJGZmLsUhgQUu13TdGBVBT9ERv5L0qIfWan:ayproEVT9kX/vffPt1jAVaRxtQn
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
YARA rule "healer" matched the following memory dumps of PID 4184 (83277377.exe):
resource | yara_rule
behavioral1/memory/4184-19-0x0000000002760000-0x000000000277A000-memory.dmp | healer
behavioral1/memory/4184-21-0x0000000002840000-0x0000000002858000-memory.dmp | healer
behavioral1/memory/4184-22-0x0000000002840000-0x0000000002852000-memory.dmp | healer
behavioral1/memory/4184-23-0x0000000002840000-0x0000000002852000-memory.dmp | healer
behavioral1/memory/4184-25-0x0000000002840000-0x0000000002852000-memory.dmp | healer
behavioral1/memory/4184-27-0x0000000002840000-0x0000000002852000-memory.dmp | healer
behavioral1/memory/4184-29-0x0000000002840000-0x0000000002852000-memory.dmp | healer
behavioral1/memory/4184-31-0x0000000002840000-0x0000000002852000-memory.dmp | healer
behavioral1/memory/4184-33-0x0000000002840000-0x0000000002852000-memory.dmp | healer
behavioral1/memory/4184-35-0x0000000002840000-0x0000000002852000-memory.dmp | healer
behavioral1/memory/4184-37-0x0000000002840000-0x0000000002852000-memory.dmp | healer
behavioral1/memory/4184-39-0x0000000002840000-0x0000000002852000-memory.dmp | healer
behavioral1/memory/4184-41-0x0000000002840000-0x0000000002852000-memory.dmp | healer
behavioral1/memory/4184-43-0x0000000002840000-0x0000000002852000-memory.dmp | healer
behavioral1/memory/4184-45-0x0000000002840000-0x0000000002852000-memory.dmp | healer
behavioral1/memory/4184-47-0x0000000002840000-0x0000000002852000-memory.dmp | healer
behavioral1/memory/4184-49-0x0000000002840000-0x0000000002852000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
These are the Group Policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection; setting one of the Disable* values to 1 turns that feature off. The report records the path in the 32-bit (WOW6432Node) view, so when hunting check both that path and the native HKLM\SOFTWARE\Policies\... path.
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 83277377.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 83277377.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 83277377.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 83277377.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 83277377.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 83277377.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
YARA rule "family_redline" matched the following memory dumps of PID 4820 (rk199717.exe):
resource | yara_rule
behavioral1/memory/4820-60-0x0000000004D10000-0x0000000004D4C000-memory.dmp | family_redline
behavioral1/memory/4820-61-0x00000000053B0000-0x00000000053EA000-memory.dmp | family_redline
behavioral1/memory/4820-62-0x00000000053B0000-0x00000000053E5000-memory.dmp | family_redline
behavioral1/memory/4820-63-0x00000000053B0000-0x00000000053E5000-memory.dmp | family_redline
behavioral1/memory/4820-65-0x00000000053B0000-0x00000000053E5000-memory.dmp | family_redline
behavioral1/memory/4820-67-0x00000000053B0000-0x00000000053E5000-memory.dmp | family_redline
behavioral1/memory/4820-69-0x00000000053B0000-0x00000000053E5000-memory.dmp | family_redline
behavioral1/memory/4820-71-0x00000000053B0000-0x00000000053E5000-memory.dmp | family_redline
behavioral1/memory/4820-73-0x00000000053B0000-0x00000000053E5000-memory.dmp | family_redline
behavioral1/memory/4820-75-0x00000000053B0000-0x00000000053E5000-memory.dmp | family_redline
behavioral1/memory/4820-77-0x00000000053B0000-0x00000000053E5000-memory.dmp | family_redline
behavioral1/memory/4820-79-0x00000000053B0000-0x00000000053E5000-memory.dmp | family_redline
behavioral1/memory/4820-81-0x00000000053B0000-0x00000000053E5000-memory.dmp | family_redline
behavioral1/memory/4820-83-0x00000000053B0000-0x00000000053E5000-memory.dmp | family_redline
behavioral1/memory/4820-85-0x00000000053B0000-0x00000000053E5000-memory.dmp | family_redline
behavioral1/memory/4820-87-0x00000000053B0000-0x00000000053E5000-memory.dmp | family_redline
behavioral1/memory/4820-89-0x00000000053B0000-0x00000000053E5000-memory.dmp | family_redline
behavioral1/memory/4820-91-0x00000000053B0000-0x00000000053E5000-memory.dmp | family_redline
behavioral1/memory/4820-93-0x00000000053B0000-0x00000000053E5000-memory.dmp | family_redline
behavioral1/memory/4820-95-0x00000000053B0000-0x00000000053E5000-memory.dmp | family_redline

Redline family
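The two YARA hit lists above (rule "healer" on PID 4184 and "family_redline" on PID 4820) repeat the same few address ranges across many dump indexes, which hides how few distinct regions there actually are to carve. The script below is an added example, not part of the sandbox report or of the sandbox's own tooling: it parses hit tokens in the report's flattened form and merges them into the distinct regions per process and rule. The sample input is a subset of the hits copied from the report; the function names and the half-open range semantics are this example's assumptions.

```python
"""Added example (not part of the sandbox report): consolidate YARA memory
hits of the form
    behavioral1/memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp <rule>
into the distinct address ranges per (pid, rule).
SAMPLE_HITS is a subset of the hits copied from the report text.
"""
import re
from typing import Dict, Iterable, Iterator, List, Tuple

Range = Tuple[int, int]          # [start, end) as reported by the sandbox
Key = Tuple[int, str]            # (pid, yara rule)

# One hit token; the report runs many of them together on a single line,
# so the parser scans the whole text instead of splitting on newlines.
HIT_RE = re.compile(
    r"(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)"
)

# Subset of the report's hits, in the flattened form the page shows.
SAMPLE_HITS = (
    "resource yara_rule "
    "behavioral1/memory/4184-19-0x0000000002760000-0x000000000277A000-memory.dmp healer "
    "behavioral1/memory/4184-21-0x0000000002840000-0x0000000002858000-memory.dmp healer "
    "behavioral1/memory/4184-22-0x0000000002840000-0x0000000002852000-memory.dmp healer "
    "behavioral1/memory/4820-60-0x0000000004D10000-0x0000000004D4C000-memory.dmp family_redline "
    "behavioral1/memory/4820-61-0x00000000053B0000-0x00000000053EA000-memory.dmp family_redline "
    "behavioral1/memory/4820-62-0x00000000053B0000-0x00000000053E5000-memory.dmp family_redline"
)


def parse_hits(text: str) -> Iterator[Tuple[int, str, int, int]]:
    """Yield (pid, rule, start, end) for every hit token found in the text."""
    for m in HIT_RE.finditer(text):
        yield int(m["pid"]), m["rule"], int(m["start"], 16), int(m["end"], 16)


def merge_ranges(ranges: Iterable[Range]) -> List[Range]:
    """Merge overlapping or touching [start, end) ranges into a sorted list."""
    merged: List[Range] = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def regions_by_family(text: str) -> Dict[Key, List[Range]]:
    """Distinct memory regions per (pid, rule), with overlaps collapsed."""
    groups: Dict[Key, List[Range]] = {}
    for pid, rule, start, end in parse_hits(text):
        groups.setdefault((pid, rule), []).append((start, end))
    return {key: merge_ranges(rs) for key, rs in groups.items()}


def describe(regions: Dict[Key, List[Range]]) -> List[str]:
    """One human-readable line per (pid, rule), sorted for stable output."""
    return [
        f"pid {pid} {rule}: "
        + ", ".join(f"0x{s:08X}-0x{e:08X} ({e - s:#x} bytes)" for s, e in rs)
        for (pid, rule), rs in sorted(regions.items())
    ]


if __name__ == "__main__":
    for line in describe(regions_by_family(SAMPLE_HITS)):
        print(line)
```

Run against the full hit lists above, the healer rule collapses to two regions of PID 4184 (0x02760000-0x0277A000 and 0x02840000-0x02858000) and the RedLine rule to two regions of PID 4820 (0x04D10000-0x04D4C000 and 0x053B0000-0x053EA000); those are the regions worth carving and diffing against the dropped files.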
Executes dropped EXE (3 IoCs)
pid | process
4764 | un566218.exe
4184 | 83277377.exe
4820 | rk199717.exe
Windows security modification (2 IoCs)
Writing TamperProtection = 0 under Windows Defender\Features is the Healer attempt to switch Tamper Protection off. The report records the registry operation as issued by 83277377.exe; it does not show whether Defender honoured the change.
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 83277377.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 83277377.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Both values are RunOnce entries named wextract_cleanup0/1 that run rundll32 advpack.dll,DelNodeRunDLL32 against an IXP00n.TMP folder. That is the cleanup entry the Windows IExpress/WExtract self-extractor registers to delete its temporary folder at next logon: it shows that the sample and un566218.exe are nested IExpress packages, not that the malware persists through a Run key.
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 199c82537e4325aa9351d6647168b0e65af8abc6735595d7ccc5b0a018093ce1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un566218.exe
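The three registry signatures above (the Real-Time Protection policy values, the TamperProtection write and the RunOnce entries) all appear in the report in the shape `<op> <path> = "<value>" <process>`. The script below is an added example, not part of the report or of any sandbox tooling: it parses those lines and turns them into findings, collapsing the WOW6432Node view so a rule written against the native path also matches 32-bit writers, and separating the IExpress cleanup RunOnce entries from genuine autostart entries. Rule names, severities and the parser are this example's assumptions; SAMPLE_REPORT is copied from the report text.

```python
"""Added example, not part of the sandbox report: classify the registry IoC
lines printed in the report into findings.  Rule names, severities and the
parser are this example's assumptions; SAMPLE_REPORT is copied from the
report text.

Line shape understood:  <op> <registry path>[ = "<value>"] <process image>
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

OPS = ("Set value (int)", "Set value (str)", "Key created", "Key opened")

# Group Policy values under Real-Time Protection: Disable* = 1 switches a feature off.
DEFENDER_RTP = "\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\"
# Healer-style attempt to switch Tamper Protection off.
DEFENDER_TAMPER = "\\Microsoft\\Windows Defender\\Features\\TamperProtection"
RUN_KEYS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\")
# IExpress/WExtract self-extractors register this RunOnce entry to delete their
# IXP###.TMP folder at next logon: cleanup, not persistence.
IEXPRESS_CLEANUP = "advpack.dll,DelNodeRunDLL32"

# Copied from the report (one NLS line included to show it is parsed but not flagged).
SAMPLE_REPORT = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 83277377.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 83277377.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 83277377.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 83277377.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 83277377.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 83277377.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 83277377.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 83277377.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 199c82537e4325aa9351d6647168b0e65af8abc6735595d7ccc5b0a018093ce1.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un566218.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rk199717.exe
'''
SAMPLE_IOCS = SAMPLE_REPORT.strip().splitlines()


@dataclass(frozen=True)
class RegistryIoc:
    op: str
    path: str              # exactly as the process wrote it (may be the WOW6432Node view)
    value: Optional[str]   # None for "Key created" / "Key opened"
    process: str

    @property
    def native_path(self) -> str:
        """Drop the WOW6432Node component so one rule covers 32- and 64-bit writers."""
        return self.path.replace("\\WOW6432Node", "")

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    process: str
    path: str
    value: Optional[str]


def parse_ioc(line: str) -> Optional[RegistryIoc]:
    """Parse one report line; return None for lines of another shape."""
    line = line.strip()
    op = next((o for o in OPS if line.startswith(o + " ")), None)
    if op is None:
        return None
    parts = line[len(op) + 1:].rsplit(" ", 1)   # the process image is the last token
    if len(parts) != 2:
        return None
    rest, process = parts
    path, value = rest, None
    if op.startswith("Set value") and " = " in rest:
        path, raw = rest.split(" = ", 1)
        value = raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw
    return RegistryIoc(op, path, value, process)


def classify(ioc: RegistryIoc) -> Optional[Finding]:
    """Map one registry IoC to a finding, or None if it is not interesting."""
    p = ioc.native_path
    if DEFENDER_RTP in p and ioc.name.startswith("Disable") and ioc.value == "1":
        return Finding("defender_realtime_feature_disabled", "high", ioc.process, p, ioc.value)
    if p.endswith(DEFENDER_TAMPER) and ioc.value == "0":
        return Finding("defender_tamper_protection_off", "high", ioc.process, p, ioc.value)
    if any(k in p for k in RUN_KEYS) and ioc.value is not None:
        if ioc.name.startswith("wextract_cleanup") and IEXPRESS_CLEANUP in ioc.value:
            return Finding("iexpress_cleanup_runonce", "info", ioc.process, p, ioc.value)
        return Finding("autostart_entry", "medium", ioc.process, p, ioc.value)
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    return [f for f in (classify(i) for i in map(parse_ioc, lines) if i) if f]


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_IOCS):
        print(f"{f.severity:6} {f.rule:36} {f.process}  {f.path} = {f.value!r}")
```

On the report's own lines this yields five high-severity Real-Time Protection findings and one TamperProtection finding, all from 83277377.exe, plus two informational IExpress cleanup entries; the "Key created" and "Key opened" lines parse but produce nothing, which is the point of separating the parse step from the classification step.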
Program crash (1 IoC)
The crashing process is 83277377.exe (PID 4184), the Healer component. Its Defender registry writes are still recorded above, so the crash does not mean the tampering attempt failed.
pid | pid_target | process | target process
3088 | 4184 | WerFault.exe | 83277377.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
All four processes in the chain opened the same key. Benign runtimes read it too, so on its own this is a weak indicator; it matters here only in combination with the Defender tampering and the RedLine payload.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 199c82537e4325aa9351d6647168b0e65af8abc6735595d7ccc5b0a018093ce1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un566218.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 83277377.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rk199717.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | process
4184 | 83277377.exe
4184 | 83277377.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 4184 | 83277377.exe
Token: SeDebugPrivilege | 4820 | rk199717.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Each parent/child pair is recorded three times; in every case the writer is the process that launched the target, giving the chain 3428 -> 4764 -> {4184, 4820}.
description | pid | process | target process
PID 3428 wrote to memory of 4764 | 3428 | 199c82537e4325aa9351d6647168b0e65af8abc6735595d7ccc5b0a018093ce1.exe | un566218.exe
PID 3428 wrote to memory of 4764 | 3428 | 199c82537e4325aa9351d6647168b0e65af8abc6735595d7ccc5b0a018093ce1.exe | un566218.exe
PID 3428 wrote to memory of 4764 | 3428 | 199c82537e4325aa9351d6647168b0e65af8abc6735595d7ccc5b0a018093ce1.exe | un566218.exe
PID 4764 wrote to memory of 4184 | 4764 | un566218.exe | 83277377.exe
PID 4764 wrote to memory of 4184 | 4764 | un566218.exe | 83277377.exe
PID 4764 wrote to memory of 4184 | 4764 | un566218.exe | 83277377.exe
PID 4764 wrote to memory of 4820 | 4764 | un566218.exe | rk199717.exe
PID 4764 wrote to memory of 4820 | 4764 | un566218.exe | rk199717.exe
PID 4764 wrote to memory of 4820 | 4764 | un566218.exe | rk199717.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\199c82537e4325aa9351d6647168b0e65af8abc6735595d7ccc5b0a018093ce1.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\199c82537e4325aa9351d6647168b0e65af8abc6735595d7ccc5b0a018093ce1.exe"
   PID 3428
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un566218.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un566218.exe
      PID 4764
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\83277377.exe
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\83277377.exe
         PID 4184
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         4. C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 1048
            PID 3088
            - Program crash
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk199717.exe
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk199717.exe
         PID 4820
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4184 -ip 4184
   PID 2940
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)
The Run Keys mapping rests on the two RunOnce wextract_cleanup values, which are self-extractor cleanup entries rather than a persistence mechanism, and no signature in this report shows a service being created or modified; treat both mappings as weakly supported by the listed IoCs.
Downloads
Hashes of the additional files the sandbox captured during the run; the report does not map them to the dropped file names above.

Filesize: 591KB
MD5: ae2e8f759408c410e2347b43007d17ef
SHA1: 331840886c1d617560d7343b75f1fc0e42690714
SHA256: 556e233d20f5e9a90d9c8e0315721b06f5f9151189f0813d08129b50fc3fcfbd
SHA512: 38d6209cb7516e9b6aa8c83122a8d03533799b6373c3a5ac131a8bad0bb2896f1e95a09e3070f7064011679d2c7d60a9827d426fb640081ba3ec083db2e7e75d

Filesize: 377KB
MD5: f8a8914ab5c02581caddfef602c54250
SHA1: 296eb611d900bf94b958e5426dc918414542db17
SHA256: 9566c7b7ca5ebb2a92214312ac0d76f0dd4fb412dce161105c38ddd65249aa52
SHA512: fe2d72856f45c7c2d85b4f31d42d0bc81c414afd809da449a8bcdb515e178c1fda74e7394e7dab8013969069a4ab95a57d9173e447c38624619a42d8759b343c

Filesize: 461KB
MD5: 19b12aa5787642e1e179ddd07cda9d19
SHA1: 827a387312344fdd1afda5f5f6d2da4ecfce311d
SHA256: 6748303adaeef890a8d259895df64b1dbcb4ee4738862fe36fe037110d918cc7
SHA512: dda89b0603c30a2c498ec8f04762864d727079d32b1f3ee62717c715ae133f5b647fb8aead4693b9909342e18b3bb9301c5b64670b65d9783d13ec626c65bd4b