Analysis
- max time kernel: 143s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-11-2024 01:24
- Static task: static1
- Behavioral task: behavioral1
- Sample: 306e1f227d460e2811161a9db8d2eb52a2368b2f98870fa146a9c299cc0a075c.exe
- Resource: win10v2004-20241007-en
General
- Target: 306e1f227d460e2811161a9db8d2eb52a2368b2f98870fa146a9c299cc0a075c.exe
- Size: 697KB
- MD5: 7cdaf3891ba1c064b6600038eac7e8bb
- SHA1: f020fadd69c223e97f9c1c6f796303108dbce9e9
- SHA256: 306e1f227d460e2811161a9db8d2eb52a2368b2f98870fa146a9c299cc0a075c
- SHA512: bd3e821c2ed19952922086c16ad0c72edde5fcd82b8c3dac3ead2edf74eab4c2712c325456f276b0011185e4991e7d8211896ea8b91b42b0668c8aef4debe455
- SSDEEP: 12288:Sy90xXSiNGWPBtwmUeCunQDoZ5Dzz74oBHgKkW5r84gjlnRDnwA:Sy2xNXZtxPQDo3XzVBAKkWp84gjlnRDz
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family
Modifies Windows Defender Real-time Protection settings (6 IoCs)
Processes (description, IoC, process):
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (70066856.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (70066856.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (70066856.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (70066856.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (70066856.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (70066856.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Redline family
Executes dropped EXE (3 IoCs)
Processes (PID, process):
- 4452 un839051.exe
- 4664 70066856.exe
- 3436 rk425345.exe
Windows security modification (2 IoCs)
Processes (description, IoC, process):
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (70066856.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (70066856.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, IoC, process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (306e1f227d460e2811161a9db8d2eb52a2368b2f98870fa146a9c299cc0a075c.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un839051.exe)
Program crash (1 IoC)
Processes (PID, target PID, process, target process):
- PID 3100 WerFault.exe, target PID 4664 70066856.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description, IoC, process):
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (306e1f227d460e2811161a9db8d2eb52a2368b2f98870fa146a9c299cc0a075c.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (un839051.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (70066856.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rk425345.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (PID, process):
- 4664 70066856.exe
- 4664 70066856.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, PID, process):
- Token: SeDebugPrivilege, 4664 70066856.exe
- Token: SeDebugPrivilege, 3436 rk425345.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description, PID, process, target process):
- PID 1648 wrote to memory of 4452: 306e1f227d460e2811161a9db8d2eb52a2368b2f98870fa146a9c299cc0a075c.exe, target un839051.exe
- PID 1648 wrote to memory of 4452: 306e1f227d460e2811161a9db8d2eb52a2368b2f98870fa146a9c299cc0a075c.exe, target un839051.exe
- PID 1648 wrote to memory of 4452: 306e1f227d460e2811161a9db8d2eb52a2368b2f98870fa146a9c299cc0a075c.exe, target un839051.exe
- PID 4452 wrote to memory of 4664: un839051.exe, target 70066856.exe
- PID 4452 wrote to memory of 4664: un839051.exe, target 70066856.exe
- PID 4452 wrote to memory of 4664: un839051.exe, target 70066856.exe
- PID 4452 wrote to memory of 3436: un839051.exe, target rk425345.exe
- PID 4452 wrote to memory of 3436: un839051.exe, target rk425345.exe
- PID 4452 wrote to memory of 3436: un839051.exe, target rk425345.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\306e1f227d460e2811161a9db8d2eb52a2368b2f98870fa146a9c299cc0a075c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\306e1f227d460e2811161a9db8d2eb52a2368b2f98870fa146a9c299cc0a075c.exe"
  PID: 1648
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un839051.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un839051.exe
    PID: 4452
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe
      PID: 4664
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1080
        PID: 3100
        - Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk425345.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk425345.exe
      PID: 3436
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4664 -ip 4664
  PID: 1736
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Filesize: 543KB
  MD5: a816665649e8b31563038aab9464c6da
  SHA1: a113ecef58936c2088e5b106cba26d267592bf23
  SHA256: 0b98a3d0a64632829d59796035197460f674dc1ded9cf8c536b597ea90556dbb
  SHA512: 011f42de856849dfb0b856743d557f63005ce8daa27717b55e1a2488b8e9193a5ecd6b7fdbe2e201d7871c3417fca120946ff7805bdf865e4650293ffbde52fe
- Filesize: 265KB
  MD5: 8ec563df95566e56d6784a8e9bdb04d8
  SHA1: 547d38be6d52cd23baa1e86231f9ded7186dc1af
  SHA256: 6a2585cdd649bb863a04f967a955974677abd545e7dfc8a1bfedfa8759fb490a
  SHA512: b8b9b4b9be6df8f462d1641295a9d6d679128713f9388233570aea31ae6a18402aa2ed8043c68e0b112ded39162f24469a1a903271c7f34cc81d71ae8ea7e9c9
- Filesize: 347KB
  MD5: a2bc961c8491d30c1e308fd1fc4cc7d7
  SHA1: e6e365d715882b08ae649031b861b9519b25b4ca
  SHA256: 16116788d2c4eb69910c5f3ec7cbe2fdbb933ddbbef7699f408d56c7db5688af
  SHA512: 5093abe741ec3f4eac8534014770526c403f812450d446a6a9cd86343ab138362c63dfc49be0bbe7cc553726a5a69de20d12ae54179168e0876061675b53b860