Analysis
- max time kernel: 138s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-11-2024 01:24
- Static task: static1
- Behavioral task: behavioral1
  - Sample: f14639d64b4666d95ebfadc7e1aad1e4e93d44d959fbdfcf7595754155796e9d.exe
  - Resource: win10v2004-20241007-en
General
- Target: f14639d64b4666d95ebfadc7e1aad1e4e93d44d959fbdfcf7595754155796e9d.exe
- Size: 479KB
- MD5: 2620c27f4eb61df0874ec57aa6fa115f
- SHA1: 94650e3ab39743ba203cc4cd97dac7406ef468d7
- SHA256: f14639d64b4666d95ebfadc7e1aad1e4e93d44d959fbdfcf7595754155796e9d
- SHA512: 175c5b24a36ae85ed0035f067bc72d23e7f5f47a3b42c392aa74b3f7c5e3bd1032e106ffcf0264a1367e6e481fde3a107a7953413162c3bd055785189205d5d5
- SSDEEP: 12288:RMrby90xQjj9md/NMr5cXOi0lazZamg2:yyOQjjW/NGcXOroZ
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Processes: YARA rule "healer" matched on 17 memory dumps of PID 528 (a7253491.exe)
Healer family

Modifies Windows Defender Real-time Protection settings
Processes: a7253491.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (a7253491.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (a7253491.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (a7253491.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (a7253491.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (a7253491.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (a7253491.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (2 IoCs)
Resource / YARA rule:
- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6222129.exe: family_redline
- behavioral1/memory/4424-55-0x0000000000AC0000-0x0000000000AE8000-memory.dmp: family_redline
RedLine family
Executes dropped EXE (3 IoCs)
Processes (PID / process):
- 4576 v4016258.exe
- 528 a7253491.exe
- 4424 b6222129.exe
Windows security modification
Processes: a7253491.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (a7253491.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (a7253491.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: f14639d64b4666d95ebfadc7e1aad1e4e93d44d959fbdfcf7595754155796e9d.exe, v4016258.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (f14639d64b4666d95ebfadc7e1aad1e4e93d44d959fbdfcf7595754155796e9d.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (v4016258.exe)
Note: wextract_cleanup RunOnce values that invoke advpack.dll,DelNodeRunDLL32 are written by the Windows IExpress/wextract self-extractor to delete its IXP00N.TMP extraction directory at the next logon; the command deletes the directory rather than launching the payload, so the two values here indicate a nested self-extracting package (IXP000.TMP inside IXP001.TMP) rather than an autostart of the dropped executables.
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: a7253491.exe, b6222129.exe, f14639d64b4666d95ebfadc7e1aad1e4e93d44d959fbdfcf7595754155796e9d.exe, v4016258.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (a7253491.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (b6222129.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (f14639d64b4666d95ebfadc7e1aad1e4e93d44d959fbdfcf7595754155796e9d.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (v4016258.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (PID / process):
- 528 a7253491.exe
- 528 a7253491.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description / PID / process):
- Token: SeDebugPrivilege, 528 a7253491.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description / PID / process -> target process):
- PID 4756 wrote to memory of 4576: f14639d64b4666d95ebfadc7e1aad1e4e93d44d959fbdfcf7595754155796e9d.exe -> v4016258.exe
- PID 4756 wrote to memory of 4576: f14639d64b4666d95ebfadc7e1aad1e4e93d44d959fbdfcf7595754155796e9d.exe -> v4016258.exe
- PID 4756 wrote to memory of 4576: f14639d64b4666d95ebfadc7e1aad1e4e93d44d959fbdfcf7595754155796e9d.exe -> v4016258.exe
- PID 4576 wrote to memory of 528: v4016258.exe -> a7253491.exe
- PID 4576 wrote to memory of 528: v4016258.exe -> a7253491.exe
- PID 4576 wrote to memory of 528: v4016258.exe -> a7253491.exe
- PID 4576 wrote to memory of 4424: v4016258.exe -> b6222129.exe
- PID 4576 wrote to memory of 4424: v4016258.exe -> b6222129.exe
- PID 4576 wrote to memory of 4424: v4016258.exe -> b6222129.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\f14639d64b4666d95ebfadc7e1aad1e4e93d44d959fbdfcf7595754155796e9d.exe (PID 4756, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f14639d64b4666d95ebfadc7e1aad1e4e93d44d959fbdfcf7595754155796e9d.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4016258.exe (PID 4576, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4016258.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7253491.exe (PID 528, depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7253491.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6222129.exe (PID 4424, depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6222129.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads
- Filesize: 307KB
  MD5: 8b2bf3e1652aff63e4d22d6dd6c25087
  SHA1: f08b5ab3149468a403e555310ec8862e504ccea6
  SHA256: 114257f2d1ae1d88af20672d688d7ec470f95f93d8a951973a01c588debe07ee
  SHA512: 1c5dacb380045f320a9ed3d296b1771e1318b58668b39759540f21552ae7fe9f7e7fc0dc3409fd56b1976dc2271eaa4589f9c2164265b5a52994df7b3782960d
- Filesize: 175KB
  MD5: 197d1afe8075c7d4011214ffac8d57ca
  SHA1: 2d513299f850c88625e2637f4af793348b315aa0
  SHA256: af5ad3b5ba589dab8b64055a378c9b9c6289c371f99fbe8ee8e1e9f24b147ee2
  SHA512: e7df23746eb313000a8ac4e260bda08dd427e05997a33121a9750662e8668112dc0d93e1e5a873bbf24b47edefc43a8f9b3360cc0eb38b47f632825c7582018f
- Filesize: 136KB
  MD5: a496b7590e9b479fdbd48cfdb646ce98
  SHA1: 6b05a192bd67dda1f380e145b8bae864126252a8
  SHA256: 3e81fa71814a0d5f2fbf24b10cbbdb6d630e00a6d1385b7d205d7e6eda3b8e25
  SHA512: bea3211487ff72e14553fa8d7970406e40a447326cd2c6a7e68553837593547cfdb325d5174b200715913ed54af747e8e012fbca53656ada205fafd205c97a3b