Analysis
- max time kernel: 144s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-11-2024 01:35

Static task: static1
Behavioral task: behavioral1
- Sample: 479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da.exe
- Resource: win10v2004-20241007-en

General
- Target: 479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da.exe
- Size: 701KB
- MD5: 67446d2a011827c1a4b04aee56e3891b
- SHA1: 54efb24003bcf2f68cd0ce6bc983d2be73426947
- SHA256: 479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da
- SHA512: c3522129a8125c161a151f86d80df119908dcb15b9f4f661f940c931391fb8ea3d0243f6bf119549b613de3fe5c1f7b2bec8264acbf237482cf636519c16bd11
- SSDEEP: 12288:Dy90l5em2UNGtvak4ULYHM33L8EG2/o9waqQFbGprQ9bt825Y:DyOem2UNELYHM3pGLwtEcUpj5Y
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings
Processes:
- 02170913.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- 02170913.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- 02170913.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
- 02170913.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- 02170913.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- 02170913.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Redline family

Executes dropped EXE (3 IoCs)
Processes:
- PID 3244: un667618.exe
- PID 3688: 02170913.exe
- PID 956: rk469242.exe
Windows security modification
Processes:
- 02170913.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
- 02170913.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- 479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- un667618.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Program crash (1 IoC)
Processes:
- PID 4812 WerFault.exe, target PID 3688 (02170913.exe)
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- rk469242.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- 479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- un667618.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- 02170913.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- PID 3688: 02170913.exe
- PID 3688: 02170913.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- 02170913.exe (PID 3688): Token: SeDebugPrivilege
- rk469242.exe (PID 956): Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
- PID 1076 wrote to memory of 3244 (479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da.exe -> un667618.exe)
- PID 1076 wrote to memory of 3244 (479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da.exe -> un667618.exe)
- PID 1076 wrote to memory of 3244 (479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da.exe -> un667618.exe)
- PID 3244 wrote to memory of 3688 (un667618.exe -> 02170913.exe)
- PID 3244 wrote to memory of 3688 (un667618.exe -> 02170913.exe)
- PID 3244 wrote to memory of 3688 (un667618.exe -> 02170913.exe)
- PID 3244 wrote to memory of 956 (un667618.exe -> rk469242.exe)
- PID 3244 wrote to memory of 956 (un667618.exe -> rk469242.exe)
- PID 3244 wrote to memory of 956 (un667618.exe -> rk469242.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1076
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un667618.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un667618.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3244
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\02170913.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\02170913.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3688
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 1080
        - Program crash
        PID: 4812
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk469242.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk469242.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 956
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3688 -ip 3688
  PID: 1156
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads