Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 02:07
Static task: static1
Behavioral task: behavioral1
Sample: 7452081f0b73bc075618151342460bc68926e6e529f8721e38780550edfa0bc4.exe
Resource: win10v2004-20241007-en
General
Target: 7452081f0b73bc075618151342460bc68926e6e529f8721e38780550edfa0bc4.exe
Size: 694KB
MD5: e75d4b8fdcc12dbcadea1b0b47cbd3dd
SHA1: 4466d8e990ab6ca55e39acc22c8c1ad4377ac841
SHA256: 7452081f0b73bc075618151342460bc68926e6e529f8721e38780550edfa0bc4
SHA512: 3451469e016ee6323b331010ac057a5c5b299722ea3695d078b8b613aa13533d35f2f0f8efa6a999f0d8c7cc3afbccfc59a56a95218b5ac0d7a3176c3a47280c
SSDEEP: 12288:qy90eSIGz7Q2xHamQO304IPENr8XtMIlwrMaCqvlJRNg0tthHrYEeZWtkQ2iS7B:qyhGNamQO3dYEZ8XsYe3BrGASt/9
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper 17 IoCs
Processes:
resource | yara_rule
behavioral1/memory/4592-18-0x00000000047F0000-0x000000000480A000-memory.dmp | healer
behavioral1/memory/4592-20-0x0000000004AE0000-0x0000000004AF8000-memory.dmp | healer
behavioral1/memory/4592-36-0x0000000004AE0000-0x0000000004AF3000-memory.dmp | healer
behavioral1/memory/4592-44-0x0000000004AE0000-0x0000000004AF3000-memory.dmp | healer
behavioral1/memory/4592-48-0x0000000004AE0000-0x0000000004AF3000-memory.dmp | healer
behavioral1/memory/4592-46-0x0000000004AE0000-0x0000000004AF3000-memory.dmp | healer
behavioral1/memory/4592-42-0x0000000004AE0000-0x0000000004AF3000-memory.dmp | healer
behavioral1/memory/4592-40-0x0000000004AE0000-0x0000000004AF3000-memory.dmp | healer
behavioral1/memory/4592-38-0x0000000004AE0000-0x0000000004AF3000-memory.dmp | healer
behavioral1/memory/4592-34-0x0000000004AE0000-0x0000000004AF3000-memory.dmp | healer
behavioral1/memory/4592-32-0x0000000004AE0000-0x0000000004AF3000-memory.dmp | healer
behavioral1/memory/4592-31-0x0000000004AE0000-0x0000000004AF3000-memory.dmp | healer
behavioral1/memory/4592-29-0x0000000004AE0000-0x0000000004AF3000-memory.dmp | healer
behavioral1/memory/4592-27-0x0000000004AE0000-0x0000000004AF3000-memory.dmp | healer
behavioral1/memory/4592-24-0x0000000004AE0000-0x0000000004AF3000-memory.dmp | healer
behavioral1/memory/4592-22-0x0000000004AE0000-0x0000000004AF3000-memory.dmp | healer
behavioral1/memory/4592-21-0x0000000004AE0000-0x0000000004AF3000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 53793158.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 53793158.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 53793158.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 53793158.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 53793158.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 53793158.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 20 IoCs
Processes:
resource | yara_rule
behavioral1/memory/4244-60-0x0000000004770000-0x00000000047AC000-memory.dmp | family_redline
behavioral1/memory/4244-61-0x0000000007190000-0x00000000071CA000-memory.dmp | family_redline
behavioral1/memory/4244-73-0x0000000007190000-0x00000000071C5000-memory.dmp | family_redline
behavioral1/memory/4244-75-0x0000000007190000-0x00000000071C5000-memory.dmp | family_redline
behavioral1/memory/4244-95-0x0000000007190000-0x00000000071C5000-memory.dmp | family_redline
behavioral1/memory/4244-93-0x0000000007190000-0x00000000071C5000-memory.dmp | family_redline
behavioral1/memory/4244-92-0x0000000007190000-0x00000000071C5000-memory.dmp | family_redline
behavioral1/memory/4244-89-0x0000000007190000-0x00000000071C5000-memory.dmp | family_redline
behavioral1/memory/4244-87-0x0000000007190000-0x00000000071C5000-memory.dmp | family_redline
behavioral1/memory/4244-85-0x0000000007190000-0x00000000071C5000-memory.dmp | family_redline
behavioral1/memory/4244-83-0x0000000007190000-0x00000000071C5000-memory.dmp | family_redline
behavioral1/memory/4244-81-0x0000000007190000-0x00000000071C5000-memory.dmp | family_redline
behavioral1/memory/4244-79-0x0000000007190000-0x00000000071C5000-memory.dmp | family_redline
behavioral1/memory/4244-77-0x0000000007190000-0x00000000071C5000-memory.dmp | family_redline
behavioral1/memory/4244-71-0x0000000007190000-0x00000000071C5000-memory.dmp | family_redline
behavioral1/memory/4244-69-0x0000000007190000-0x00000000071C5000-memory.dmp | family_redline
behavioral1/memory/4244-67-0x0000000007190000-0x00000000071C5000-memory.dmp | family_redline
behavioral1/memory/4244-65-0x0000000007190000-0x00000000071C5000-memory.dmp | family_redline
behavioral1/memory/4244-63-0x0000000007190000-0x00000000071C5000-memory.dmp | family_redline
behavioral1/memory/4244-62-0x0000000007190000-0x00000000071C5000-memory.dmp | family_redline
Redline family
Executes dropped EXE 3 IoCs
Processes:
pid | Process
5000 | un482618.exe
4592 | 53793158.exe
4244 | rk320658.exe
Windows security modification
Processes:
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 53793158.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 53793158.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un482618.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 7452081f0b73bc075618151342460bc68926e6e529f8721e38780550edfa0bc4.exe
Program crash 1 IoCs
Processes:
pid | pid_target | Process | procid_target
2152 | 4592 | WerFault.exe | 86
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7452081f0b73bc075618151342460bc68926e6e529f8721e38780550edfa0bc4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un482618.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 53793158.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rk320658.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | Process
4592 | 53793158.exe
4592 | 53793158.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | Process
Token: SeDebugPrivilege | 4592 | 53793158.exe
Token: SeDebugPrivilege | 4244 | rk320658.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | Process | procid_target
PID 1000 wrote to memory of 5000 | 1000 | 7452081f0b73bc075618151342460bc68926e6e529f8721e38780550edfa0bc4.exe | 85
PID 1000 wrote to memory of 5000 | 1000 | 7452081f0b73bc075618151342460bc68926e6e529f8721e38780550edfa0bc4.exe | 85
PID 1000 wrote to memory of 5000 | 1000 | 7452081f0b73bc075618151342460bc68926e6e529f8721e38780550edfa0bc4.exe | 85
PID 5000 wrote to memory of 4592 | 5000 | un482618.exe | 86
PID 5000 wrote to memory of 4592 | 5000 | un482618.exe | 86
PID 5000 wrote to memory of 4592 | 5000 | un482618.exe | 86
PID 5000 wrote to memory of 4244 | 5000 | un482618.exe | 100
PID 5000 wrote to memory of 4244 | 5000 | un482618.exe | 100
PID 5000 wrote to memory of 4244 | 5000 | un482618.exe | 100
Processes
C:\Users\Admin\AppData\Local\Temp\7452081f0b73bc075618151342460bc68926e6e529f8721e38780550edfa0bc4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7452081f0b73bc075618151342460bc68926e6e529f8721e38780550edfa0bc4.exe"
  PID: 1000
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un482618.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un482618.exe
    PID: 5000
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53793158.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53793158.exe
      PID: 4592
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1084
        PID: 2152
        - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk320658.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk320658.exe
      PID: 4244
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4592 -ip 4592
  PID: 3624
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution 1
  - Registry Run Keys / Startup Folder 1
- Create or Modify System Process 1
  - Windows Service 1
Downloads
-
Filesize: 540KB
MD5: c65bf75896e3f6923c0daf944a059017
SHA1: 1afd2118ed8f8e3a9bd26ae6c9ae30891674d6f1
SHA256: b0c1cc3a8f9df45370e463023c0ee2c639388bd3d19e7f76ba63b4f808fa3c28
SHA512: 9555921b9659fc51651c386776bc21b31667ea2934a4e029cf0e754fb7b5737f24648bc8438b4cd31adbf3d12815e831f72853665d6a06f872ce4da679f86d51
-
Filesize: 258KB
MD5: 76084ba1b90f376537fb4e7421e9edc0
SHA1: c7653de743956300964b46e905bbd60705d586ba
SHA256: c00021437ee70d7f124c2ed27b4c0ab99068bd55e22bf751f029eece6f4f3f12
SHA512: 58e693c2e38de2f959e41885f83e9ac1e5b5471a2e1523a79cabfc8ba0493a953c41fb475d01f5f92b3b5bb3bb637ad5d1edaf4563020cd4975c18181f7d1a20
-
Filesize: 340KB
MD5: e5206206bb376eb7b4064a25a2ce6054
SHA1: 59df27fb8d45f8407472b19027a1c1416232aa40
SHA256: 84e16e59ee535b63c5e6950ee69d1d9a3e84819e9368597fe93c866775613b44
SHA512: 46432a01350a43b499deb16487528a5b8dc7d869c8af6a7032a0194238760532e184208ea3d088d1c5be34846c981081568ea0f4e6f7e9af058d0617cf1b53d9