Analysis

max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/11/2024, 03:42
Static task: static1
Behavioral task: behavioral1
Sample: 643b209adc13c65bde61d0f89aea1b8a108e856521b0cdc989e96337dfc47e74.exe
Resource: win10v2004-20241007-en
General

Target: 643b209adc13c65bde61d0f89aea1b8a108e856521b0cdc989e96337dfc47e74.exe
Size: 707KB
MD5: 9c158591fb17366bae84ae1b4c8819ca
SHA1: f293b1e4179bda38fee0f3114352e333181490ed
SHA256: 643b209adc13c65bde61d0f89aea1b8a108e856521b0cdc989e96337dfc47e74
SHA512: 709f82af6ba675799821da06ac0aa548272fd885a61af212cc511e406b286aeef0249ae9b19c8910f406b421b8133c11ea326468830b3ef867c1077998cf519d
SSDEEP: 12288:zy90T3LvYPt0q8tinaH1d+0pRe8X4T7tOYI6z/cl85qIv:zyU7vYKQkHr7X4E6p9v
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)

resource | yara_rule
behavioral1/memory/4768-18-0x0000000004B40000-0x0000000004B5A000-memory.dmp | healer
behavioral1/memory/4768-20-0x0000000004BD0000-0x0000000004BE8000-memory.dmp | healer
behavioral1/memory/4768-21-0x0000000004BD0000-0x0000000004BE2000-memory.dmp | healer
behavioral1/memory/4768-28-0x0000000004BD0000-0x0000000004BE2000-memory.dmp | healer
behavioral1/memory/4768-48-0x0000000004BD0000-0x0000000004BE2000-memory.dmp | healer
behavioral1/memory/4768-46-0x0000000004BD0000-0x0000000004BE2000-memory.dmp | healer
behavioral1/memory/4768-44-0x0000000004BD0000-0x0000000004BE2000-memory.dmp | healer
behavioral1/memory/4768-42-0x0000000004BD0000-0x0000000004BE2000-memory.dmp | healer
behavioral1/memory/4768-40-0x0000000004BD0000-0x0000000004BE2000-memory.dmp | healer
behavioral1/memory/4768-38-0x0000000004BD0000-0x0000000004BE2000-memory.dmp | healer
behavioral1/memory/4768-36-0x0000000004BD0000-0x0000000004BE2000-memory.dmp | healer
behavioral1/memory/4768-34-0x0000000004BD0000-0x0000000004BE2000-memory.dmp | healer
behavioral1/memory/4768-32-0x0000000004BD0000-0x0000000004BE2000-memory.dmp | healer
behavioral1/memory/4768-30-0x0000000004BD0000-0x0000000004BE2000-memory.dmp | healer
behavioral1/memory/4768-26-0x0000000004BD0000-0x0000000004BE2000-memory.dmp | healer
behavioral1/memory/4768-24-0x0000000004BD0000-0x0000000004BE2000-memory.dmp | healer
behavioral1/memory/4768-22-0x0000000004BD0000-0x0000000004BE2000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr620006.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr620006.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr620006.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr620006.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr620006.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr620006.exe

All six writes come from pr620006.exe (PID 4768), the same process the Healer rule matches in memory, and are recorded under the WOW6432Node view, i.e. from a 32-bit process (the crash handler launched for it is the SysWOW64 WerFault.exe). Defender's Tamper Protection is designed to block policy changes of exactly this kind; the report does not record whether it was enabled on the sandbox image, so the effect of these writes on the running Defender instance cannot be read off this page.
RedLine

RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)

resource | yara_rule
behavioral1/memory/4688-60-0x0000000004B50000-0x0000000004B8C000-memory.dmp | family_redline
behavioral1/memory/4688-61-0x0000000007790000-0x00000000077CA000-memory.dmp | family_redline
behavioral1/memory/4688-81-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/4688-83-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/4688-95-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/4688-93-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/4688-91-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/4688-89-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/4688-87-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/4688-85-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/4688-79-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/4688-77-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/4688-76-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/4688-73-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/4688-71-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/4688-69-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/4688-67-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/4688-65-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/4688-63-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline
behavioral1/memory/4688-62-0x0000000007790000-0x00000000077C5000-memory.dmp | family_redline

Redline family
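The two YARA hit lists above (Healer and RedLine) name the same few memory regions many times over, one dump per sequence number, which hides the useful facts: which PID hosts which family and how large the matched regions are. The following Python, added here as an example and not part of the sandbox report, parses the sandbox's resource names (pid-seq-start-end, as in the rows above) and collapses repeated dumps of one region into a count. HITS is a constructed subset of the rows above; the regular expression and the field names are the example's own.

```python
import re
from collections import defaultdict

# Constructed subset of the report's YARA memory hits (Healer in PID 4768,
# RedLine in PID 4688). The sandbox names each dump
# <task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp.
HITS = [
    ("behavioral1/memory/4768-18-0x0000000004B40000-0x0000000004B5A000-memory.dmp", "healer"),
    ("behavioral1/memory/4768-20-0x0000000004BD0000-0x0000000004BE8000-memory.dmp", "healer"),
    ("behavioral1/memory/4768-21-0x0000000004BD0000-0x0000000004BE2000-memory.dmp", "healer"),
    ("behavioral1/memory/4768-28-0x0000000004BD0000-0x0000000004BE2000-memory.dmp", "healer"),
    ("behavioral1/memory/4688-60-0x0000000004B50000-0x0000000004B8C000-memory.dmp", "family_redline"),
    ("behavioral1/memory/4688-61-0x0000000007790000-0x00000000077CA000-memory.dmp", "family_redline"),
    ("behavioral1/memory/4688-81-0x0000000007790000-0x00000000077C5000-memory.dmp", "family_redline"),
    ("behavioral1/memory/4688-83-0x0000000007790000-0x00000000077C5000-memory.dmp", "family_redline"),
]

_RES = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_hit(resource, rule):
    """Split one resource name into task, pid, sequence number and address range."""
    m = _RES.match(resource)
    if not m:
        raise ValueError(f"unrecognised resource name: {resource}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {resource}")
    return {
        "task": m["task"], "pid": int(m["pid"]), "seq": int(m["seq"]),
        "start": start, "end": end, "size": end - start, "rule": rule,
    }


def summarize(hits):
    """Group hits by (rule, pid) and collapse repeated dumps of one region.

    Returns {(rule, pid): [(start, end, size, dump_count), ...]} sorted by
    address, so that many hits on one region read as one region hit n times.
    """
    regions = defaultdict(lambda: defaultdict(int))
    for resource, rule in hits:
        h = parse_hit(resource, rule)
        regions[(h["rule"], h["pid"])][(h["start"], h["end"])] += 1
    return {
        key: sorted((s, e, e - s, n) for (s, e), n in ranges.items())
        for key, ranges in regions.items()
    }


def pids_for_rule(summary, rule):
    """PIDs in which a given rule matched, e.g. which process hosts RedLine."""
    return sorted(pid for (r, pid) in summary if r == rule)


if __name__ == "__main__":
    for (rule, pid), regions in sorted(summarize(HITS).items()):
        print(f"{rule:15s} pid {pid}")
        for start, end, size, n in regions:
            print(f"  0x{start:08X}-0x{end:08X}  {size:#8x} bytes  x{n}")
```

Feed it the full lists from the report and the output is one line per distinct region per family, which is what you need when deciding which dump to carve a configuration or payload from.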
Executes dropped EXE (3 IoCs)

pid | Process
4980 | un176650.exe
4768 | pr620006.exe
4688 | qu365558.exe

Windows security modification (2 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr620006.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr620006.exe
Adds Run key to start application (2 TTPs, 2 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"" | 643b209adc13c65bde61d0f89aea1b8a108e856521b0cdc989e96337dfc47e74.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"" | un176650.exe

Caveat: both values are the RunOnce cleanup entries that a WEXTRACT (IExpress) self-extracting executable writes so that its IXP00n.TMP extraction directory is deleted (advpack.dll DelNodeRunDLL32) at the next logon. They remove the dropped files; they do not start anything of the sample's. The sample and un176650.exe are therefore nested self-extractors, which matches the extraction paths in the process tree (un176650.exe under IXP000.TMP, pr620006.exe and qu365558.exe under IXP001.TMP). Do not read persistence into this signature on its own.
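The three registry signatures above (Defender real-time protection policies set to 1, TamperProtection set to 0, and the RunOnce cleanup values) are the kind of thing a detection engineer turns into rules over Sysmon Event ID 13 (RegistryEvent: value set). The Python below is an added example, not part of the sandbox report or of any vendor's rule set. It classifies value-set records using Sysmon's real field names (Image, TargetObject, Details) and Sysmon's "DWORD (0x00000001)" rendering, normalises the WOW6432Node path so a 32-bit writer like pr620006.exe and a 64-bit writer hit the same rule, and separates genuine Run/RunOnce autostart entries from the wextract_cleanup pattern. EVENTS is constructed to mirror the writes in this report plus two unrelated events for contrast; the mapping of \REGISTRY\MACHINE to HKLM is the example's own assumption about how a given source spells the hive root.

```python
import re

# Constructed Sysmon-style Event ID 13 records mirroring this report's writes,
# plus two unrelated events for contrast. Not sandbox output.
def _ev(image, target, details):
    return {"Image": image, "TargetObject": target, "Details": details}

PR = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr620006.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\643b209adc13c65bde61d0f89aea1b8a108e856521b0cdc989e96337dfc47e74.exe"
RT = r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
EVENTS = [
    # first record uses the native \REGISTRY\MACHINE spelling the sandbox prints
    _ev(PR, r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender"
            r"\Real-Time Protection\DisableRealtimeMonitoring", "DWORD (0x00000001)"),
    _ev(PR, RT + r"\DisableScanOnRealtimeEnable", "DWORD (0x00000001)"),
    _ev(PR, RT + r"\DisableBehaviorMonitoring", "DWORD (0x00000001)"),
    _ev(PR, RT + r"\DisableIOAVProtection", "DWORD (0x00000001)"),
    _ev(PR, RT + r"\DisableOnAccessProtection", "DWORD (0x00000001)"),
    _ev(PR, r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
        "DWORD (0x00000000)"),
    _ev(SAMPLE, r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
        r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'),
    # constructed contrast cases, not from the report: a real autostart entry and a harmless DWORD
    _ev(r"C:\Users\Admin\AppData\Roaming\updater.exe",
        r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
        r"C:\Users\Admin\AppData\Roaming\updater.exe"),
    _ev(r"C:\Windows\explorer.exe",
        r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", "DWORD (0x00000002)"),
]

RT_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RT_DISABLE_VALUES = {"DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
                     "DisableIOAVProtection", "DisableOnAccessProtection",
                     "DisableScanOnRealtimeEnable"}
TP_VALUE = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"
AUTORUN_SUFFIXES = (r"\currentversion\run", r"\currentversion\runonce")
# WEXTRACT/IExpress cleanup: rundll32 advpack.dll,DelNodeRunDLL32 "<...>\IXPnnn.TMP\"
SFX_CLEANUP = re.compile(
    r'^rundll32\.exe .*advpack\.dll,DelNodeRunDLL32 "[^"]*\\IXP\d{3}\.TMP\\"$', re.IGNORECASE)
_DWORD = re.compile(r"^DWORD \(0x([0-9A-Fa-f]{8})\)$")


def normalize_path(target):
    """Map the native hive root to HKLM/HKU (assumed spelling) and drop the
    WOW6432Node component so 32-bit and 64-bit writers match the same rule."""
    t = target.replace("\\REGISTRY\\MACHINE\\", "HKLM\\").replace("\\REGISTRY\\USER\\", "HKU\\")
    return t.replace("\\WOW6432Node\\", "\\")


def dword(details):
    """Integer value of a Sysmon 'DWORD (0x........)' rendering, else None."""
    m = _DWORD.match(details)
    return int(m.group(1), 16) if m else None


def classify(event):
    """Label one value-set event, or return None if no rule applies."""
    path = normalize_path(event["TargetObject"])
    key, _, value = path.rpartition("\\")
    data = event["Details"]
    if key.casefold() == RT_POLICY_KEY.casefold() and value in RT_DISABLE_VALUES and dword(data) == 1:
        return "defender_realtime_disabled"
    if path.casefold() == TP_VALUE.casefold() and dword(data) == 0:
        return "tamper_protection_disabled"
    if key.casefold().endswith(AUTORUN_SUFFIXES):
        if value.casefold().startswith("wextract_cleanup") and SFX_CLEANUP.match(data):
            return "sfx_cleanup"            # informational: deletes files, starts nothing
        return "autostart_entry"
    return None


def triage(events):
    """[(label, writer image basename, value name)] for every event that matched a rule."""
    out = []
    for ev in events:
        label = classify(ev)
        if label:
            out.append((label, ev["Image"].rsplit("\\", 1)[-1],
                        normalize_path(ev["TargetObject"]).rsplit("\\", 1)[-1]))
    return out


def defender_tampering_images(events):
    """Distinct writer images that disabled Defender real-time protection or Tamper Protection."""
    return sorted({img for label, img, _ in triage(events)
                   if label in ("defender_realtime_disabled", "tamper_protection_disabled")})


if __name__ == "__main__":
    for label, image, value in triage(EVENTS):
        print(f"{label:28s} {image:14s} {value}")
```

On a real Sysmon feed the only fields read are Image, TargetObject and Details, so the same functions apply to parsed EVTX or to a SIEM export. The WOW6432Node normalisation is what keeps the rule from being bypassed by choosing the bitness of the writer.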
Program crash (1 IoC)

pid | pid_target | Process | procid_target
3600 | 4768 | WerFault.exe | 84

pid_target 4768 is pr620006.exe, the process that matches the Healer rule and writes the Defender policy values above; the -s 1080 in its WerFault command line (process tree below) is the crash-reporting handle the 32-bit WerFault.exe was given for it.
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 643b209adc13c65bde61d0f89aea1b8a108e856521b0cdc989e96337dfc47e74.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un176650.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pr620006.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu365558.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)

pid | Process
4768 | pr620006.exe
4768 | pr620006.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)

description | pid | Process
Token: SeDebugPrivilege | 4768 | pr620006.exe
Token: SeDebugPrivilege | 4688 | qu365558.exe

Suspicious use of WriteProcessMemory (9 IoCs)

description | pid | Process | procid_target
PID 2720 wrote to memory of 4980 | 2720 | 643b209adc13c65bde61d0f89aea1b8a108e856521b0cdc989e96337dfc47e74.exe | 83
PID 2720 wrote to memory of 4980 | 2720 | 643b209adc13c65bde61d0f89aea1b8a108e856521b0cdc989e96337dfc47e74.exe | 83
PID 2720 wrote to memory of 4980 | 2720 | 643b209adc13c65bde61d0f89aea1b8a108e856521b0cdc989e96337dfc47e74.exe | 83
PID 4980 wrote to memory of 4768 | 4980 | un176650.exe | 84
PID 4980 wrote to memory of 4768 | 4980 | un176650.exe | 84
PID 4980 wrote to memory of 4768 | 4980 | un176650.exe | 84
PID 4980 wrote to memory of 4688 | 4980 | un176650.exe | 100
PID 4980 wrote to memory of 4688 | 4980 | un176650.exe | 100
PID 4980 wrote to memory of 4688 | 4980 | un176650.exe | 100
Processes

C:\Users\Admin\AppData\Local\Temp\643b209adc13c65bde61d0f89aea1b8a108e856521b0cdc989e96337dfc47e74.exe
  "C:\Users\Admin\AppData\Local\Temp\643b209adc13c65bde61d0f89aea1b8a108e856521b0cdc989e96337dfc47e74.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2720

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un176650.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un176650.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4980

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr620006.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr620006.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4768

      C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 1080
        - Program crash
        PID: 3600

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu365558.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu365558.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 4688

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4768 -ip 4768
  PID: 2336
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)

The Registry Run Keys / Startup Folder entry is derived from the two wextract_cleanup RunOnce values listed under "Adds Run key to start application" above, which are self-extractor cleanup entries rather than an autostart of the payload.
Downloads

Filesize: 552KB
MD5: 3f1555f14a7544362c9cebe9a6f0999e
SHA1: d15f8407d5878c8bef56cb46f0cdd0e33c57f7c0
SHA256: db449a0af5f5b4dfff3d7b1591bac9ec74d75594a8b47669e2279c7044924bba
SHA512: 82c8e5e6311935933347a9f59bb55091f68b809eb204d21be9d98d2dfb0045fa483b57e628e8e31cc0270dd3d908fe451d778a430a622597c3d878ad8a1403c6

Filesize: 279KB
MD5: 98aef32dab7969320808caf0ae19a50f
SHA1: ba783cddb43fe829c1066f6acc468b7e51908086
SHA256: 4edb67a493dc851d73c61bd8082c36859b38bd3bd68d85b47e4d05637ab6916b
SHA512: e93a39df8ec37a68416d6876b8793194cddcad64be55e633db7cdd58b744b301336cfb357c8d6a6434b838c387072d22b7eb218f6064c896a0707c6da9aafc17

Filesize: 362KB
MD5: 35bcbe71e732d0437e5720d2230c3a66
SHA1: 4f34d3b33dc0434757ecb93cede85fe780f5dbb3
SHA256: fc19f709145507089c0ae8663c1df9a972d56536cdf2cedf65cb2106addbc3d8
SHA512: 2997a8bbb4a0192f999102053e7f9dab89f8a0cbfa30e6232fffec60d4c0ab9178e986592bfe4e74960d43eb96938be5a321f71810053f81f93563933341eae2