Analysis
max time kernel: 113s
max time network: 115s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/11/2024, 03:05
Static task: static1
Behavioral task: behavioral1
Sample: 971d0830fabe90b715379e23601a677d712294dd25fd4ac4bcb377e6941f0a56N.exe
Resource: win10v2004-20241007-en
General
Target: 971d0830fabe90b715379e23601a677d712294dd25fd4ac4bcb377e6941f0a56N.exe
Size: 592KB
MD5: e50fb0c2365432a431fcd419e515cba0
SHA1: 96edb5cfbaabc9aaccb30bc94ae3ac110f9c7aff
SHA256: 971d0830fabe90b715379e23601a677d712294dd25fd4ac4bcb377e6941f0a56
SHA512: 86154ced8c5ea643a0025fce073d8d568ce0a54f6b643febb06fa40d0f4a13d6717f2f30840b59d1f505c6c522ce64a165d524795aed47721ac240640831328d
SSDEEP: 12288:qy90mc1lBHnlTwbsV2nm9Pbiaj01D8Ni51BdVWiimq99JQBtCXs+lPJ:qyxasbsV2nmxiaIJ8AdwiMwCXflPJ
Malware Config
Signatures

Detects Healer, an antivirus disabler dropper 17 IoCs
resource | yara_rule
behavioral1/memory/1452-12-0x0000000002520000-0x000000000253A000-memory.dmp | healer
behavioral1/memory/1452-14-0x0000000002980000-0x0000000002998000-memory.dmp | healer
behavioral1/memory/1452-42-0x0000000002980000-0x0000000002992000-memory.dmp | healer
behavioral1/memory/1452-40-0x0000000002980000-0x0000000002992000-memory.dmp | healer
behavioral1/memory/1452-38-0x0000000002980000-0x0000000002992000-memory.dmp | healer
behavioral1/memory/1452-36-0x0000000002980000-0x0000000002992000-memory.dmp | healer
behavioral1/memory/1452-34-0x0000000002980000-0x0000000002992000-memory.dmp | healer
behavioral1/memory/1452-32-0x0000000002980000-0x0000000002992000-memory.dmp | healer
behavioral1/memory/1452-30-0x0000000002980000-0x0000000002992000-memory.dmp | healer
behavioral1/memory/1452-28-0x0000000002980000-0x0000000002992000-memory.dmp | healer
behavioral1/memory/1452-26-0x0000000002980000-0x0000000002992000-memory.dmp | healer
behavioral1/memory/1452-24-0x0000000002980000-0x0000000002992000-memory.dmp | healer
behavioral1/memory/1452-22-0x0000000002980000-0x0000000002992000-memory.dmp | healer
behavioral1/memory/1452-20-0x0000000002980000-0x0000000002992000-memory.dmp | healer
behavioral1/memory/1452-18-0x0000000002980000-0x0000000002992000-memory.dmp | healer
behavioral1/memory/1452-16-0x0000000002980000-0x0000000002992000-memory.dmp | healer
behavioral1/memory/1452-15-0x0000000002980000-0x0000000002992000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 48443934.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 48443934.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 48443934.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 48443934.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 48443934.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 48443934.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 20 IoCs
resource | yara_rule
behavioral1/memory/748-56-0x0000000004E10000-0x0000000004E4A000-memory.dmp | family_redline
behavioral1/memory/748-54-0x0000000002600000-0x000000000263C000-memory.dmp | family_redline
behavioral1/memory/748-90-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
behavioral1/memory/748-88-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
behavioral1/memory/748-86-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
behavioral1/memory/748-84-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
behavioral1/memory/748-82-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
behavioral1/memory/748-80-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
behavioral1/memory/748-78-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
behavioral1/memory/748-76-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
behavioral1/memory/748-74-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
behavioral1/memory/748-72-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
behavioral1/memory/748-70-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
behavioral1/memory/748-68-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
behavioral1/memory/748-66-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
behavioral1/memory/748-64-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
behavioral1/memory/748-62-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
behavioral1/memory/748-60-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
behavioral1/memory/748-58-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
behavioral1/memory/748-57-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline

Redline family
Executes dropped EXE 2 IoCs
pid | Process
1452 | 48443934.exe
748 | rk597443.exe

Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 48443934.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 48443934.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 971d0830fabe90b715379e23601a677d712294dd25fd4ac4bcb377e6941f0a56N.exe

Program crash 1 IoCs
pid | pid_target | Process | procid_target
3784 | 1452 | WerFault.exe | 84
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 971d0830fabe90b715379e23601a677d712294dd25fd4ac4bcb377e6941f0a56N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 48443934.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rk597443.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1452 | 48443934.exe
1452 | 48443934.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1452 | 48443934.exe
Token: SeDebugPrivilege | 748 | rk597443.exe

Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 3204 wrote to memory of 1452 | 3204 | 971d0830fabe90b715379e23601a677d712294dd25fd4ac4bcb377e6941f0a56N.exe | 84
PID 3204 wrote to memory of 1452 | 3204 | 971d0830fabe90b715379e23601a677d712294dd25fd4ac4bcb377e6941f0a56N.exe | 84
PID 3204 wrote to memory of 1452 | 3204 | 971d0830fabe90b715379e23601a677d712294dd25fd4ac4bcb377e6941f0a56N.exe | 84
PID 3204 wrote to memory of 748 | 3204 | 971d0830fabe90b715379e23601a677d712294dd25fd4ac4bcb377e6941f0a56N.exe | 94
PID 3204 wrote to memory of 748 | 3204 | 971d0830fabe90b715379e23601a677d712294dd25fd4ac4bcb377e6941f0a56N.exe | 94
PID 3204 wrote to memory of 748 | 3204 | 971d0830fabe90b715379e23601a677d712294dd25fd4ac4bcb377e6941f0a56N.exe | 94
Processes
Path: C:\Users\Admin\AppData\Local\Temp\971d0830fabe90b715379e23601a677d712294dd25fd4ac4bcb377e6941f0a56N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\971d0830fabe90b715379e23601a677d712294dd25fd4ac4bcb377e6941f0a56N.exe"
PID: 3204
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

    Path: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\48443934.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\48443934.exe
    PID: 1452
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

        Path: C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 1080
        PID: 3784
        - Program crash

    Path: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rk597443.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rk597443.exe
    PID: 748
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

Path: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1452 -ip 1452
PID: 5028
Network
MITRE ATT&CK Enterprise v15
Persistence
    Boot or Logon Autostart Execution (1)
        Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (1)
        Windows Service (1)
Downloads

Filesize: 376KB
MD5: 21f5ad9bd10b8e837562b0d7073166da
SHA1: 543050be2b85d33e5111ad2de4f120c57764c0ef
SHA256: 51c4b80e9d6f3f43307978c50f5ea560c13117d242ef75c65b35e09b09d32135
SHA512: 9546220e8050f33ab3ac6c78786c780bcbe2fd8eb7fbf470faf59d356a13eec76d3ef3ca95c63994c39d760de463b859e23841260818db225c495f9f39d79519

Filesize: 459KB
MD5: f425ee4a48c070c5ca905260f1ac4d96
SHA1: 75d127f195cdedff62137d586ee000f72c2b5f1e
SHA256: 223c46824efbdf487ef317b719c78eb0b6a5cc25194bec4370ec5a322441fa91
SHA512: 5d4a64f3c2b2f8969db17a59a25c39d995d11bd0416a25ae8ce245f9d636e44841f1e28c67ed5565565651368fabc55b7c7b25e0dfbfd4ddf35c81dfb12bdfe3