Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
10/11/2024, 03:24
Static task
static1
Behavioral task
behavioral1
Sample
974179c039d9a6147125e32791453a673f59bab9c78b1c45b947428c4bcbcb3d.exe
Resource
win10v2004-20241007-en
General
-
Target
974179c039d9a6147125e32791453a673f59bab9c78b1c45b947428c4bcbcb3d.exe
-
Size
696KB
-
MD5
309939e34ce44f7680958a7409f6dccb
-
SHA1
123a643a3d8c6ae1c006752f1ec7beb0b5a6d5d1
-
SHA256
974179c039d9a6147125e32791453a673f59bab9c78b1c45b947428c4bcbcb3d
-
SHA512
832451b327586d6bd38ca4945a49cf053804eba5f5b8c743b24f9cca2b5c28b7bd135553b67ff48742fa891e89f4768be4736958a5d9112cc7066c05ae2f5d3f
-
SSDEEP
12288:4y90CuuZk6QiE8ztYjrwBSlDTPni5SOv4Kc/mKYKDShBzEFTn1tsudVJrfRSB2Y:4yXuT6QiEKyjCSlPi5SOvdcloSRuuk
Malware Config
Signatures
-
Detects Healer, an antivirus disabler dropper 17 IoCs
resource | yara_rule
behavioral1/memory/4028-18-0x0000000004BC0000-0x0000000004BDA000-memory.dmp | healer
behavioral1/memory/4028-20-0x0000000007140000-0x0000000007158000-memory.dmp | healer
behavioral1/memory/4028-48-0x0000000007140000-0x0000000007152000-memory.dmp | healer
behavioral1/memory/4028-46-0x0000000007140000-0x0000000007152000-memory.dmp | healer
behavioral1/memory/4028-44-0x0000000007140000-0x0000000007152000-memory.dmp | healer
behavioral1/memory/4028-42-0x0000000007140000-0x0000000007152000-memory.dmp | healer
behavioral1/memory/4028-40-0x0000000007140000-0x0000000007152000-memory.dmp | healer
behavioral1/memory/4028-38-0x0000000007140000-0x0000000007152000-memory.dmp | healer
behavioral1/memory/4028-36-0x0000000007140000-0x0000000007152000-memory.dmp | healer
behavioral1/memory/4028-34-0x0000000007140000-0x0000000007152000-memory.dmp | healer
behavioral1/memory/4028-32-0x0000000007140000-0x0000000007152000-memory.dmp | healer
behavioral1/memory/4028-30-0x0000000007140000-0x0000000007152000-memory.dmp | healer
behavioral1/memory/4028-28-0x0000000007140000-0x0000000007152000-memory.dmp | healer
behavioral1/memory/4028-26-0x0000000007140000-0x0000000007152000-memory.dmp | healer
behavioral1/memory/4028-24-0x0000000007140000-0x0000000007152000-memory.dmp | healer
behavioral1/memory/4028-22-0x0000000007140000-0x0000000007152000-memory.dmp | healer
behavioral1/memory/4028-21-0x0000000007140000-0x0000000007152000-memory.dmp | healer
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr037066.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr037066.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr037066.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr037066.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr037066.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr037066.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource | yara_rule
behavioral1/memory/4896-60-0x00000000049A0000-0x00000000049DC000-memory.dmp | family_redline
behavioral1/memory/4896-61-0x0000000004C50000-0x0000000004C8A000-memory.dmp | family_redline
behavioral1/memory/4896-65-0x0000000004C50000-0x0000000004C85000-memory.dmp | family_redline
behavioral1/memory/4896-71-0x0000000004C50000-0x0000000004C85000-memory.dmp | family_redline
behavioral1/memory/4896-95-0x0000000004C50000-0x0000000004C85000-memory.dmp | family_redline
behavioral1/memory/4896-93-0x0000000004C50000-0x0000000004C85000-memory.dmp | family_redline
behavioral1/memory/4896-91-0x0000000004C50000-0x0000000004C85000-memory.dmp | family_redline
behavioral1/memory/4896-89-0x0000000004C50000-0x0000000004C85000-memory.dmp | family_redline
behavioral1/memory/4896-87-0x0000000004C50000-0x0000000004C85000-memory.dmp | family_redline
behavioral1/memory/4896-85-0x0000000004C50000-0x0000000004C85000-memory.dmp | family_redline
behavioral1/memory/4896-83-0x0000000004C50000-0x0000000004C85000-memory.dmp | family_redline
behavioral1/memory/4896-81-0x0000000004C50000-0x0000000004C85000-memory.dmp | family_redline
behavioral1/memory/4896-79-0x0000000004C50000-0x0000000004C85000-memory.dmp | family_redline
behavioral1/memory/4896-77-0x0000000004C50000-0x0000000004C85000-memory.dmp | family_redline
behavioral1/memory/4896-75-0x0000000004C50000-0x0000000004C85000-memory.dmp | family_redline
behavioral1/memory/4896-73-0x0000000004C50000-0x0000000004C85000-memory.dmp | family_redline
behavioral1/memory/4896-69-0x0000000004C50000-0x0000000004C85000-memory.dmp | family_redline
behavioral1/memory/4896-67-0x0000000004C50000-0x0000000004C85000-memory.dmp | family_redline
behavioral1/memory/4896-63-0x0000000004C50000-0x0000000004C85000-memory.dmp | family_redline
behavioral1/memory/4896-62-0x0000000004C50000-0x0000000004C85000-memory.dmp | family_redline
-
Redline family
-
Executes dropped EXE 3 IoCs
pid | Process
3104 | un772521.exe
4028 | pr037066.exe
4896 | qu521123.exe
-
Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr037066.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr037066.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 974179c039d9a6147125e32791453a673f59bab9c78b1c45b947428c4bcbcb3d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un772521.exe
-
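The Defender policy writes, the TamperProtection write and the two RunOnce entries recorded for this sample are the registry events a detection rule should key on. The Python below is an added example, not part of this report and not the sandbox's own signature logic: it parses event lines in the report's "description ioc Process" layout, normalises the kernel registry path (folding away the WOW6432Node hop that the 32-bit sample writes through, so the same rules would fire for a 64-bit variant writing the native path), and applies three hypothetical rules named here for illustration. The sample events are the report's own lines plus two constructed ones attributed to a made-up installer.exe that must not alert.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Registry event lines in the report's "description ioc Process" layout.
# All but the last two are copied from the report (pr037066.exe and the two
# wextract stages); the last two are constructed so the rules can be seen
# ignoring an ordinary Run value and a read-only key open.
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pr037066.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pr037066.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pr037066.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pr037066.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pr037066.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pr037066.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pr037066.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pr037066.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 974179c039d9a6147125e32791453a673f59bab9c78b1c45b947428c4bcbcb3d.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un772521.exe',
    # constructed: a plain Run value and a key open, neither should alert
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Program Files\\Vendor\\updater.exe" installer.exe',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language installer.exe',
]

# "Set value (<type>) <path> = "<data>" <process>"; the data may itself contain
# escaped quotes (the RunOnce lines do), so the greedy group backtracks to the
# last quote that precedes the whitespace-free process name.
SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')
KEY_OP_RE = re.compile(r'^Key (created|opened) (.+) (\S+)$')

MACHINE_PREFIX = "\\REGISTRY\\MACHINE\\"
USER_PREFIX = "\\REGISTRY\\USER\\"

# Hypothetical rule constants (lower-cased, normalised HKLM form).
RTP_POLICY_KEY = "hklm\\software\\policies\\microsoft\\windows defender\\real-time protection"
RTP_DISABLE_VALUES = {
    "disablerealtimemonitoring", "disablebehaviormonitoring",
    "disableioavprotection", "disableonaccessprotection",
    "disablescanonrealtimeenable",
}
FEATURES_KEY = "hklm\\software\\microsoft\\windows defender\\features"


@dataclass(frozen=True)
class RegEvent:
    op: str       # "Set value", "Key created" or "Key opened"
    path: str     # kernel object path exactly as the sandbox logged it
    value: str    # data written; empty for key operations
    process: str  # image name of the acting process


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    detail: str


def parse_events(lines):
    """Parse report lines into RegEvent records; lines in neither layout are skipped."""
    events = []
    for line in lines:
        m = SET_VALUE_RE.match(line)
        if m:
            events.append(RegEvent("Set value", m.group(2), m.group(3), m.group(4)))
            continue
        m = KEY_OP_RE.match(line)
        if m:
            events.append(RegEvent("Key " + m.group(1), m.group(2), "", m.group(3)))
    return events


def normalize_key(path):
    # Map the kernel object path to HKLM/HKU form and fold away the WOW6432Node
    # redirection hop, so a 32-bit and a 64-bit writer hit the same rule.
    if path.upper().startswith(MACHINE_PREFIX):
        path = "HKLM\\" + path[len(MACHINE_PREFIX):]
    elif path.upper().startswith(USER_PREFIX):
        path = "HKU\\" + path[len(USER_PREFIX):]
    return re.sub(r"(?i)\\WOW6432Node\\", r"\\", path)


def evaluate(events):
    """Apply the three rules and return one Finding per matching write."""
    findings = []
    for ev in events:
        if ev.op != "Set value":
            continue  # creating or opening a key alone is not alerted on here
        parent, _, name = normalize_key(ev.path).rpartition("\\")
        parent, name = parent.lower(), name.lower()
        if parent == RTP_POLICY_KEY and name in RTP_DISABLE_VALUES and ev.value == "1":
            findings.append(Finding("defender_rtp_policy_disable", ev.process, name + "=1"))
        elif parent == FEATURES_KEY and name == "tamperprotection" and ev.value == "0":
            findings.append(Finding("defender_tamper_protection_off", ev.process, "TamperProtection=0"))
        elif (parent.endswith("\\currentversion\\runonce")
              and name.startswith("wextract_cleanup")
              and "delnoderundll32" in ev.value.lower()):
            findings.append(Finding("wextract_cleanup_runonce", ev.process, ev.value))
    return findings


def summarize(findings):
    """Per-process rule counts, the view an analyst wants next to the process tree."""
    summary = defaultdict(Counter)
    for f in findings:
        summary[f.process][f.rule] += 1
    return summary


if __name__ == "__main__":
    for proc, counts in summarize(evaluate(parse_events(SAMPLE_EVENTS))).items():
        print(proc, dict(counts))
```

Two caveats a practitioner should attach to these findings. The sandbox records that the writes happened, not that Defender honoured them: on a host with Tamper Protection enabled, changes made to these settings through the registry are ignored, so a hit means "attempted to disable", not "disabled". And the RunOnce entries are the standard self-cleanup of a Win32 cabinet self-extractor (wextract): the IXP000.TMP/IXP001.TMP folders plus rundll32 advpack.dll,DelNodeRunDLL32 delete the extraction folder at next logon and start nothing, so the outer two stages of this sample are nested SFX wrappers around Healer and RedLine rather than a Run-key persistence mechanism; the rule tags them as a dropper fingerprint, not as persistence.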
Program crash 1 IoCs
pid | pid_target | Process | procid_target
3504 | 4028 | WerFault.exe | 84
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu521123.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 974179c039d9a6147125e32791453a673f59bab9c78b1c45b947428c4bcbcb3d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un772521.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pr037066.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
4028 | pr037066.exe
4028 | pr037066.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4028 | pr037066.exe
Token: SeDebugPrivilege | 4896 | qu521123.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 1168 wrote to memory of 3104 | 1168 | 974179c039d9a6147125e32791453a673f59bab9c78b1c45b947428c4bcbcb3d.exe | 83
PID 1168 wrote to memory of 3104 | 1168 | 974179c039d9a6147125e32791453a673f59bab9c78b1c45b947428c4bcbcb3d.exe | 83
PID 1168 wrote to memory of 3104 | 1168 | 974179c039d9a6147125e32791453a673f59bab9c78b1c45b947428c4bcbcb3d.exe | 83
PID 3104 wrote to memory of 4028 | 3104 | un772521.exe | 84
PID 3104 wrote to memory of 4028 | 3104 | un772521.exe | 84
PID 3104 wrote to memory of 4028 | 3104 | un772521.exe | 84
PID 3104 wrote to memory of 4896 | 3104 | un772521.exe | 96
PID 3104 wrote to memory of 4896 | 3104 | un772521.exe | 96
PID 3104 wrote to memory of 4896 | 3104 | un772521.exe | 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\974179c039d9a6147125e32791453a673f59bab9c78b1c45b947428c4bcbcb3d.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\974179c039d9a6147125e32791453a673f59bab9c78b1c45b947428c4bcbcb3d.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1168
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un772521.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un772521.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3104
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr037066.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr037066.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4028
      C:\Windows\SysWOW64\WerFault.exe (depth 4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 1080
        - Program crash
        PID: 3504
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu521123.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu521123.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 4896
C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4028 -ip 4028
  PID: 1832
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
-
Filesize
542KB
MD5
9cb1dc8eeb51c4c3c61928fa213c6714
SHA1
e8a5f3322602134620f2163cd04772f4833cbe92
SHA256
20296bc2f11ee9ce322e6e7b95b1704b01072c749e90bfc3484103bd25eea075
SHA512
6ac495114c86a1d2c2e7fb43c1666d1be0e4c07cdb78bc2ae0ea9b4d9296f9a12e1f24421040c8333506dc1ff1316f3f2664d31913efe24a8103004a598ec7a2
-
Filesize
270KB
MD5
e5c05386cf2ef6075305fe1d8e7a1386
SHA1
9c63ceae8cd9e9af73adea42486291274b0763af
SHA256
40ff2407e0d3739c4d1f064d89259fe6ce3cbd7c9ed1c55ee19ca96fec72f6a9
SHA512
7995b17e885e474a1a311979d3537c77910c221614d703bb662f6a85fc833b33d32645f739c50b4ed51339204f17d03e98e94f360532b2e7d94a8becc22923c3
-
Filesize
353KB
MD5
ced15185bcc6faf420bdfc9a9c9ea18a
SHA1
ad48d31755274793d18af6bc838b4e5fdcda2a95
SHA256
c0bce2281a8f3a6525dced113ea08876e26a9e282d49db3cbf83403930658fd4
SHA512
59d0a7d429eac1a7f5b4cfe8fd0955e84b0f03f71c680e83d596f7794a6cc8831e5307c3089f2fe93fcf95cc5cf6361312ecd93b92ad31a63590c001aacc30f1