Analysis

max time kernel: 142s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 06:55

Static task: static1
Behavioral task: behavioral1
Sample: 4f7441df9e3ed28811914e4b41dd124f9effd8f9caba190ed7e8a1dd34f9e7c3.exe
Resource: win10v2004-20241007-en
General

Target: 4f7441df9e3ed28811914e4b41dd124f9effd8f9caba190ed7e8a1dd34f9e7c3.exe
Size: 690KB
MD5: 1ff58e7dca01b61354749d536409e62c
SHA1: 8e91157354d2542906611179bbd5a03b789ab586
SHA256: 4f7441df9e3ed28811914e4b41dd124f9effd8f9caba190ed7e8a1dd34f9e7c3
SHA512: eb9427ef72202b7e19e849226c2a8cd2f452ae62d41a9972fb97e634ab88c0c8b4500d2d2a98674054ebfed40483938579d9f8ffdf8834e046c687fcd02afab5
SSDEEP: 12288:iy90Fch38SE7zdT4hakjFX0Rn7NQpvNXCl0O4W2zmXNv76Oear:iyVhMSQGLjFX6OXCn2ziNThr
Malware Config
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource  yara_rule
behavioral1/memory/4064-19-0x0000000002450000-0x000000000246A000-memory.dmp  healer
behavioral1/memory/4064-21-0x0000000004B30000-0x0000000004B48000-memory.dmp  healer
behavioral1/memory/4064-41-0x0000000004B30000-0x0000000004B43000-memory.dmp  healer
behavioral1/memory/4064-37-0x0000000004B30000-0x0000000004B43000-memory.dmp  healer
behavioral1/memory/4064-49-0x0000000004B30000-0x0000000004B43000-memory.dmp  healer
behavioral1/memory/4064-47-0x0000000004B30000-0x0000000004B43000-memory.dmp  healer
behavioral1/memory/4064-45-0x0000000004B30000-0x0000000004B43000-memory.dmp  healer
behavioral1/memory/4064-43-0x0000000004B30000-0x0000000004B43000-memory.dmp  healer
behavioral1/memory/4064-35-0x0000000004B30000-0x0000000004B43000-memory.dmp  healer
behavioral1/memory/4064-33-0x0000000004B30000-0x0000000004B43000-memory.dmp  healer
behavioral1/memory/4064-31-0x0000000004B30000-0x0000000004B43000-memory.dmp  healer
behavioral1/memory/4064-29-0x0000000004B30000-0x0000000004B43000-memory.dmp  healer
behavioral1/memory/4064-27-0x0000000004B30000-0x0000000004B43000-memory.dmp  healer
behavioral1/memory/4064-25-0x0000000004B30000-0x0000000004B43000-memory.dmp  healer
behavioral1/memory/4064-23-0x0000000004B30000-0x0000000004B43000-memory.dmp  healer
behavioral1/memory/4064-39-0x0000000004B30000-0x0000000004B43000-memory.dmp  healer
behavioral1/memory/4064-22-0x0000000004B30000-0x0000000004B43000-memory.dmp  healer
Healer family

Modifies Windows Defender Real-time Protection settings 6 IoCs
description      ioc  process
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  46441296.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  46441296.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  46441296.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  46441296.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  46441296.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  46441296.exe

All five values are the documented Defender policy switches for real-time protection, written by the dropped 46441296.exe. The paths are shown in the WOW6432Node (32-bit) registry view, consistent with 46441296.exe being a 32-bit process (its later crash is handled by C:\Windows\SysWOW64\WerFault.exe); the report records the writes but does not show whether Defender on the sandbox image honoured them.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource  yara_rule
behavioral1/memory/2932-60-0x0000000002390000-0x00000000023CC000-memory.dmp  family_redline
behavioral1/memory/2932-61-0x0000000004A60000-0x0000000004A9A000-memory.dmp  family_redline
behavioral1/memory/2932-71-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
behavioral1/memory/2932-69-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
behavioral1/memory/2932-93-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
behavioral1/memory/2932-67-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
behavioral1/memory/2932-65-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
behavioral1/memory/2932-63-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
behavioral1/memory/2932-62-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
behavioral1/memory/2932-95-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
behavioral1/memory/2932-91-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
behavioral1/memory/2932-89-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
behavioral1/memory/2932-87-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
behavioral1/memory/2932-85-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
behavioral1/memory/2932-84-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
behavioral1/memory/2932-81-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
behavioral1/memory/2932-79-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
behavioral1/memory/2932-77-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
behavioral1/memory/2932-75-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
behavioral1/memory/2932-73-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
Redline family
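The Healer and RedLine YARA tables above list one row per memory snapshot, so a single unpacked region shows up as many near-identical IoCs (16 of the 17 Healer rows are the same 0x4B30000 region of PID 4064, and 19 of the 20 RedLine rows the same 0x4A60000 region of PID 2932). The Python below is an added example, not part of the report or of any sandbox vendor's tooling: it parses resource strings of exactly that form and merges overlapping dump ranges per (pid, rule) into distinct regions, which is the view an analyst wants when choosing which dump to carve the unpacked payload from. The input is a constructed subset of the rows above; the function and field names are my own.

```python
import re
from collections import defaultdict

# Constructed input: a representative subset of the memory-dump hits from
# this report's "Detects Healer" and "RedLine payload" tables.
HITS = """
behavioral1/memory/4064-19-0x0000000002450000-0x000000000246A000-memory.dmp healer
behavioral1/memory/4064-21-0x0000000004B30000-0x0000000004B48000-memory.dmp healer
behavioral1/memory/4064-22-0x0000000004B30000-0x0000000004B43000-memory.dmp healer
behavioral1/memory/4064-23-0x0000000004B30000-0x0000000004B43000-memory.dmp healer
behavioral1/memory/4064-49-0x0000000004B30000-0x0000000004B43000-memory.dmp healer
behavioral1/memory/2932-60-0x0000000002390000-0x00000000023CC000-memory.dmp family_redline
behavioral1/memory/2932-61-0x0000000004A60000-0x0000000004A9A000-memory.dmp family_redline
behavioral1/memory/2932-62-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline
behavioral1/memory/2932-95-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline
"""

# <task>/memory/<pid>-<snapshot seq>-0x<start>-0x<end>-memory.dmp <rule>
HIT_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)


def parse_hits(text):
    """Turn each 'resource yara_rule' row into a dict; reject anything unexpected."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HIT_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised hit line: {line!r}")
        hits.append({
            "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": int(m["start"], 16), "end": int(m["end"], 16),
            "rule": m["rule"],
        })
    return hits


def group_regions(hits):
    """Merge overlapping dump ranges per (pid, rule) into distinct memory regions.

    Returns {(pid, rule): [region, ...]}, regions ordered by start address, each
    carrying its merged extent, how many snapshots hit it, and the seq span.
    """
    by_key = defaultdict(list)
    for h in hits:
        by_key[(h["pid"], h["rule"])].append(h)
    regions = {}
    for key, group in by_key.items():
        merged = []
        for h in sorted(group, key=lambda x: (x["start"], x["seq"])):
            if merged and h["start"] <= merged[-1]["end"]:
                r = merged[-1]
                r["end"] = max(r["end"], h["end"])
                r["snapshots"] += 1
                r["first_seq"] = min(r["first_seq"], h["seq"])
                r["last_seq"] = max(r["last_seq"], h["seq"])
            else:
                merged.append({"start": h["start"], "end": h["end"], "snapshots": 1,
                               "first_seq": h["seq"], "last_seq": h["seq"]})
        regions[key] = merged
    return regions


def summarise(text):
    """One line per region: pid, rule, address range, size and snapshot count."""
    lines = []
    for (pid, rule), regs in sorted(group_regions(parse_hits(text)).items()):
        for r in regs:
            lines.append(f"pid {pid} {rule}: 0x{r['start']:X}-0x{r['end']:X} "
                         f"({r['end'] - r['start']} bytes, {r['snapshots']} snapshots, "
                         f"seq {r['first_seq']}-{r['last_seq']})")
    return lines


if __name__ == "__main__":
    print("\n".join(summarise(HITS)))
```

Run against the full tables the same code collapses the 37 rows to four regions; a region that is hit by every snapshot after it first appears (here 0x4B30000 in PID 4064 and 0x4A60000 in PID 2932) is a stable decrypted payload rather than a transient buffer, which is what makes it the right dump to extract and rescan.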
-
Executes dropped EXE 3 IoCs
pid   process
460   un575264.exe
4064  46441296.exe
2932  rk177987.exe
Windows security modification 2 IoCs
description      ioc  process
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  46441296.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  46441296.exe

Writing TamperProtection = 0 under Windows Defender\Features is an attempt to switch Defender's Tamper Protection off through the registry. The report records the write, not its effect; it does not show whether Tamper Protection was enabled on the image or whether Defender's state changed.
Adds Run key to start application 2 TTPs 2 IoCs
description      ioc  process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  4f7441df9e3ed28811914e4b41dd124f9effd8f9caba190ed7e8a1dd34f9e7c3.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  un575264.exe

Both RunOnce values are the cleanup records that the IExpress self-extractor (wextract) writes so that its IXPnnn.TMP extraction directory is deleted by rundll32 advpack.dll,DelNodeRunDLL32 at the next logon. Together with the IXP000.TMP and IXP001.TMP paths they show that the sample is an IExpress package nesting a second IExpress package; they are not a persistence mechanism for the Healer or RedLine payloads.
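The three registry signatures above (Modifies Windows Defender Real-time Protection settings, Windows security modification, Adds Run key) and the NLS\Language reads below are each a handful of "Key created", "Set value" or "Key opened" lines. The Python below is an added example, not code from the report or from the sandbox vendor: it parses lines in that exact format and classifies them. Defender Real-Time Protection policy values set to 1 and TamperProtection set to 0 are tagged ATT&CK T1562.001 (Impair Defenses: Disable or Modify Tools); Run/RunOnce entries are tagged T1547.001 unless they are the advpack.dll DelNodeRunDLL32 cleanup stubs that the IExpress extractor leaves behind, which are reported as informational with the temp directory they delete; a Key opened on NLS\Language is tagged T1614.001. The event lines are copied from this report; the finding names, the `wow64` flag and all helper names are my own.

```python
import re

# Constructed input: registry events copied verbatim from this report's
# Defender, RunOnce and NLS\Language signature tables, one event per line.
EVENTS = r'''
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 46441296.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 46441296.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 46441296.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 46441296.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 46441296.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 46441296.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 46441296.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 46441296.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 4f7441df9e3ed28811914e4b41dd124f9effd8f9caba190ed7e8a1dd34f9e7c3.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un575264.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46441296.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rk177987.exe
'''

# <op> <path>[ = "<value>"] <process>; the path may contain spaces, the
# process name is the last whitespace-delimited token on the line.
EVENT_RE = re.compile(
    r'^(?P<op>Key created|Key opened|Set value \((?P<type>int|str)\))\s+'
    r'(?P<path>\\REGISTRY\\.*?)'
    r'(?:\s=\s"(?P<value>.*)")?'
    r'\s+(?P<process>\S+)$'
)

SOFTWARE = '\\registry\\machine\\software\\'
RTP_POLICY = 'policies\\microsoft\\windows defender\\real-time protection\\'
TAMPER_VALUE = 'microsoft\\windows defender\\features\\tamperprotection'
AUTORUN_KEYS = ('microsoft\\windows\\currentversion\\run\\',
                'microsoft\\windows\\currentversion\\runonce\\')
IEXPRESS_CLEANUP_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"([^"]+)"', re.I)


def unescape(s):
    # The report quotes values C-style: a backslash protects the next character.
    out, i = [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return ''.join(out)


def parse_events(text):
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if not m:
            raise ValueError(f'unrecognised event line: {line!r}')
        op = 'set' if m['op'].startswith('Set') else m['op'].split()[1]  # created / opened
        value = unescape(m['value']) if m['value'] is not None else None
        events.append({'op': op, 'type': m['type'], 'path': m['path'],
                       'value': value, 'process': m['process']})
    return events


def relative_path(path):
    """Lower-case path below HKLM\\SOFTWARE, with the WOW6432Node (32-bit view) prefix
    stripped and reported separately so findings can note a 32-bit writer."""
    low = path.lower()
    if not low.startswith(SOFTWARE):
        return low, False
    rel = low[len(SOFTWARE):]
    if rel.startswith('wow6432node\\'):
        return rel[len('wow6432node\\'):], True
    return rel, False


def _finding(kind, technique, ev, detail, wow64=False):
    return {'kind': kind, 'technique': technique, 'process': ev['process'],
            'detail': detail, 'wow64': wow64}


def classify(ev):
    """Map one event to a finding dict, or None when it is not interesting on its own."""
    if ev['op'] == 'opened':
        if ev['path'].lower().endswith('\\control\\nls\\language'):
            return _finding('system_language_discovery', 'T1614.001', ev, ev['path'])
        return None
    if ev['op'] != 'set':
        return None  # bare key creation: the value write that follows carries the signal
    rel, wow64 = relative_path(ev['path'])
    name = ev['path'].rpartition('\\')[2]
    if rel.startswith(RTP_POLICY) and name.lower().startswith('disable') and ev['value'] == '1':
        return _finding('defender_realtime_disabled', 'T1562.001', ev, name, wow64)
    if rel == TAMPER_VALUE and ev['value'] == '0':
        return _finding('defender_tamper_protection_off', 'T1562.001', ev, name, wow64)
    if any(rel.startswith(k) for k in AUTORUN_KEYS):
        m = IEXPRESS_CLEANUP_RE.search(ev['value'])
        if m:  # IExpress/wextract cleanup stub deleting its temp dir, not payload persistence
            return _finding('iexpress_cleanup', None, ev, m.group(1), wow64)
        return _finding('autostart_entry', 'T1547.001', ev, ev['value'], wow64)
    return None


def analyse(text):
    return [f for f in map(classify, parse_events(text)) if f]


if __name__ == '__main__':
    for f in analyse(EVENTS):
        print(f"{f['technique'] or 'info':10} {f['kind']:32} {f['process']}  {f['detail']}")
```

On this report the classifier yields six T1562.001 findings, all from 46441296.exe and all through the 32-bit view, two informational IExpress cleanups (IXP000.TMP from the sample, IXP001.TMP from un575264.exe) and no genuine autostart entry, which matches the process tree: the stealer is launched by the extractor chain, not by a Run key.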
Program crash 1 IoCs
pid   pid_target  process       procid_target
4692  4064        WerFault.exe  84
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  4f7441df9e3ed28811914e4b41dd124f9effd8f9caba190ed7e8a1dd34f9e7c3.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  un575264.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  46441296.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rk177987.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   process
4064  46441296.exe
4064  46441296.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description              pid   process
Token: SeDebugPrivilege  4064  46441296.exe
Token: SeDebugPrivilege  2932  rk177987.exe

Suspicious use of WriteProcessMemory 9 IoCs
description                       pid   process                                                               procid_target
PID 3928 wrote to memory of 460   3928  4f7441df9e3ed28811914e4b41dd124f9effd8f9caba190ed7e8a1dd34f9e7c3.exe  83
PID 3928 wrote to memory of 460   3928  4f7441df9e3ed28811914e4b41dd124f9effd8f9caba190ed7e8a1dd34f9e7c3.exe  83
PID 3928 wrote to memory of 460   3928  4f7441df9e3ed28811914e4b41dd124f9effd8f9caba190ed7e8a1dd34f9e7c3.exe  83
PID 460 wrote to memory of 4064   460   un575264.exe                                                          84
PID 460 wrote to memory of 4064   460   un575264.exe                                                          84
PID 460 wrote to memory of 4064   460   un575264.exe                                                          84
PID 460 wrote to memory of 2932   460   un575264.exe                                                          95
PID 460 wrote to memory of 2932   460   un575264.exe                                                          95
PID 460 wrote to memory of 2932   460   un575264.exe                                                          95
Processes

C:\Users\Admin\AppData\Local\Temp\4f7441df9e3ed28811914e4b41dd124f9effd8f9caba190ed7e8a1dd34f9e7c3.exe  (PID 3928)
  command line: "C:\Users\Admin\AppData\Local\Temp\4f7441df9e3ed28811914e4b41dd124f9effd8f9caba190ed7e8a1dd34f9e7c3.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un575264.exe  (PID 460)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un575264.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\46441296.exe  (PID 4064)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\46441296.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe  (PID 4692)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1080
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk177987.exe  (PID 2932)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk177987.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe  (PID 3128)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4064 -ip 4064
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 536KB
MD5: 8bc9a0c33ba62eade1dfe4bc0dab775b
SHA1: 10e04da924c11853ae4010d00d42d491f80e353c
SHA256: 83c819a89fa60fd7f7d47141e75761f0052fc09b6afebca07ef8b4f926654797
SHA512: 66562d71db6f6f799a9f4aaef5b9c8eb529f10f2655661aca88314b9beedc8c8ad96fa0984800c30b1a31c05367012194331c47e773b8e62337c7e6b74ffc4d8

Filesize: 259KB
MD5: 1bce6e12fa59d9b7862839af5323b64e
SHA1: d97d11c6e014d2cd186efc7305f5d466c05b0455
SHA256: ecf69fce5d4237acbb1993ea98d9524ee5f11d9f850887fd9500b9c367289486
SHA512: 075bc362e31e0b3fefb8be40c29e2653415858072c417f1e3ca063374d299d1c179cfff1e5b1a6c5e55dbfc6b18634f5e401ac50f4af02793f332d626f8f233c

Filesize: 341KB
MD5: 924ea1ae46ce00882639062af86d8055
SHA1: 5680e1f4669fb53cb7a182a925553647c0a2b558
SHA256: eb6a9d78fd0315558526b22c7195dc38646a28faefadffb7547b7a1746834b0a
SHA512: 2bb9f5ad0519fb06cb6cdc3f12c2cae0f325858e6d6550f5e17b5917fa37ce6f6f16d2868ab5690a06294a74c19228b843eacace6d457f104932b1905553e33a