Analysis
  max time kernel: 113s
  max time network: 119s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 13-11-2024 13:20
  Static task: static1
  Behavioral task: behavioral1
    Sample: 914afb56c7e3131853a89eb475c47fba6a801a2e4dbad714e774a3cc672ece80N.exe
    Resource: win10v2004-20241007-en
General
  Target: 914afb56c7e3131853a89eb475c47fba6a801a2e4dbad714e774a3cc672ece80N.exe
  Size: 691KB
  MD5: 5ade24dcaaca6a3d90a7d5480c103560
  SHA1: 17c516d8b2afd2c8ef9301e9744b7e9597db95fa
  SHA256: 914afb56c7e3131853a89eb475c47fba6a801a2e4dbad714e774a3cc672ece80
  SHA512: 6e8146fe424e28ba2cb9cce116f6ed70b82925372146a1412f97cabc2efeb08034650ea31e53bc927b1d9a70b641e139067916cc9e883f02c6c8e972ee6e5eca
  SSDEEP: 12288:My90EB90PRto58VKbIAG3W87kVqHVQ93D7t1/UYunnOkOf:MyxBURCwKUAI7SxRv1YnNOf
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
  YARA rule "healer" matched 17 memory dumps of PID 116 (01404501.exe) in behavioral1.
Healer family

Modifies Windows Defender Real-time Protection settings
  Process 01404501.exe (PID 116):
    Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
    Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
    Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
    Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
    Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
    Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
  YARA rule "family_redline" matched 20 memory dumps of PID 3452 (rk758735.exe) in behavioral1.
Redline family
Executes dropped EXE (3 IoCs)
  PID 4044  un573360.exe
  PID 116   01404501.exe
  PID 3452  rk758735.exe
Windows security modification
  Process 01404501.exe (PID 116):
    Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
    Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application (2 TTPs, 2 IoCs)
  Process 914afb56c7e3131853a89eb475c47fba6a801a2e4dbad714e774a3cc672ece80N.exe (PID 2268):
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process un573360.exe (PID 4044):
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Program crash (1 IoC)
  PID 4820  WerFault.exe  (pid_target 116, procid_target 84)
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by 914afb56c7e3131853a89eb475c47fba6a801a2e4dbad714e774a3cc672ece80N.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by un573360.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by 01404501.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by rk758735.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 116  01404501.exe
  PID 116  01404501.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 116   01404501.exe
  Token: SeDebugPrivilege  PID 3452  rk758735.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2268 wrote to memory of 4044  (914afb56c7e3131853a89eb475c47fba6a801a2e4dbad714e774a3cc672ece80N.exe, procid_target 83)
  PID 2268 wrote to memory of 4044  (914afb56c7e3131853a89eb475c47fba6a801a2e4dbad714e774a3cc672ece80N.exe, procid_target 83)
  PID 2268 wrote to memory of 4044  (914afb56c7e3131853a89eb475c47fba6a801a2e4dbad714e774a3cc672ece80N.exe, procid_target 83)
  PID 4044 wrote to memory of 116   (un573360.exe, procid_target 84)
  PID 4044 wrote to memory of 116   (un573360.exe, procid_target 84)
  PID 4044 wrote to memory of 116   (un573360.exe, procid_target 84)
  PID 4044 wrote to memory of 3452  (un573360.exe, procid_target 99)
  PID 4044 wrote to memory of 3452  (un573360.exe, procid_target 99)
  PID 4044 wrote to memory of 3452  (un573360.exe, procid_target 99)
Processes (indented by parent/child depth)

C:\Users\Admin\AppData\Local\Temp\914afb56c7e3131853a89eb475c47fba6a801a2e4dbad714e774a3cc672ece80N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\914afb56c7e3131853a89eb475c47fba6a801a2e4dbad714e774a3cc672ece80N.exe"
  PID: 2268
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un573360.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un573360.exe
    PID: 4044
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\01404501.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\01404501.exe
      PID: 116
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 1084
        PID: 4820
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk758735.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk758735.exe
      PID: 3452
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 116 -ip 116
  PID: 3760
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
  File 1
    Filesize: 537KB
    MD5: c5086d53390fb6e858dbe2b4bd8cbd74
    SHA1: 1b4c8d069de1a5ba622c6620ffddbd56460c6c99
    SHA256: 9563fcb17fea0762b7b857bfafc27ed7d2262e1a78b711ee7c38fb63426d18c1
    SHA512: cfb3079304641ae7cd50ee40b1f02d75fe2d287716c3db9b3eec709b760440e21973f8e0c48d43101aeaf9b5fba64495c2e82e88cadb3fdac559f80354663d95
  File 2
    Filesize: 259KB
    MD5: 3ba9e9f459ad3ecac67a9c84a67b7a31
    SHA1: 6e2f9f3cea7115f991447ca8aec12fbb704ba886
    SHA256: 831b0c0b5e2d0e2919e8e739a295c6afdf6d30b7f8c9b45b5ddb1488d8211989
    SHA512: 7229af44caa035c65af910396ed58981e7f314437c4c27f4f84d90d44fa42334119ea6bcd931efb82e54f150e85a118bcaeac667a9ece6e4568730ec301b6b17
  File 3
    Filesize: 342KB
    MD5: 8228b4070388def3df3627809423dfd9
    SHA1: 25385ae685ed692eace7f9626a869998136c4447
    SHA256: b2e73b980c8d1443be8f3b0c1dc51360006f3ceba4a97104dae7feba064aff30
    SHA512: 15938219b70b54500f32ef49b8e1c657254d9fb6db6e4d68bb1c62c7a9f2b3cc33f08c8188ae5a699b439cc038830270409c18e84514c3656b26eeeca521d001