Analysis
- max time kernel: 142s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 03:54

Static task: static1
Behavioral task: behavioral1
Sample: a625698ba0ea32bb52436cadb7c912c96f12facc903c8534cdd1a2b6d4cf64ff.exe
Resource: win10v2004-20241007-en
General
- Target: a625698ba0ea32bb52436cadb7c912c96f12facc903c8534cdd1a2b6d4cf64ff.exe
- Size: 690KB
- MD5: 823948042a4efceea0eab24a2715ab82
- SHA1: 86949d022abf6076dbd36c30ae4fbb46af882ba7
- SHA256: a625698ba0ea32bb52436cadb7c912c96f12facc903c8534cdd1a2b6d4cf64ff
- SHA512: ff95c1b82668361a99800a95f4bab172dc82418e87c9daa67b654d6daf47f6ab72055a40cf618aebcaa02ceaeed1fa5e1182acf09382a6644b5215c363786f14
- SSDEEP: 12288:Jy90AfOSe7ZQYtMBQObHczVbyZmBJ/O872uGDBgCVX3wGv41:JyQSTBbc0Y2uGtgCVwGv41
Malware Config
Signatures
- Detects Healer, an antivirus disabler dropper (17 IoCs)
  resource | yara_rule
  behavioral1/memory/3084-19-0x0000000002220000-0x000000000223A000-memory.dmp | healer
  behavioral1/memory/3084-21-0x0000000002280000-0x0000000002298000-memory.dmp | healer
  behavioral1/memory/3084-49-0x0000000002280000-0x0000000002293000-memory.dmp | healer
  behavioral1/memory/3084-47-0x0000000002280000-0x0000000002293000-memory.dmp | healer
  behavioral1/memory/3084-45-0x0000000002280000-0x0000000002293000-memory.dmp | healer
  behavioral1/memory/3084-43-0x0000000002280000-0x0000000002293000-memory.dmp | healer
  behavioral1/memory/3084-41-0x0000000002280000-0x0000000002293000-memory.dmp | healer
  behavioral1/memory/3084-39-0x0000000002280000-0x0000000002293000-memory.dmp | healer
  behavioral1/memory/3084-37-0x0000000002280000-0x0000000002293000-memory.dmp | healer
  behavioral1/memory/3084-35-0x0000000002280000-0x0000000002293000-memory.dmp | healer
  behavioral1/memory/3084-33-0x0000000002280000-0x0000000002293000-memory.dmp | healer
  behavioral1/memory/3084-31-0x0000000002280000-0x0000000002293000-memory.dmp | healer
  behavioral1/memory/3084-29-0x0000000002280000-0x0000000002293000-memory.dmp | healer
  behavioral1/memory/3084-27-0x0000000002280000-0x0000000002293000-memory.dmp | healer
  behavioral1/memory/3084-25-0x0000000002280000-0x0000000002293000-memory.dmp | healer
  behavioral1/memory/3084-23-0x0000000002280000-0x0000000002293000-memory.dmp | healer
  behavioral1/memory/3084-22-0x0000000002280000-0x0000000002293000-memory.dmp | healer
- Healer family
- Modifies Windows Defender Real-time Protection settings (6 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 94147134.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 94147134.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 94147134.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 94147134.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 94147134.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 94147134.exe
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (20 IoCs)
  resource | yara_rule
  behavioral1/memory/2968-61-0x00000000023F0000-0x000000000242C000-memory.dmp | family_redline
  behavioral1/memory/2968-62-0x0000000002710000-0x000000000274A000-memory.dmp | family_redline
  behavioral1/memory/2968-70-0x0000000002710000-0x0000000002745000-memory.dmp | family_redline
  behavioral1/memory/2968-78-0x0000000002710000-0x0000000002745000-memory.dmp | family_redline
  behavioral1/memory/2968-96-0x0000000002710000-0x0000000002745000-memory.dmp | family_redline
  behavioral1/memory/2968-94-0x0000000002710000-0x0000000002745000-memory.dmp | family_redline
  behavioral1/memory/2968-92-0x0000000002710000-0x0000000002745000-memory.dmp | family_redline
  behavioral1/memory/2968-90-0x0000000002710000-0x0000000002745000-memory.dmp | family_redline
  behavioral1/memory/2968-88-0x0000000002710000-0x0000000002745000-memory.dmp | family_redline
  behavioral1/memory/2968-86-0x0000000002710000-0x0000000002745000-memory.dmp | family_redline
  behavioral1/memory/2968-82-0x0000000002710000-0x0000000002745000-memory.dmp | family_redline
  behavioral1/memory/2968-80-0x0000000002710000-0x0000000002745000-memory.dmp | family_redline
  behavioral1/memory/2968-76-0x0000000002710000-0x0000000002745000-memory.dmp | family_redline
  behavioral1/memory/2968-74-0x0000000002710000-0x0000000002745000-memory.dmp | family_redline
  behavioral1/memory/2968-72-0x0000000002710000-0x0000000002745000-memory.dmp | family_redline
  behavioral1/memory/2968-84-0x0000000002710000-0x0000000002745000-memory.dmp | family_redline
  behavioral1/memory/2968-68-0x0000000002710000-0x0000000002745000-memory.dmp | family_redline
  behavioral1/memory/2968-66-0x0000000002710000-0x0000000002745000-memory.dmp | family_redline
  behavioral1/memory/2968-64-0x0000000002710000-0x0000000002745000-memory.dmp | family_redline
  behavioral1/memory/2968-63-0x0000000002710000-0x0000000002745000-memory.dmp | family_redline
- Redline family
- Executes dropped EXE (3 IoCs)
  pid | Process
  5112 | un004922.exe
  3084 | 94147134.exe
  2968 | rk559120.exe
- Windows security modification (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 94147134.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 94147134.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | a625698ba0ea32bb52436cadb7c912c96f12facc903c8534cdd1a2b6d4cf64ff.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un004922.exe
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  4716 | 3084 | WerFault.exe | 87
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 94147134.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rk559120.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a625698ba0ea32bb52436cadb7c912c96f12facc903c8534cdd1a2b6d4cf64ff.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un004922.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  3084 | 94147134.exe
  3084 | 94147134.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3084 | 94147134.exe
  Token: SeDebugPrivilege | 2968 | rk559120.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 3396 wrote to memory of 5112 | 3396 | a625698ba0ea32bb52436cadb7c912c96f12facc903c8534cdd1a2b6d4cf64ff.exe | 85
  PID 3396 wrote to memory of 5112 | 3396 | a625698ba0ea32bb52436cadb7c912c96f12facc903c8534cdd1a2b6d4cf64ff.exe | 85
  PID 3396 wrote to memory of 5112 | 3396 | a625698ba0ea32bb52436cadb7c912c96f12facc903c8534cdd1a2b6d4cf64ff.exe | 85
  PID 5112 wrote to memory of 3084 | 5112 | un004922.exe | 87
  PID 5112 wrote to memory of 3084 | 5112 | un004922.exe | 87
  PID 5112 wrote to memory of 3084 | 5112 | un004922.exe | 87
  PID 5112 wrote to memory of 2968 | 5112 | un004922.exe | 96
  PID 5112 wrote to memory of 2968 | 5112 | un004922.exe | 96
  PID 5112 wrote to memory of 2968 | 5112 | un004922.exe | 96
Processes
1. C:\Users\Admin\AppData\Local\Temp\a625698ba0ea32bb52436cadb7c912c96f12facc903c8534cdd1a2b6d4cf64ff.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a625698ba0ea32bb52436cadb7c912c96f12facc903c8534cdd1a2b6d4cf64ff.exe"
   PID: 3396
   Signatures:
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un004922.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un004922.exe
      PID: 5112
      Signatures:
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94147134.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94147134.exe
         PID: 3084
         Signatures:
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         4. C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 1028
            PID: 4716
            Signatures:
            - Program crash
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk559120.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk559120.exe
         PID: 2968
         Signatures:
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3084 -ip 3084
   PID: 3116
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Filesize: 536KB
  MD5: 2dd5238b3b2449e87cf074a2b5fbd5d7
  SHA1: 1d3f24351b31e77932acf34dee461dac3244ba7a
  SHA256: 9cd3358e160620f06b88608460c02df349293052a0435640b93bf2fdfaba0145
  SHA512: 06098c44e16495e4a511a5f6bbd7ebdab0fb6564dd9d1758c1e57e1f4d1f8502e0fb456b00cb8ff3bc3471bb174d0d21bb6e9829c6a2355dea7fd24bb07783e0
- Filesize: 258KB
  MD5: 8c4c12c61a341ea625718f90fd510a64
  SHA1: d510720279e956ee661f5b16204476e0b5e87ea3
  SHA256: 2d2a27ae447755247db4f4599c8934c2788aabbc320e83fde35fa74dae39b181
  SHA512: 27e66e932edc86fca7b98d2f6c4a2400b28016bd6bf7093520e5b71a4f76e4bed02b2560668afed7216c964f5774deb3a956656a179662b5a9cbbd4d1df508d3
- Filesize: 342KB
  MD5: 868d17b6bcdd2cdd7689c7a0076a687d
  SHA1: 1e48359969b9bccd4663df7f86c916c2f8156583
  SHA256: 972d23bb18f7b3940e98b14352758c64f348391a632c53028774b1ce80cfd99d
  SHA512: ec51ce73ff86282f5a2504867d469c0efde03b5abf9a42d52edd8066d97151c5e520f151f18bda3b7296d3dc282789b1eca9a81d6cac65e7f56a1fa24b9958e8