Analysis
max time kernel: 143s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 03:55
Static task: static1
Behavioral task: behavioral1
Sample: 106bf326e29c6bc7c4698c25095ecd2eec2b9cabd3bed14fe7e9b7a95f64258a.exe
Resource: win10v2004-20241007-en
General
Target: 106bf326e29c6bc7c4698c25095ecd2eec2b9cabd3bed14fe7e9b7a95f64258a.exe
Size: 694KB
MD5: 3a64ed38f0368d877f05adc7ef4bb43b
SHA1: c175e7d546cad04938e219353e14bd5c2a26ecac
SHA256: 106bf326e29c6bc7c4698c25095ecd2eec2b9cabd3bed14fe7e9b7a95f64258a
SHA512: 8d7f8eb8aade2b62749f50c230980257bbb6121716ebb70cdd019fe54a5ed4ade238c69b02b60e85a8f4d65d33399d65a776b3d72914fd78ac554dd7d6daa294
SSDEEP: 12288:ay90e9ChDt4vdeFdfwpFTECvvjcF/IQW+6FF18b2KQA+OAD+URw:ayd9ChfFdfoFzvvjcJ6FF18b2LPyUG
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper 17 IoCs
Healer family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 04229891.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 04229891.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 04229891.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 04229891.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 04229891.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 04229891.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 20 IoCs
RedLine family
Executes dropped EXE 3 IoCs
pid | Process
4912 | un800228.exe
1156 | 04229891.exe
876 | rk437550.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 04229891.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 04229891.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 106bf326e29c6bc7c4698c25095ecd2eec2b9cabd3bed14fe7e9b7a95f64258a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un800228.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
4780 | 1156 | WerFault.exe | 85
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 106bf326e29c6bc7c4698c25095ecd2eec2b9cabd3bed14fe7e9b7a95f64258a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un800228.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 04229891.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rk437550.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1156 | 04229891.exe
1156 | 04229891.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1156 | 04229891.exe
Token: SeDebugPrivilege | 876 | rk437550.exe
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 3852 wrote to memory of 4912 | 3852 | 106bf326e29c6bc7c4698c25095ecd2eec2b9cabd3bed14fe7e9b7a95f64258a.exe | 84
PID 3852 wrote to memory of 4912 | 3852 | 106bf326e29c6bc7c4698c25095ecd2eec2b9cabd3bed14fe7e9b7a95f64258a.exe | 84
PID 3852 wrote to memory of 4912 | 3852 | 106bf326e29c6bc7c4698c25095ecd2eec2b9cabd3bed14fe7e9b7a95f64258a.exe | 84
PID 4912 wrote to memory of 1156 | 4912 | un800228.exe | 85
PID 4912 wrote to memory of 1156 | 4912 | un800228.exe | 85
PID 4912 wrote to memory of 1156 | 4912 | un800228.exe | 85
PID 4912 wrote to memory of 876 | 4912 | un800228.exe | 100
PID 4912 wrote to memory of 876 | 4912 | un800228.exe | 100
PID 4912 wrote to memory of 876 | 4912 | un800228.exe | 100
Processes
C:\Users\Admin\AppData\Local\Temp\106bf326e29c6bc7c4698c25095ecd2eec2b9cabd3bed14fe7e9b7a95f64258a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\106bf326e29c6bc7c4698c25095ecd2eec2b9cabd3bed14fe7e9b7a95f64258a.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3852
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un800228.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un800228.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4912
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1156
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 1080
        - Program crash
        PID: 4780
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk437550.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk437550.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 876
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1156 -ip 1156
  PID: 4896
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads