Analysis
max time kernel: 144s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 03:58 (9 November 2024; the analysis image is dated 2024-10-07)
Static task: static1
Behavioral task: behavioral1
Sample: 8cf789c998abd5d05a87efd6c0aa4c4d6fe294bc1547d3ec20d77b6c83a5878f.exe
Resource: win10v2004-20241007-en
General
Target: 8cf789c998abd5d05a87efd6c0aa4c4d6fe294bc1547d3ec20d77b6c83a5878f.exe
Size: 697KB
MD5: 8257ca0a6b8b14a4afa6969d1be82242
SHA1: 5e8234f1818eb70fab059bcd869b9d62be1e35e6
SHA256: 8cf789c998abd5d05a87efd6c0aa4c4d6fe294bc1547d3ec20d77b6c83a5878f
SHA512: f49642dda621e11ec79d561332ffe33df133bf196846fc87197897ae86dc0841329fbdc4585b8434a0a9705a1ac04cfb140f56ad27e8b9ebe08c218def12a1e2
SSDEEP: 12288:Zy90T9YHVOGsrqDJnYA//FevAjPejVoVwzxmsofBPkUSwdCVK175bggxmX:ZyoKVO1+ZWjCVtsofdkPwAIVbJxq
Malware Config
Signatures
-
Detects Healer, an antivirus disabler dropper 17 IoCs
resource / yara_rule (every hit is the healer rule on a memory dump of PID 3140, 48352993.exe)
behavioral1/memory/3140-18-0x0000000004B80000-0x0000000004B9A000-memory.dmp healer
behavioral1/memory/3140-20-0x0000000004C00000-0x0000000004C18000-memory.dmp healer
behavioral1/memory/3140-48-0x0000000004C00000-0x0000000004C13000-memory.dmp healer
behavioral1/memory/3140-46-0x0000000004C00000-0x0000000004C13000-memory.dmp healer
behavioral1/memory/3140-44-0x0000000004C00000-0x0000000004C13000-memory.dmp healer
behavioral1/memory/3140-42-0x0000000004C00000-0x0000000004C13000-memory.dmp healer
behavioral1/memory/3140-40-0x0000000004C00000-0x0000000004C13000-memory.dmp healer
behavioral1/memory/3140-38-0x0000000004C00000-0x0000000004C13000-memory.dmp healer
behavioral1/memory/3140-36-0x0000000004C00000-0x0000000004C13000-memory.dmp healer
behavioral1/memory/3140-34-0x0000000004C00000-0x0000000004C13000-memory.dmp healer
behavioral1/memory/3140-32-0x0000000004C00000-0x0000000004C13000-memory.dmp healer
behavioral1/memory/3140-30-0x0000000004C00000-0x0000000004C13000-memory.dmp healer
behavioral1/memory/3140-28-0x0000000004C00000-0x0000000004C13000-memory.dmp healer
behavioral1/memory/3140-26-0x0000000004C00000-0x0000000004C13000-memory.dmp healer
behavioral1/memory/3140-24-0x0000000004C00000-0x0000000004C13000-memory.dmp healer
behavioral1/memory/3140-22-0x0000000004C00000-0x0000000004C13000-memory.dmp healer
behavioral1/memory/3140-21-0x0000000004C00000-0x0000000004C13000-memory.dmp healer
Healer family

Modifies Windows Defender Real-time Protection settings 6 IoCs
description / ioc / Process
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 48352993.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 48352993.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 48352993.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 48352993.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 48352993.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 48352993.exe
These are the same values Group Policy writes under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection; set to 1 they turn off behaviour monitoring, IOAV (download and attachment) scanning, on-access scanning, real-time monitoring, and the catch-up scan that normally runs when real-time protection is re-enabled. The WOW6432Node component is how the 32-bit dropper's writes are reported on the x64 image, so hunting rules should match the key with or without it.
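To turn the Defender-disabling writes above into a detection, here is an added example (not the sandbox's code and not the sample's) that classifies registry value-set events. The records are constructed in the shape of Sysmon EventID 13 (TargetObject, Details, Image); the key paths mirror the IoCs attributed to 48352993.exe, the benign records and the function names are mine.

```python
"""Classify registry value-set events that disable Microsoft Defender.

Added example for this report; not the sandbox's code or the sample's.
Input records are constructed in the shape of Sysmon EventID 13 (Value Set):
TargetObject, Details, Image. The paths mirror the IoCs attributed to
48352993.exe above; the benign records are invented for contrast.
"""
import re
from collections import defaultdict
from typing import Optional

# Policy values under ...\Windows Defender\Real-Time Protection that switch a
# component off when set to 1. All five appear in the report.
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}

# Accept the Sysmon "HKLM\" and the kernel "\REGISTRY\MACHINE\" prefixes, and
# the key with or without the WOW6432Node component (32-bit writer on x64).
_PREFIX = r"^(?:HKLM|\\REGISTRY\\MACHINE)\\SOFTWARE\\(?:WOW6432Node\\)?"
RTP_RE = re.compile(
    _PREFIX + r"Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\(\w+)$", re.I)
TP_RE = re.compile(
    _PREFIX + r"Microsoft\\Windows Defender\\Features\\TamperProtection$", re.I)


def parse_dword(details: str) -> Optional[int]:
    """Sysmon renders REG_DWORD data as 'DWORD (0x00000001)'; return the int."""
    m = re.fullmatch(r"DWORD \(0x([0-9a-fA-F]{8})\)", details.strip())
    return int(m.group(1), 16) if m else None


def classify(event: dict) -> Optional[str]:
    """Label one value-set event, or None when it is not a Defender disable."""
    value = parse_dword(event.get("Details", ""))
    target = event.get("TargetObject", "")
    m = RTP_RE.match(target)
    if m and m.group(1) in RTP_DISABLE_VALUES and value == 1:
        return "defender_rtp_disabled:" + m.group(1)
    if TP_RE.match(target) and value == 0:
        return "defender_tamper_protection_off"
    return None


def scan(events: list) -> dict:
    """Group findings by writing image, so one dropper that flips several
    values (as 48352993.exe does in the report) surfaces as a single cluster."""
    findings = defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label:
            findings[ev.get("Image", "?")].append(label)
    return dict(findings)


HEALER = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe"
RTP_KEY = r"\Policies\Microsoft\Windows Defender\Real-Time Protection"

# Constructed sample events (Sysmon-shaped, values modelled on the report).
SAMPLE_EVENTS = [
    {"Image": HEALER,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node" + RTP_KEY + r"\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"Image": HEALER,  # same key in the kernel-style form the report uses
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node" + RTP_KEY + r"\DisableBehaviorMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"Image": HEALER,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
     "Details": "DWORD (0x00000000)"},
    # Benign: policy re-enabling real-time monitoring (value 0), native view.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE" + RTP_KEY + r"\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    # Benign: unrelated autostart value written by Explorer.
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for image, labels in scan(SAMPLE_EVENTS).items():
        print(image)
        for label in labels:
            print("  ", label)
```

Grouping by writing image matters in practice: a single process setting several of these values in one burst, as 48352993.exe does here, is a much stronger signal than any one value, and the value-0 branch keeps an administrator re-enabling protection through policy from firing the rule.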
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource / yara_rule (every hit is the family_redline rule on a memory dump of PID 2144, rk245905.exe)
behavioral1/memory/2144-60-0x0000000004CA0000-0x0000000004CDC000-memory.dmp family_redline
behavioral1/memory/2144-61-0x0000000007750000-0x000000000778A000-memory.dmp family_redline
behavioral1/memory/2144-65-0x0000000007750000-0x0000000007785000-memory.dmp family_redline
behavioral1/memory/2144-77-0x0000000007750000-0x0000000007785000-memory.dmp family_redline
behavioral1/memory/2144-95-0x0000000007750000-0x0000000007785000-memory.dmp family_redline
behavioral1/memory/2144-93-0x0000000007750000-0x0000000007785000-memory.dmp family_redline
behavioral1/memory/2144-91-0x0000000007750000-0x0000000007785000-memory.dmp family_redline
behavioral1/memory/2144-89-0x0000000007750000-0x0000000007785000-memory.dmp family_redline
behavioral1/memory/2144-87-0x0000000007750000-0x0000000007785000-memory.dmp family_redline
behavioral1/memory/2144-85-0x0000000007750000-0x0000000007785000-memory.dmp family_redline
behavioral1/memory/2144-81-0x0000000007750000-0x0000000007785000-memory.dmp family_redline
behavioral1/memory/2144-79-0x0000000007750000-0x0000000007785000-memory.dmp family_redline
behavioral1/memory/2144-75-0x0000000007750000-0x0000000007785000-memory.dmp family_redline
behavioral1/memory/2144-73-0x0000000007750000-0x0000000007785000-memory.dmp family_redline
behavioral1/memory/2144-71-0x0000000007750000-0x0000000007785000-memory.dmp family_redline
behavioral1/memory/2144-69-0x0000000007750000-0x0000000007785000-memory.dmp family_redline
behavioral1/memory/2144-67-0x0000000007750000-0x0000000007785000-memory.dmp family_redline
behavioral1/memory/2144-83-0x0000000007750000-0x0000000007785000-memory.dmp family_redline
behavioral1/memory/2144-63-0x0000000007750000-0x0000000007785000-memory.dmp family_redline
behavioral1/memory/2144-62-0x0000000007750000-0x0000000007785000-memory.dmp family_redline
RedLine family
-
Executes dropped EXE 3 IoCs
pid / Process
1912 un110322.exe
3140 48352993.exe
2144 rk245905.exe

Windows security modification 2 IoCs
description / ioc / Process
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 48352993.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 48352993.exe
TamperProtection = 0 is a direct attempt to switch Tamper Protection off through the registry. Whether any of these writes actually disabled Defender depends on the host: with Tamper Protection enabled, registry changes to the guarded real-time protection settings are expected to be blocked, so treat the entries as a high-confidence indicator of an AV disabler rather than as proof that Defender was turned off.
Adds Run key to start application 2 TTPs 2 IoCs
description / ioc / Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 8cf789c998abd5d05a87efd6c0aa4c4d6fe294bc1547d3ec20d77b6c83a5878f.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un110322.exe
Both values are the standard cleanup entries written by wextract.exe, the self-extracting cabinet stub that IExpress produces: IXP000.TMP and IXP001.TMP are its extraction folders, and the RunOnce command deletes them at the next logon through advpack.dll's DelNodeRunDLL32. They do not start the payload again. The two-level nesting shows that the sample is an SFX that drops a second SFX (un110322.exe), which in turn drops 48352993.exe (Healer) and rk245905.exe (RedLine); no persistence mechanism for the stealer itself appears in this report.
Program crash 1 IoCs
pid / pid_target / Process / procid_target
2916 3140 WerFault.exe 86
WerFault.exe (PID 2916) handled a crash in PID 3140, the Healer component 48352993.exe.
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8cf789c998abd5d05a87efd6c0aa4c4d6fe294bc1547d3ec20d77b6c83a5878f.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language un110322.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48352993.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rk245905.exe
Stealers of this kind commonly use the language to skip hosts in excluded regions, but the two wextract stubs read the key as well, so this access alone does not separate the payloads from the packer.
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid / Process
3140 48352993.exe
3140 48352993.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description / pid / Process
Token: SeDebugPrivilege 3140 48352993.exe
Token: SeDebugPrivilege 2144 rk245905.exe

Suspicious use of WriteProcessMemory 9 IoCs
description / pid / Process / procid_target
PID 3196 wrote to memory of 1912 3196 8cf789c998abd5d05a87efd6c0aa4c4d6fe294bc1547d3ec20d77b6c83a5878f.exe 83
PID 3196 wrote to memory of 1912 3196 8cf789c998abd5d05a87efd6c0aa4c4d6fe294bc1547d3ec20d77b6c83a5878f.exe 83
PID 3196 wrote to memory of 1912 3196 8cf789c998abd5d05a87efd6c0aa4c4d6fe294bc1547d3ec20d77b6c83a5878f.exe 83
PID 1912 wrote to memory of 3140 1912 un110322.exe 86
PID 1912 wrote to memory of 3140 1912 un110322.exe 86
PID 1912 wrote to memory of 3140 1912 un110322.exe 86
PID 1912 wrote to memory of 2144 1912 un110322.exe 96
PID 1912 wrote to memory of 2144 1912 un110322.exe 96
PID 1912 wrote to memory of 2144 1912 un110322.exe 96
Every target is a direct child in the process tree (3196 to 1912, 1912 to 3140, 1912 to 2144) and each pair is recorded three times, which is consistent with process creation by the parent rather than injection into a foreign process.
Processes
1 C:\Users\Admin\AppData\Local\Temp\8cf789c998abd5d05a87efd6c0aa4c4d6fe294bc1547d3ec20d77b6c83a5878f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8cf789c998abd5d05a87efd6c0aa4c4d6fe294bc1547d3ec20d77b6c83a5878f.exe"
  PID: 3196
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  2 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un110322.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un110322.exe
    PID: 1912
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    3 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe
      PID: 3140
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      4 C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1080
        PID: 2916
        - Program crash
    3 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk245905.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk245905.exe
      PID: 2144
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
1 C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3140 -ip 3140
  PID: 2260
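As an added example (not tooling from the sandbox vendor), the script below rebuilds the parent/child chain from the report's "wrote to memory of" records and the image paths in the tree above, deduplicates the triplicated records, and flags every process that runs from a wextract IXPnnn.TMP extraction directory. The record lines are copied from this report; the IMAGES map and the function names are mine.

```python
"""Rebuild the process chain from sandbox WriteProcessMemory records.

Added example for this report, not the sandbox's own tooling. The records
below are quoted from the report's 'Suspicious use of WriteProcessMemory'
section; IMAGES is a constructed pid -> image map taken from the process tree.
"""
import re
from collections import Counter, defaultdict

# Constructed input: the report's own record format, nine lines, verbatim.
WPM_RECORDS = """\
PID 3196 wrote to memory of 1912 3196 8cf789c998abd5d05a87efd6c0aa4c4d6fe294bc1547d3ec20d77b6c83a5878f.exe 83
PID 3196 wrote to memory of 1912 3196 8cf789c998abd5d05a87efd6c0aa4c4d6fe294bc1547d3ec20d77b6c83a5878f.exe 83
PID 3196 wrote to memory of 1912 3196 8cf789c998abd5d05a87efd6c0aa4c4d6fe294bc1547d3ec20d77b6c83a5878f.exe 83
PID 1912 wrote to memory of 3140 1912 un110322.exe 86
PID 1912 wrote to memory of 3140 1912 un110322.exe 86
PID 1912 wrote to memory of 3140 1912 un110322.exe 86
PID 1912 wrote to memory of 2144 1912 un110322.exe 96
PID 1912 wrote to memory of 2144 1912 un110322.exe 96
PID 1912 wrote to memory of 2144 1912 un110322.exe 96
"""

IMAGES = {  # pid -> image path, from the process tree in the report
    3196: r"C:\Users\Admin\AppData\Local\Temp\8cf789c998abd5d05a87efd6c0aa4c4d6fe294bc1547d3ec20d77b6c83a5878f.exe",
    1912: r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un110322.exe",   # second SFX stage
    3140: r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe",   # Healer
    2144: r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk245905.exe",   # RedLine
    2916: r"C:\Windows\SysWOW64\WerFault.exe",
}

# "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")
# wextract (the IExpress self-extractor stub) unpacks into %TEMP%\IXPnnn.TMP
IXP_RE = re.compile(r"\\IXP\d{3}\.TMP\\", re.I)


def parse_wpm(text):
    """Return {(parent_pid, child_pid): count}; the report logs each pair 3x."""
    counts = Counter()
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        src, dst, src_again = int(m[1]), int(m[2]), int(m[3])
        if src != src_again:  # the format repeats the writer's pid; skip malformed lines
            continue
        counts[(src, dst)] += 1
    return counts


def build_tree(edges):
    """Map each parent pid to its sorted child pids (edges already deduplicated)."""
    tree = defaultdict(list)
    for parent, child in sorted(edges):
        tree[parent].append(child)
    return dict(tree)


def roots(edges):
    """Pids that write to children but were never written to themselves."""
    parents = {p for p, _ in edges}
    children = {c for _, c in edges}
    return sorted(parents - children)


def render(tree, images, root, depth=1):
    """Indented '<depth> <pid> <image>' lines, nested like the report's levels."""
    lines = [f"{'  ' * (depth - 1)}{depth} {root} {images.get(root, '?')}"]
    for child in tree.get(root, []):
        lines.extend(render(tree, images, child, depth + 1))
    return lines


def dropped_from_ixp(images):
    """Pids whose image lives in a wextract IXPnnn.TMP extraction directory."""
    return sorted(pid for pid, path in images.items() if IXP_RE.search(path))


def analyse(text=WPM_RECORDS, images=IMAGES):
    counts = parse_wpm(text)
    edges = set(counts)
    tree = build_tree(edges)
    return {
        "edges": edges,
        "all_triplicated": all(n == 3 for n in counts.values()),
        "roots": roots(edges),
        "tree": [line for r in roots(edges) for line in render(tree, images, r)],
        "ixp_pids": dropped_from_ixp(images),
    }


if __name__ == "__main__":
    result = analyse()
    print("\n".join(result["tree"]))
    print("executed from IXP*.TMP:", result["ixp_pids"])
```

The IXP*.TMP check is the cheap triage signal here: the first stage is the only process outside an extraction folder, so everything the report calls "Executes dropped EXE" is exactly the set this function returns.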
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution 1
  - Registry Run Keys / Startup Folder 1
- Create or Modify System Process 1
  - Windows Service 1
Downloads
Filesize: 543KB
MD5: b32dcf3b1fb54b8e862f84fbe0c8547b
SHA1: 6ae4f3678f777fc1656e57ab2db143277e60690d
SHA256: 0a1744782ccb95374e71f029b46d807f2a31072e670a426a3c73495b759f29bf
SHA512: a66969f54069db93a8ff9f8380666e776a70adc43e6351b0ff6ac4582b7a7fe1b7a09d6f45bc7f0ed4bce8af7b04076597c8938ded22c442027ec8d23b9fee09

Filesize: 263KB
MD5: a604d0a8dcf18156196619562ef426e5
SHA1: 1065de6e640de17c6db19b6237d39913364e8ee6
SHA256: abf0068d194197a1c047aa30065f655033e0d25beee3d715e8d4f68b14781e6b
SHA512: 046970ae23942f47b945bce62bfca5374bb27d22467a52001aec2f140629d30c2469481a3ba496495c6f88f7b8fd898927d7a724ea262375c82b358d6a5fd645

Filesize: 328KB
MD5: a3ee805808ba45946d51568bda5aff0b
SHA1: 7576545caf28d1dc6589817f2ec6b6f4496cc40a
SHA256: 50d3cbedfe32a3c147dba9805d5614cd669e8c945fd7e4e03d593ffc37cabe0a
SHA512: 9270d661efd165e296ada752da2d774f10e9270e523b0a9f4f6a8c6e4411c0017e57b274120d27e96734dbb44b61bd1f7c22a182abb49525864593400f487c06