Analysis
max time kernel: 147s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 05:03
Static task: static1
Behavioral task: behavioral1
Sample: 62cdf42bba9df4e7832816af66430d20368fe08bcfa2a955d8cdbcb3ce2fefa2.exe
Resource: win10v2004-20241007-en
General
Target: 62cdf42bba9df4e7832816af66430d20368fe08bcfa2a955d8cdbcb3ce2fefa2.exe
Size: 702KB
MD5: 9156339447ecc84c78a2c9920083104c
SHA1: 79a8dae6743d5a0c67dbd55dc68fabe644377aa3
SHA256: 62cdf42bba9df4e7832816af66430d20368fe08bcfa2a955d8cdbcb3ce2fefa2
SHA512: 59267e7fb75f4be809a07167e65aefd9f4bbe4859be867d7b580d3993d12d7458697c0f6beb15c670c2d3f94075367513d03fb980fee8c8e4659945303a7015d
SSDEEP: 12288:4y90yWSI6BRvips6h0+bfDEw9etH2x/NWX/+9r0reeamiy4z3:4ypc6BRghh0+b7itH2x/NWP+Ix2dz3
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
resource | yara_rule
behavioral1/memory/1280-18-0x00000000049A0000-0x00000000049BA000-memory.dmp | healer
behavioral1/memory/1280-20-0x0000000007150000-0x0000000007168000-memory.dmp | healer
behavioral1/memory/1280-48-0x0000000007150000-0x0000000007162000-memory.dmp | healer
behavioral1/memory/1280-46-0x0000000007150000-0x0000000007162000-memory.dmp | healer
behavioral1/memory/1280-45-0x0000000007150000-0x0000000007162000-memory.dmp | healer
behavioral1/memory/1280-42-0x0000000007150000-0x0000000007162000-memory.dmp | healer
behavioral1/memory/1280-40-0x0000000007150000-0x0000000007162000-memory.dmp | healer
behavioral1/memory/1280-38-0x0000000007150000-0x0000000007162000-memory.dmp | healer
behavioral1/memory/1280-36-0x0000000007150000-0x0000000007162000-memory.dmp | healer
behavioral1/memory/1280-34-0x0000000007150000-0x0000000007162000-memory.dmp | healer
behavioral1/memory/1280-32-0x0000000007150000-0x0000000007162000-memory.dmp | healer
behavioral1/memory/1280-30-0x0000000007150000-0x0000000007162000-memory.dmp | healer
behavioral1/memory/1280-28-0x0000000007150000-0x0000000007162000-memory.dmp | healer
behavioral1/memory/1280-26-0x0000000007150000-0x0000000007162000-memory.dmp | healer
behavioral1/memory/1280-24-0x0000000007150000-0x0000000007162000-memory.dmp | healer
behavioral1/memory/1280-22-0x0000000007150000-0x0000000007162000-memory.dmp | healer
behavioral1/memory/1280-21-0x0000000007150000-0x0000000007162000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr006460.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr006460.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr006460.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr006460.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr006460.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr006460.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
resource | yara_rule
behavioral1/memory/2980-59-0x0000000007130000-0x000000000716C000-memory.dmp | family_redline
behavioral1/memory/2980-60-0x0000000007780000-0x00000000077BA000-memory.dmp | family_redline
behavioral1/memory/2980-84-0x0000000007780000-0x00000000077B5000-memory.dmp | family_redline
behavioral1/memory/2980-94-0x0000000007780000-0x00000000077B5000-memory.dmp | family_redline
behavioral1/memory/2980-92-0x0000000007780000-0x00000000077B5000-memory.dmp | family_redline
behavioral1/memory/2980-90-0x0000000007780000-0x00000000077B5000-memory.dmp | family_redline
behavioral1/memory/2980-88-0x0000000007780000-0x00000000077B5000-memory.dmp | family_redline
behavioral1/memory/2980-86-0x0000000007780000-0x00000000077B5000-memory.dmp | family_redline
behavioral1/memory/2980-82-0x0000000007780000-0x00000000077B5000-memory.dmp | family_redline
behavioral1/memory/2980-80-0x0000000007780000-0x00000000077B5000-memory.dmp | family_redline
behavioral1/memory/2980-78-0x0000000007780000-0x00000000077B5000-memory.dmp | family_redline
behavioral1/memory/2980-76-0x0000000007780000-0x00000000077B5000-memory.dmp | family_redline
behavioral1/memory/2980-74-0x0000000007780000-0x00000000077B5000-memory.dmp | family_redline
behavioral1/memory/2980-70-0x0000000007780000-0x00000000077B5000-memory.dmp | family_redline
behavioral1/memory/2980-68-0x0000000007780000-0x00000000077B5000-memory.dmp | family_redline
behavioral1/memory/2980-72-0x0000000007780000-0x00000000077B5000-memory.dmp | family_redline
behavioral1/memory/2980-66-0x0000000007780000-0x00000000077B5000-memory.dmp | family_redline
behavioral1/memory/2980-64-0x0000000007780000-0x00000000077B5000-memory.dmp | family_redline
behavioral1/memory/2980-62-0x0000000007780000-0x00000000077B5000-memory.dmp | family_redline
behavioral1/memory/2980-61-0x0000000007780000-0x00000000077B5000-memory.dmp | family_redline
Redline family
Executes dropped EXE (3 IoCs)
pid | Process
2092 | un226891.exe
1280 | pr006460.exe
2980 | qu053474.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr006460.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr006460.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 62cdf42bba9df4e7832816af66430d20368fe08bcfa2a955d8cdbcb3ce2fefa2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un226891.exe
Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
pid | Process
64 | sc.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
64 | 1280 | WerFault.exe | 84
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 62cdf42bba9df4e7832816af66430d20368fe08bcfa2a955d8cdbcb3ce2fefa2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un226891.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pr006460.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu053474.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1280 | pr006460.exe
1280 | pr006460.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1280 | pr006460.exe
Token: SeDebugPrivilege | 2980 | qu053474.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 3268 wrote to memory of 2092 | 3268 | 62cdf42bba9df4e7832816af66430d20368fe08bcfa2a955d8cdbcb3ce2fefa2.exe | 83
PID 3268 wrote to memory of 2092 | 3268 | 62cdf42bba9df4e7832816af66430d20368fe08bcfa2a955d8cdbcb3ce2fefa2.exe | 83
PID 3268 wrote to memory of 2092 | 3268 | 62cdf42bba9df4e7832816af66430d20368fe08bcfa2a955d8cdbcb3ce2fefa2.exe | 83
PID 2092 wrote to memory of 1280 | 2092 | un226891.exe | 84
PID 2092 wrote to memory of 1280 | 2092 | un226891.exe | 84
PID 2092 wrote to memory of 1280 | 2092 | un226891.exe | 84
PID 2092 wrote to memory of 2980 | 2092 | un226891.exe | 99
PID 2092 wrote to memory of 2980 | 2092 | un226891.exe | 99
PID 2092 wrote to memory of 2980 | 2092 | un226891.exe | 99
Processes
C:\Users\Admin\AppData\Local\Temp\62cdf42bba9df4e7832816af66430d20368fe08bcfa2a955d8cdbcb3ce2fefa2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\62cdf42bba9df4e7832816af66430d20368fe08bcfa2a955d8cdbcb3ce2fefa2.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3268
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un226891.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un226891.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2092
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006460.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006460.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1280
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 1084
        - Program crash
        PID: 64
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu053474.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu053474.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 2980
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1280 -ip 1280
  PID: 4624
C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
  PID: 64
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 548KB
MD5: a7dbc805fb39c62036e58844856406c7
SHA1: f27d4422b5043797664353d1ea531c184ce3d959
SHA256: 4c1c68208f1f882a35c879785bf9f70270cdc571dd2b1b6e427e72d8ccc90601
SHA512: fa1011f449411ec5f52ee9d227d84c18dd7eb99380dfa30e3690d43baa77b7f452deb6ea4b61159b81c848d6cbe7d846e646dc9a72cc62d56968ce26ec872eff

Filesize: 278KB
MD5: 0ee934c978e1cef022dd902aff4ebd1d
SHA1: 7a9a7c04526c7f5a0df63fb77dcbf205d78fc57b
SHA256: 918060d3ccac659a982e02c2ff76f2f7e3aceb105a56659c213d3f70c8753520
SHA512: 2f340fa4a03a201d07f54696d7b529b9a1129921913df18ab846d0a8fc0068c51076d6a731ada64f0d709581009c2b7092a84d646b67f6c6f5e0cdeec39e6f91

Filesize: 360KB
MD5: 4821cf50d2007b3105d73c6d604fbdd1
SHA1: 2923ad9d8ffb65198b09f9f7c135da4ddd8e631d
SHA256: bf880d3e4755d9b356d4618b87a49a454b39f6070b227978a28bcb1f1c88aa2b
SHA512: 89231b95d314727d00e3eb8f3a4e496409b57e12f82f0a97f5527187d2d394a65dafa17d2a68bf5f370a8cdf878c5c7ccf1012cfbd33ae893737df4a083e41b2