Analysis
max time kernel: 142s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 05:03
Static task: static1
Behavioral task: behavioral1
Sample: 828e1ac899b3e47895182811dfea5c20a4ffbf50707f7b95f74fff9e5095d7ea.exe
Resource: win10v2004-20241007-en
General
Target: 828e1ac899b3e47895182811dfea5c20a4ffbf50707f7b95f74fff9e5095d7ea.exe
Size: 694KB
MD5: 2deaff136047a2b1b6d2f127b3da465a
SHA1: aec22e9b4675c6ecae84edbe6f85f56ebba2b14a
SHA256: 828e1ac899b3e47895182811dfea5c20a4ffbf50707f7b95f74fff9e5095d7ea
SHA512: f1f83473b7fae8102ce9987e572402beb35a0ff8397a0450c3c3689d56ee09192137a0ebe73e4851742b55ec10deebdc1dacb447836d55bdf7b65d0b8a43b732
SSDEEP: 12288:ey90Rt7t0yG2ti4ZI9WOwcHNUrBIhMKrzb6IrwZGVN77z/KWTnNc8:eyk7E2Q4OiCNcBezPcON77zZjy8
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
resource | yara_rule
behavioral1/memory/4724-18-0x0000000004AE0000-0x0000000004AFA000-memory.dmp | healer
behavioral1/memory/4724-20-0x0000000004C80000-0x0000000004C98000-memory.dmp | healer
behavioral1/memory/4724-40-0x0000000004C80000-0x0000000004C93000-memory.dmp | healer
behavioral1/memory/4724-48-0x0000000004C80000-0x0000000004C93000-memory.dmp | healer
behavioral1/memory/4724-46-0x0000000004C80000-0x0000000004C93000-memory.dmp | healer
behavioral1/memory/4724-44-0x0000000004C80000-0x0000000004C93000-memory.dmp | healer
behavioral1/memory/4724-42-0x0000000004C80000-0x0000000004C93000-memory.dmp | healer
behavioral1/memory/4724-38-0x0000000004C80000-0x0000000004C93000-memory.dmp | healer
behavioral1/memory/4724-36-0x0000000004C80000-0x0000000004C93000-memory.dmp | healer
behavioral1/memory/4724-34-0x0000000004C80000-0x0000000004C93000-memory.dmp | healer
behavioral1/memory/4724-32-0x0000000004C80000-0x0000000004C93000-memory.dmp | healer
behavioral1/memory/4724-30-0x0000000004C80000-0x0000000004C93000-memory.dmp | healer
behavioral1/memory/4724-28-0x0000000004C80000-0x0000000004C93000-memory.dmp | healer
behavioral1/memory/4724-26-0x0000000004C80000-0x0000000004C93000-memory.dmp | healer
behavioral1/memory/4724-24-0x0000000004C80000-0x0000000004C93000-memory.dmp | healer
behavioral1/memory/4724-22-0x0000000004C80000-0x0000000004C93000-memory.dmp | healer
behavioral1/memory/4724-21-0x0000000004C80000-0x0000000004C93000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 53224800.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 53224800.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 53224800.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 53224800.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 53224800.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 53224800.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
resource | yara_rule
behavioral1/memory/4000-59-0x0000000007120000-0x000000000715C000-memory.dmp | family_redline
behavioral1/memory/4000-60-0x00000000071A0000-0x00000000071DA000-memory.dmp | family_redline
behavioral1/memory/4000-66-0x00000000071A0000-0x00000000071D5000-memory.dmp | family_redline
behavioral1/memory/4000-74-0x00000000071A0000-0x00000000071D5000-memory.dmp | family_redline
behavioral1/memory/4000-72-0x00000000071A0000-0x00000000071D5000-memory.dmp | family_redline
behavioral1/memory/4000-70-0x00000000071A0000-0x00000000071D5000-memory.dmp | family_redline
behavioral1/memory/4000-68-0x00000000071A0000-0x00000000071D5000-memory.dmp | family_redline
behavioral1/memory/4000-82-0x00000000071A0000-0x00000000071D5000-memory.dmp | family_redline
behavioral1/memory/4000-64-0x00000000071A0000-0x00000000071D5000-memory.dmp | family_redline
behavioral1/memory/4000-62-0x00000000071A0000-0x00000000071D5000-memory.dmp | family_redline
behavioral1/memory/4000-61-0x00000000071A0000-0x00000000071D5000-memory.dmp | family_redline
behavioral1/memory/4000-76-0x00000000071A0000-0x00000000071D5000-memory.dmp | family_redline
behavioral1/memory/4000-94-0x00000000071A0000-0x00000000071D5000-memory.dmp | family_redline
behavioral1/memory/4000-92-0x00000000071A0000-0x00000000071D5000-memory.dmp | family_redline
behavioral1/memory/4000-90-0x00000000071A0000-0x00000000071D5000-memory.dmp | family_redline
behavioral1/memory/4000-88-0x00000000071A0000-0x00000000071D5000-memory.dmp | family_redline
behavioral1/memory/4000-86-0x00000000071A0000-0x00000000071D5000-memory.dmp | family_redline
behavioral1/memory/4000-84-0x00000000071A0000-0x00000000071D5000-memory.dmp | family_redline
behavioral1/memory/4000-80-0x00000000071A0000-0x00000000071D5000-memory.dmp | family_redline
behavioral1/memory/4000-78-0x00000000071A0000-0x00000000071D5000-memory.dmp | family_redline
Redline family
Executes dropped EXE (3 IoCs)
pid | Process
1820 | un094663.exe
4724 | 53224800.exe
4000 | rk931600.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 53224800.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 53224800.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 828e1ac899b3e47895182811dfea5c20a4ffbf50707f7b95f74fff9e5095d7ea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un094663.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
4828 | 4724 | WerFault.exe | 84
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 828e1ac899b3e47895182811dfea5c20a4ffbf50707f7b95f74fff9e5095d7ea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un094663.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 53224800.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rk931600.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4724 | 53224800.exe
4724 | 53224800.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4724 | 53224800.exe
Token: SeDebugPrivilege | 4000 | rk931600.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 4508 wrote to memory of 1820 | 4508 | 828e1ac899b3e47895182811dfea5c20a4ffbf50707f7b95f74fff9e5095d7ea.exe | 83
PID 4508 wrote to memory of 1820 | 4508 | 828e1ac899b3e47895182811dfea5c20a4ffbf50707f7b95f74fff9e5095d7ea.exe | 83
PID 4508 wrote to memory of 1820 | 4508 | 828e1ac899b3e47895182811dfea5c20a4ffbf50707f7b95f74fff9e5095d7ea.exe | 83
PID 1820 wrote to memory of 4724 | 1820 | un094663.exe | 84
PID 1820 wrote to memory of 4724 | 1820 | un094663.exe | 84
PID 1820 wrote to memory of 4724 | 1820 | un094663.exe | 84
PID 1820 wrote to memory of 4000 | 1820 | un094663.exe | 95
PID 1820 wrote to memory of 4000 | 1820 | un094663.exe | 95
PID 1820 wrote to memory of 4000 | 1820 | un094663.exe | 95
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\828e1ac899b3e47895182811dfea5c20a4ffbf50707f7b95f74fff9e5095d7ea.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\828e1ac899b3e47895182811dfea5c20a4ffbf50707f7b95f74fff9e5095d7ea.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4508
  [depth 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un094663.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un094663.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1820
    [depth 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4724
      [depth 4] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 1100
        - Program crash
        PID: 4828
    [depth 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk931600.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk931600.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 4000
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4724 -ip 4724
  PID: 4916
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 540KB
MD5: da6e5ef1a6e9eff9f48f61184d120ea0
SHA1: a9dc4fdd90eb607ae03aeb8b358879b989224796
SHA256: 4bd60f370fa64bdab139ca68536c90a6370b1826a6d7117efbea3d06c3ea0e99
SHA512: b30b8dce488d430f630d5d7020b5e870a8bd1a047081d9a99785ecf966562723b9331fd80544d92d42744fc356da8462a38c95ab2d7e621cb4c1f8cfee915024

Filesize: 258KB
MD5: fdda21ab82a198d66ed008afb7fec34d
SHA1: 55380a21f145124b26e92c519ca1bf1c4e639f7d
SHA256: 52ffddea2f5bd6f476a58660098e24dfb6e2568f9969122a20cb1bd677c6cade
SHA512: 897f02fe0723a22ff1be206e0228498cdaece7d4bf9baa6813146db0bbdf1426db86094f619cd6af501f694f4889230fb881a1ca1d9be2e8f607f01e90fbda5a

Filesize: 341KB
MD5: 797d059ba279a43c0689e69416d41082
SHA1: 12b4af97ae8d97e2506ae6158bf16104a5b9fddc
SHA256: ed62b98920962c503ae98e2637d3b5623a9d4960134d913bc157720d9608b98d
SHA512: 52a73e72df5a7fce956c0cfe452d49ce0bc93288f883e047b598566e123f6f6f98e66335bc12e33f497a7684bc055405f80c3820515f2c78c14d1a67719d1fbe