Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 05:05
Static task: static1
Behavioral task: behavioral1
Sample: 950c0d45f7a00c95176fd778078367b92717e293a9f4a1bb92cd42bdec041d2d.exe
Resource: win10v2004-20241007-en
General
Target: 950c0d45f7a00c95176fd778078367b92717e293a9f4a1bb92cd42bdec041d2d.exe
Size: 706KB
MD5: 52ddac9d12b3bd939f9c767e89ec3662
SHA1: 94b43e830bf0ff4048e80ee683f2d43c4532aff1
SHA256: 950c0d45f7a00c95176fd778078367b92717e293a9f4a1bb92cd42bdec041d2d
SHA512: 78e4f48f6d3882da7d788ec66afc51cdbbeda0c1d066d59ec933bfcd144e89dd8114e3bdaf5610a10fb610b847b604cde4a85f6b3c70c4d54bb6f5448fd517e0
SSDEEP: 12288:Dy90j+4hGlCyXcFskPmsdZcIFrjonG3MpBX9WFTn1Nqu8VJG3xM83e:Dy9fl3cBnFrr340RgKBMAe
Malware Config
Signatures
Detects Healer an antivirus disabler dropper (17 IoCs)
resource  yara_rule
behavioral1/memory/2872-18-0x00000000070E0000-0x00000000070FA000-memory.dmp  healer
behavioral1/memory/2872-20-0x0000000007140000-0x0000000007158000-memory.dmp  healer
behavioral1/memory/2872-22-0x0000000007140000-0x0000000007152000-memory.dmp  healer
behavioral1/memory/2872-30-0x0000000007140000-0x0000000007152000-memory.dmp  healer
behavioral1/memory/2872-46-0x0000000007140000-0x0000000007152000-memory.dmp  healer
behavioral1/memory/2872-45-0x0000000007140000-0x0000000007152000-memory.dmp  healer
behavioral1/memory/2872-42-0x0000000007140000-0x0000000007152000-memory.dmp  healer
behavioral1/memory/2872-40-0x0000000007140000-0x0000000007152000-memory.dmp  healer
behavioral1/memory/2872-48-0x0000000007140000-0x0000000007152000-memory.dmp  healer
behavioral1/memory/2872-38-0x0000000007140000-0x0000000007152000-memory.dmp  healer
behavioral1/memory/2872-37-0x0000000007140000-0x0000000007152000-memory.dmp  healer
behavioral1/memory/2872-34-0x0000000007140000-0x0000000007152000-memory.dmp  healer
behavioral1/memory/2872-33-0x0000000007140000-0x0000000007152000-memory.dmp  healer
behavioral1/memory/2872-28-0x0000000007140000-0x0000000007152000-memory.dmp  healer
behavioral1/memory/2872-26-0x0000000007140000-0x0000000007152000-memory.dmp  healer
behavioral1/memory/2872-24-0x0000000007140000-0x0000000007152000-memory.dmp  healer
behavioral1/memory/2872-21-0x0000000007140000-0x0000000007152000-memory.dmp  healer

Healer family

Modifies Windows Defender Real-time Protection settings
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  pr152646.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  pr152646.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  pr152646.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  pr152646.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  pr152646.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  pr152646.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
resource  yara_rule
behavioral1/memory/888-60-0x0000000004AA0000-0x0000000004ADC000-memory.dmp  family_redline
behavioral1/memory/888-61-0x0000000007790000-0x00000000077CA000-memory.dmp  family_redline
behavioral1/memory/888-69-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
behavioral1/memory/888-73-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
behavioral1/memory/888-71-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
behavioral1/memory/888-95-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
behavioral1/memory/888-87-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
behavioral1/memory/888-67-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
behavioral1/memory/888-65-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
behavioral1/memory/888-63-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
behavioral1/memory/888-62-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
behavioral1/memory/888-77-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
behavioral1/memory/888-93-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
behavioral1/memory/888-91-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
behavioral1/memory/888-90-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
behavioral1/memory/888-85-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
behavioral1/memory/888-83-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
behavioral1/memory/888-82-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
behavioral1/memory/888-79-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
behavioral1/memory/888-75-0x0000000007790000-0x00000000077C5000-memory.dmp  family_redline
Redline family
Executes dropped EXE (3 IoCs)
pid  Process
3748  un486866.exe
2872  pr152646.exe
888  qu154948.exe

Windows security modification
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  pr152646.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  pr152646.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  950c0d45f7a00c95176fd778078367b92717e293a9f4a1bb92cd42bdec041d2d.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  un486866.exe
Program crash (1 IoCs)
pid  pid_target  Process  procid_target
2772  2872  WerFault.exe  84
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  950c0d45f7a00c95176fd778078367b92717e293a9f4a1bb92cd42bdec041d2d.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  un486866.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pr152646.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  qu154948.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid  Process
2872  pr152646.exe
2872  pr152646.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description  pid  Process
Token: SeDebugPrivilege  2872  pr152646.exe
Token: SeDebugPrivilege  888  qu154948.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description  pid  Process  procid_target
PID 1516 wrote to memory of 3748  1516  950c0d45f7a00c95176fd778078367b92717e293a9f4a1bb92cd42bdec041d2d.exe  83
PID 1516 wrote to memory of 3748  1516  950c0d45f7a00c95176fd778078367b92717e293a9f4a1bb92cd42bdec041d2d.exe  83
PID 1516 wrote to memory of 3748  1516  950c0d45f7a00c95176fd778078367b92717e293a9f4a1bb92cd42bdec041d2d.exe  83
PID 3748 wrote to memory of 2872  3748  un486866.exe  84
PID 3748 wrote to memory of 2872  3748  un486866.exe  84
PID 3748 wrote to memory of 2872  3748  un486866.exe  84
PID 3748 wrote to memory of 888  3748  un486866.exe  96
PID 3748 wrote to memory of 888  3748  un486866.exe  96
PID 3748 wrote to memory of 888  3748  un486866.exe  96
Processes
[1] C:\Users\Admin\AppData\Local\Temp\950c0d45f7a00c95176fd778078367b92717e293a9f4a1bb92cd42bdec041d2d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\950c0d45f7a00c95176fd778078367b92717e293a9f4a1bb92cd42bdec041d2d.exe"
    PID: 1516
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un486866.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un486866.exe
      PID: 3748
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr152646.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr152646.exe
        PID: 2872
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 1028
          PID: 2772
          - Program crash
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu154948.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu154948.exe
        PID: 888
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2872 -ip 2872
    PID: 4248
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Downloads
Filesize: 552KB
MD5: b5851b73052e2fe6661be8768a48bffe
SHA1: 052ea9c567d4079eeeff593a00b54bfdddef5548
SHA256: 5524f53fb21ba438240c3a90a334a3e5096bcd0f63e710f2bbcba0f6fb9eb273
SHA512: 975587932b9c1c30c016915d7a213cfb82ad8722ee2a5b08f828d66e3148b4e3f9f25724a2275749593cdf96ddb6204eb1b25450aa30b7af608b775e85c9d35b

Filesize: 283KB
MD5: 12b60b71d90632d279728ef73883e6ca
SHA1: 5cd3aa95960f488f3bf8271ca5dce92e177f96cf
SHA256: fda6393004033911f2b3385a643e596a0e03c5fb1755f1e7d078ba28fdd0dc29
SHA512: 5114e3acf72f0051a7c16942b0631b36f3e057e6c172bcf486be7738367a11e2d16925b7595a8cac113b49879be3ac2589d7b53a7f2fbadd6585901db57e3487

Filesize: 353KB
MD5: 560bddeaf3580d209af2fac248bd3098
SHA1: ac455bff2eeb240ebff85882af1662a7f3f560f8
SHA256: 77516cbb2deca8dcc8f48fe710185eae6b11971e44a1809e421c5984248a1075
SHA512: e332eb81294759cb348fde3f3ad9c896e00d25528e96debf9e8eb0bdab8e452281db329fed7e5aeedd8b9235ac6c3c69817e5c1fa8c05c7c3a654249710dde43