Analysis
max time kernel: 144s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 05:14
Static task: static1
Behavioral task: behavioral1
Sample: 625c2754cbec2f5bb1074e75f1eb84e0a966e310d1373c3d7359726882020c83.exe
Resource: win10v2004-20241007-en
General
Target: 625c2754cbec2f5bb1074e75f1eb84e0a966e310d1373c3d7359726882020c83.exe
Size: 706KB
MD5: 42dfa9227e009e25a27594129a336b86
SHA1: 8885a5e4106113d3e776b2d133f22f8c845edb5a
SHA256: 625c2754cbec2f5bb1074e75f1eb84e0a966e310d1373c3d7359726882020c83
SHA512: 5685c32529da1246b336be8038973319a91505aeaba2946b18daa7a40fb9ce6d04b70bfee8935495886cc347debfc7ff0f2b0fb7c36a446cd29e9585a43a42e9
SSDEEP: 12288:wy90dkGcHGUfOzDQQhcsCt8RkmUrET7RdrjJY8c0LSZJcxeJD39xZQqL:wypHzWzXitEiIjrjTcM+B39Pj
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr349604.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr349604.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr349604.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr349604.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr349604.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr349604.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Redline family
Executes dropped EXE (3 IoCs)
pid | Process
1008 | un375557.exe
1876 | pr349604.exe
2836 | qu314372.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr349604.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr349604.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 625c2754cbec2f5bb1074e75f1eb84e0a966e310d1373c3d7359726882020c83.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un375557.exe
Launches sc.exe (1 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid | Process
6100 | sc.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
3056 | 1876 | WerFault.exe | 86
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un375557.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pr349604.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu314372.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 625c2754cbec2f5bb1074e75f1eb84e0a966e310d1373c3d7359726882020c83.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1876 | pr349604.exe
1876 | pr349604.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1876 | pr349604.exe
Token: SeDebugPrivilege | 2836 | qu314372.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 2664 wrote to memory of 1008 | 2664 | 625c2754cbec2f5bb1074e75f1eb84e0a966e310d1373c3d7359726882020c83.exe | 84
PID 2664 wrote to memory of 1008 | 2664 | 625c2754cbec2f5bb1074e75f1eb84e0a966e310d1373c3d7359726882020c83.exe | 84
PID 2664 wrote to memory of 1008 | 2664 | 625c2754cbec2f5bb1074e75f1eb84e0a966e310d1373c3d7359726882020c83.exe | 84
PID 1008 wrote to memory of 1876 | 1008 | un375557.exe | 86
PID 1008 wrote to memory of 1876 | 1008 | un375557.exe | 86
PID 1008 wrote to memory of 1876 | 1008 | un375557.exe | 86
PID 1008 wrote to memory of 2836 | 1008 | un375557.exe | 96
PID 1008 wrote to memory of 2836 | 1008 | un375557.exe | 96
PID 1008 wrote to memory of 2836 | 1008 | un375557.exe | 96
Processes

[1] C:\Users\Admin\AppData\Local\Temp\625c2754cbec2f5bb1074e75f1eb84e0a966e310d1373c3d7359726882020c83.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\625c2754cbec2f5bb1074e75f1eb84e0a966e310d1373c3d7359726882020c83.exe"
    PID: 2664
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un375557.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un375557.exe
        PID: 1008
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr349604.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr349604.exe
            PID: 1876
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 1076
                PID: 3056
                - Program crash

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu314372.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu314372.exe
            PID: 2836
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1876 -ip 1876
    PID: 432

[1] C:\Windows\system32\sc.exe
    Command line: C:\Windows\system32\sc.exe start wuauserv
    PID: 6100
    - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads