Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 06:13
Static task: static1
Behavioral task: behavioral1
Sample: 8ac9cafebb47d3586b65ac83680fa222c348a7dde8dfcb239fc74c673d60adf0.exe
Resource: win10v2004-20241007-en
General
Target: 8ac9cafebb47d3586b65ac83680fa222c348a7dde8dfcb239fc74c673d60adf0.exe
Size: 704KB
MD5: 5e8e2720dd5ee31dc37d4ce989db6a6d
SHA1: 9fe9adf39cf2b8430b66bb4a39931f84dcaeada6
SHA256: 8ac9cafebb47d3586b65ac83680fa222c348a7dde8dfcb239fc74c673d60adf0
SHA512: eccac50d6ccb7a1c6c1a5f73a3d955dc4f325379cb21deac922267614f32ec2292d016663bbb3b22bce6d3378aa8713537ca0e83933e75662b1bb88e89e215dc
SSDEEP: 12288:Py90UYLCTCp4UWokEdJ0nrue2t1vB9RCTkZMI4HKhWS2PwcA+umB+HnMWCbiPK61:PyHsCwWokEdJq+j9aqjdhWS+y+uqMnpN
Malware Config
Signatures
Detects Healer an antivirus disabler dropper 17 IoCs
resource / yara_rule
behavioral1/memory/2608-18-0x0000000004BF0000-0x0000000004C0A000-memory.dmp healer
behavioral1/memory/2608-20-0x0000000007700000-0x0000000007718000-memory.dmp healer
behavioral1/memory/2608-34-0x0000000007700000-0x0000000007712000-memory.dmp healer
behavioral1/memory/2608-46-0x0000000007700000-0x0000000007712000-memory.dmp healer
behavioral1/memory/2608-44-0x0000000007700000-0x0000000007712000-memory.dmp healer
behavioral1/memory/2608-42-0x0000000007700000-0x0000000007712000-memory.dmp healer
behavioral1/memory/2608-48-0x0000000007700000-0x0000000007712000-memory.dmp healer
behavioral1/memory/2608-40-0x0000000007700000-0x0000000007712000-memory.dmp healer
behavioral1/memory/2608-39-0x0000000007700000-0x0000000007712000-memory.dmp healer
behavioral1/memory/2608-36-0x0000000007700000-0x0000000007712000-memory.dmp healer
behavioral1/memory/2608-32-0x0000000007700000-0x0000000007712000-memory.dmp healer
behavioral1/memory/2608-30-0x0000000007700000-0x0000000007712000-memory.dmp healer
behavioral1/memory/2608-28-0x0000000007700000-0x0000000007712000-memory.dmp healer
behavioral1/memory/2608-26-0x0000000007700000-0x0000000007712000-memory.dmp healer
behavioral1/memory/2608-24-0x0000000007700000-0x0000000007712000-memory.dmp healer
behavioral1/memory/2608-22-0x0000000007700000-0x0000000007712000-memory.dmp healer
behavioral1/memory/2608-21-0x0000000007700000-0x0000000007712000-memory.dmp healer
Healer family
Modifies Windows Defender Real-time Protection settings 6 IoCs
description / ioc / Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pr339134.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pr339134.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pr339134.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pr339134.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pr339134.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pr339134.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 20 IoCs
resource / yara_rule
behavioral1/memory/2016-60-0x0000000007150000-0x000000000718C000-memory.dmp family_redline
behavioral1/memory/2016-61-0x00000000071D0000-0x000000000720A000-memory.dmp family_redline
behavioral1/memory/2016-65-0x00000000071D0000-0x0000000007205000-memory.dmp family_redline
behavioral1/memory/2016-71-0x00000000071D0000-0x0000000007205000-memory.dmp family_redline
behavioral1/memory/2016-95-0x00000000071D0000-0x0000000007205000-memory.dmp family_redline
behavioral1/memory/2016-93-0x00000000071D0000-0x0000000007205000-memory.dmp family_redline
behavioral1/memory/2016-91-0x00000000071D0000-0x0000000007205000-memory.dmp family_redline
behavioral1/memory/2016-89-0x00000000071D0000-0x0000000007205000-memory.dmp family_redline
behavioral1/memory/2016-88-0x00000000071D0000-0x0000000007205000-memory.dmp family_redline
behavioral1/memory/2016-85-0x00000000071D0000-0x0000000007205000-memory.dmp family_redline
behavioral1/memory/2016-83-0x00000000071D0000-0x0000000007205000-memory.dmp family_redline
behavioral1/memory/2016-81-0x00000000071D0000-0x0000000007205000-memory.dmp family_redline
behavioral1/memory/2016-79-0x00000000071D0000-0x0000000007205000-memory.dmp family_redline
behavioral1/memory/2016-77-0x00000000071D0000-0x0000000007205000-memory.dmp family_redline
behavioral1/memory/2016-75-0x00000000071D0000-0x0000000007205000-memory.dmp family_redline
behavioral1/memory/2016-73-0x00000000071D0000-0x0000000007205000-memory.dmp family_redline
behavioral1/memory/2016-69-0x00000000071D0000-0x0000000007205000-memory.dmp family_redline
behavioral1/memory/2016-67-0x00000000071D0000-0x0000000007205000-memory.dmp family_redline
behavioral1/memory/2016-63-0x00000000071D0000-0x0000000007205000-memory.dmp family_redline
behavioral1/memory/2016-62-0x00000000071D0000-0x0000000007205000-memory.dmp family_redline
Redline family
Executes dropped EXE 3 IoCs
pid / Process
2908 un255891.exe
2608 pr339134.exe
2016 qu024729.exe
Windows security modification 2 IoCs
description / ioc / Process
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pr339134.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pr339134.exe
Adds Run key to start application 2 TTPs 2 IoCs
description / ioc / Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 8ac9cafebb47d3586b65ac83680fa222c348a7dde8dfcb239fc74c673d60adf0.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un255891.exe
Program crash 1 IoCs
pid / pid_target / Process / procid_target
3576 2608 WerFault.exe 84
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pr339134.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qu024729.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8ac9cafebb47d3586b65ac83680fa222c348a7dde8dfcb239fc74c673d60adf0.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language un255891.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid / Process
2608 pr339134.exe
2608 pr339134.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description / pid / Process
Token: SeDebugPrivilege 2608 pr339134.exe
Token: SeDebugPrivilege 2016 qu024729.exe
Suspicious use of WriteProcessMemory 9 IoCs
description / pid / Process / procid_target
PID 4912 wrote to memory of 2908 4912 8ac9cafebb47d3586b65ac83680fa222c348a7dde8dfcb239fc74c673d60adf0.exe 83
PID 4912 wrote to memory of 2908 4912 8ac9cafebb47d3586b65ac83680fa222c348a7dde8dfcb239fc74c673d60adf0.exe 83
PID 4912 wrote to memory of 2908 4912 8ac9cafebb47d3586b65ac83680fa222c348a7dde8dfcb239fc74c673d60adf0.exe 83
PID 2908 wrote to memory of 2608 2908 un255891.exe 84
PID 2908 wrote to memory of 2608 2908 un255891.exe 84
PID 2908 wrote to memory of 2608 2908 un255891.exe 84
PID 2908 wrote to memory of 2016 2908 un255891.exe 98
PID 2908 wrote to memory of 2016 2908 un255891.exe 98
PID 2908 wrote to memory of 2016 2908 un255891.exe 98
Processes
C:\Users\Admin\AppData\Local\Temp\8ac9cafebb47d3586b65ac83680fa222c348a7dde8dfcb239fc74c673d60adf0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8ac9cafebb47d3586b65ac83680fa222c348a7dde8dfcb239fc74c673d60adf0.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4912
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un255891.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un255891.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:2908
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr339134.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr339134.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:2608
            C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 1080
              - Program crash
              PID:3576
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu024729.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu024729.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID:2016
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2608 -ip 2608
  PID:5020
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution 1
  - Registry Run Keys / Startup Folder 1
- Create or Modify System Process 1
  - Windows Service 1
Downloads
Filesize: 549KB
MD5: 599ca3c1dc4a455942acf4e3cee1e314
SHA1: 03d693b8ea44d40426e6b0a034e48abf9c021048
SHA256: f9cac0abfc6a68192ac820347805d8077792a760e5f9b8171a318ba3f0dbf53a
SHA512: 306de73db60dfab23340d905d9e2e1727b400b630c43b45fa62d332cf48116e282bc808c4b01ed1c005e2b5d703be079ad1624809a5af8ea60813600e4df7469

Filesize: 277KB
MD5: a448b48a2025ea27e1a58a39079969c3
SHA1: 901a17c34b1b1c94930f102bac04184aa874f2be
SHA256: 825c87568fb355d1d5c0514edb47b98b030d3fdf471f70df3218ba41bf9e6eca
SHA512: e1578286b000a939e0ce621bf536d25cbcf4283aae0c7b0dab1b51921490294a4ed266aab69ea48000ed39bd6edfc806e94c251dd9e0f947f09ce3cd16f070f3

Filesize: 361KB
MD5: 4cc9b6788cb850c63da60a33d9ce5929
SHA1: d45654569113e8c712f3053371c2591718a96076
SHA256: c13921be9da15ed810405abcffddd018724d2e2ba8740e19fef8aba9941a3f60
SHA512: 3f20ba742ec83b29cd8cfaa6d53910b2c32a6487392c7715d87ca24590c256339a18994d2fa9666581afa4240acc46ae4dd95f2b93764e6ff1a90cfe46d42b90