Analysis
max time kernel: 142s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 19:12
Static task: static1
Behavioral task: behavioral1
Sample: 9811297e93aca7853cb10fa7b0a61996bf1defb1cd0206e953b65f88f65d2c9a.exe
Resource: win10v2004-20241007-en
General
Target: 9811297e93aca7853cb10fa7b0a61996bf1defb1cd0206e953b65f88f65d2c9a.exe
Size: 696KB
MD5: 8aab7464d9be650c812ff980e4d0246e
SHA1: 904f16dcea634136bfed1076b9deef1eb6623dd2
SHA256: 9811297e93aca7853cb10fa7b0a61996bf1defb1cd0206e953b65f88f65d2c9a
SHA512: 4d6c3ece9dd2e75b59cc09376db4c85950b1db3f9de1fb8cf4cccd37fd7cdf69b93fbb00f73b6d3eeb891799ee24f27c198bf9839a086e14e77c30d82d68e14d
SSDEEP: 12288:hy90uT3tlFMnIYdNbqtzzJg53touYe4cYIZ02vxvZIfaJ:hyC1Nbq1JHuYDP2J6fc
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper 17 IoCs
resource yara_rule
behavioral1/memory/2176-18-0x00000000070B0000-0x00000000070CA000-memory.dmp healer
behavioral1/memory/2176-20-0x0000000007140000-0x0000000007158000-memory.dmp healer
behavioral1/memory/2176-48-0x0000000007140000-0x0000000007152000-memory.dmp healer
behavioral1/memory/2176-46-0x0000000007140000-0x0000000007152000-memory.dmp healer
behavioral1/memory/2176-44-0x0000000007140000-0x0000000007152000-memory.dmp healer
behavioral1/memory/2176-42-0x0000000007140000-0x0000000007152000-memory.dmp healer
behavioral1/memory/2176-40-0x0000000007140000-0x0000000007152000-memory.dmp healer
behavioral1/memory/2176-38-0x0000000007140000-0x0000000007152000-memory.dmp healer
behavioral1/memory/2176-36-0x0000000007140000-0x0000000007152000-memory.dmp healer
behavioral1/memory/2176-34-0x0000000007140000-0x0000000007152000-memory.dmp healer
behavioral1/memory/2176-32-0x0000000007140000-0x0000000007152000-memory.dmp healer
behavioral1/memory/2176-30-0x0000000007140000-0x0000000007152000-memory.dmp healer
behavioral1/memory/2176-28-0x0000000007140000-0x0000000007152000-memory.dmp healer
behavioral1/memory/2176-26-0x0000000007140000-0x0000000007152000-memory.dmp healer
behavioral1/memory/2176-24-0x0000000007140000-0x0000000007152000-memory.dmp healer
behavioral1/memory/2176-22-0x0000000007140000-0x0000000007152000-memory.dmp healer
behavioral1/memory/2176-21-0x0000000007140000-0x0000000007152000-memory.dmp healer
Healer family

Modifies Windows Defender Real-time Protection settings 6 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pr417228.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pr417228.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pr417228.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pr417228.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pr417228.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pr417228.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 20 IoCs
resource yara_rule
behavioral1/memory/4964-60-0x00000000049C0000-0x00000000049FC000-memory.dmp family_redline
behavioral1/memory/4964-61-0x0000000004BA0000-0x0000000004BDA000-memory.dmp family_redline
behavioral1/memory/4964-85-0x0000000004BA0000-0x0000000004BD5000-memory.dmp family_redline
behavioral1/memory/4964-95-0x0000000004BA0000-0x0000000004BD5000-memory.dmp family_redline
behavioral1/memory/4964-93-0x0000000004BA0000-0x0000000004BD5000-memory.dmp family_redline
behavioral1/memory/4964-91-0x0000000004BA0000-0x0000000004BD5000-memory.dmp family_redline
behavioral1/memory/4964-89-0x0000000004BA0000-0x0000000004BD5000-memory.dmp family_redline
behavioral1/memory/4964-87-0x0000000004BA0000-0x0000000004BD5000-memory.dmp family_redline
behavioral1/memory/4964-83-0x0000000004BA0000-0x0000000004BD5000-memory.dmp family_redline
behavioral1/memory/4964-81-0x0000000004BA0000-0x0000000004BD5000-memory.dmp family_redline
behavioral1/memory/4964-79-0x0000000004BA0000-0x0000000004BD5000-memory.dmp family_redline
behavioral1/memory/4964-77-0x0000000004BA0000-0x0000000004BD5000-memory.dmp family_redline
behavioral1/memory/4964-75-0x0000000004BA0000-0x0000000004BD5000-memory.dmp family_redline
behavioral1/memory/4964-73-0x0000000004BA0000-0x0000000004BD5000-memory.dmp family_redline
behavioral1/memory/4964-71-0x0000000004BA0000-0x0000000004BD5000-memory.dmp family_redline
behavioral1/memory/4964-69-0x0000000004BA0000-0x0000000004BD5000-memory.dmp family_redline
behavioral1/memory/4964-67-0x0000000004BA0000-0x0000000004BD5000-memory.dmp family_redline
behavioral1/memory/4964-65-0x0000000004BA0000-0x0000000004BD5000-memory.dmp family_redline
behavioral1/memory/4964-63-0x0000000004BA0000-0x0000000004BD5000-memory.dmp family_redline
behavioral1/memory/4964-62-0x0000000004BA0000-0x0000000004BD5000-memory.dmp family_redline
Redline family
Executes dropped EXE 3 IoCs
pid Process
3008 un922162.exe
2176 pr417228.exe
4964 qu478614.exe
Windows security modification 2 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pr417228.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pr417228.exe
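The two registry tables above are the whole of the Healer component's work: five Real-Time Protection policy values forced to 1 and the Features\TamperProtection value forced to 0. With Tamper Protection on, Defender disregards those policy writes, which is why the dropper also goes after TamperProtection itself; that value is guarded by Defender, so the attempt normally fails, but the writes are still a high-fidelity detection signal. The script below is an added example, not part of this report or of the sandbox's own tooling: it parses registry rows in the "description ioc Process" layout used here, normalizes away the WOW6432Node hop so 32-bit and 64-bit writers match the same rule, and reports only the writes that land a protection in its disabled state. The Healer rows are copied from this report; the two rows marked "constructed" are made up to show what is not flagged.

```python
"""Flag Windows Defender tampering in sandbox registry rows.

Added example, not part of the report or of the sandbox's own code. Rows
marked 'from the report' are copied from it; rows marked 'constructed' are
made up here for contrast.
"""
import re
from typing import Optional

# Row layout in the report: "<op> <path>[ = "<value>"] <process>"
EVENT_RE = re.compile(
    r'^(?P<op>Key created|Set value \((?P<type>\w+)\)) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>[^"]*)")? '
    r'(?P<process>\S+)$'
)

HKLM_SOFTWARE = "\\registry\\machine\\software\\"
RTP = "policies\\microsoft\\windows defender\\real-time protection\\"

# Normalized key -> value that puts the protection in its OFF state.
# The Real-Time Protection policy values disable when set to 1;
# Features\TamperProtection disables when set to 0.
DISABLED_WHEN = {
    RTP + "disablerealtimemonitoring": "1",
    RTP + "disablebehaviormonitoring": "1",
    RTP + "disableioavprotection": "1",
    RTP + "disableonaccessprotection": "1",
    RTP + "disablescanonrealtimeenable": "1",
    "microsoft\\windows defender\\features\\tamperprotection": "0",
}


def normalize(path: str) -> str:
    """Lower-case the key, drop the HKLM\\SOFTWARE prefix and the WOW6432Node
    hop, so a 32-bit writer (as here) and a 64-bit writer hit the same rule."""
    p = path.lower()
    if p.startswith(HKLM_SOFTWARE):
        p = p[len(HKLM_SOFTWARE):]
    if p.startswith("wow6432node\\"):
        p = p[len("wow6432node\\"):]
    return p


def parse_event(line: str) -> Optional[dict]:
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines):
    """Return {'findings': [(process, value_name, value)], 'key_creates': [...],
    'unparsed': [...]}. A finding is a Set value whose new value is the
    disabled state of a known Defender protection."""
    findings, key_creates, unparsed = [], [], []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            unparsed.append(line)
            continue
        if ev["op"] == "Key created":
            key_creates.append((ev["process"], ev["path"]))
            continue
        expected = DISABLED_WHEN.get(normalize(ev["path"]))
        if expected is not None and expected == ev["value"]:
            value_name = ev["path"].rsplit("\\", 1)[-1]
            findings.append((ev["process"], value_name, ev["value"]))
    return {"findings": findings, "key_creates": key_creates, "unparsed": unparsed}


SAMPLE_EVENTS = [
    # from the report: Healer component pr417228.exe
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pr417228.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pr417228.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pr417228.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pr417228.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pr417228.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pr417228.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pr417228.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pr417228.exe',
    # constructed: the same value set back to its enabled state is not a finding
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" gpupdate.exe',
    # constructed: an unrelated registry write
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\Tools\updater.exe" explorer.exe',
]

if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for proc, name, value in result["findings"]:
        print(f"{proc}: {name} = {value} (Defender protection disabled)")
    print(f"{len(result['key_creates'])} key creations, {len(result['unparsed'])} unparsed rows")
```

Run against the report's rows this yields six findings, all from pr417228.exe, and two key creations; the constructed rows produce nothing. The same value table works as a host-side check against HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection on a live machine, where any of these values set to 1 outside a Group Policy change deserves a look.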
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un922162.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 9811297e93aca7853cb10fa7b0a61996bf1defb1cd0206e953b65f88f65d2c9a.exe
Note: both values are the stock clean-up entry written by the IExpress/wextract self-extractor (rundll32 advpack.dll,DelNodeRunDLL32 deletes the IXP00n.TMP extraction directory at the next logon). They show that the sample and un922162.exe are wextract-built SFX wrappers, one nested in the other; they do not re-launch any payload, so despite the signature name this is staging clean-up rather than persistence.
Program crash 1 IoCs
pid pid_target Process procid_target
3752 2176 WerFault.exe 84
(WerFault.exe, PID 3752, reporting the crash of pr417228.exe, PID 2176.)
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographic location.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9811297e93aca7853cb10fa7b0a61996bf1defb1cd0206e953b65f88f65d2c9a.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language un922162.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pr417228.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qu478614.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
2176 pr417228.exe
2176 pr417228.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeDebugPrivilege 2176 pr417228.exe
Token: SeDebugPrivilege 4964 qu478614.exe
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target
PID 2852 wrote to memory of 3008 2852 9811297e93aca7853cb10fa7b0a61996bf1defb1cd0206e953b65f88f65d2c9a.exe 83
PID 2852 wrote to memory of 3008 2852 9811297e93aca7853cb10fa7b0a61996bf1defb1cd0206e953b65f88f65d2c9a.exe 83
PID 2852 wrote to memory of 3008 2852 9811297e93aca7853cb10fa7b0a61996bf1defb1cd0206e953b65f88f65d2c9a.exe 83
PID 3008 wrote to memory of 2176 3008 un922162.exe 84
PID 3008 wrote to memory of 2176 3008 un922162.exe 84
PID 3008 wrote to memory of 2176 3008 un922162.exe 84
PID 3008 wrote to memory of 4964 3008 un922162.exe 100
PID 3008 wrote to memory of 4964 3008 un922162.exe 100
PID 3008 wrote to memory of 4964 3008 un922162.exe 100
Processes

C:\Users\Admin\AppData\Local\Temp\9811297e93aca7853cb10fa7b0a61996bf1defb1cd0206e953b65f88f65d2c9a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9811297e93aca7853cb10fa7b0a61996bf1defb1cd0206e953b65f88f65d2c9a.exe"
  PID: 2852
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un922162.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un922162.exe
    PID: 3008
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr417228.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr417228.exe
      PID: 2176
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 1080
        PID: 3752
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu478614.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu478614.exe
      PID: 4964
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2176 -ip 2176
  PID: 3508
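The WriteProcessMemory rows above double as parent/child links: every writer is the creator of its target (2852 into 3008, 3008 into 2176 and 4964), as the process tree confirms, and each link is logged three times. The script below is an added example, not part of this report or of the sandbox's own tooling. It rebuilds the chain from those rows plus the "Executes dropped EXE" rows, deduplicates the repeated writes, and attaches the YARA family to each process from the memory-dump rows, collapsing dumps of the same address range into one region so the reader can see how many distinct regions each family was found in and how large the biggest one is. All sample rows are copied from this report; only the selection of four dump rows per family is ours, so the hit counts it prints are for that subset, not the 17 and 20 listed above. The WerFault.exe instances are absent because they appear in no WriteProcessMemory row.

```python
"""Rebuild the process chain and per-process YARA hits from report rows.

Added example; not part of the report or of the sandbox's own tooling.
All rows below are copied from this report; the dump rows are a subset
(four per family) chosen here.
"""
import re
from collections import defaultdict

# "PID <parent> wrote to memory of <child> <parent> <parent image> <procid_target>"
WRITE_RE = re.compile(
    r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) (?P=parent) "
    r"(?P<image>\S+) (?P<procid_target>\d+)$"
)
# "behavioral1/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp <rule>"
DUMP_RE = re.compile(
    r"^behavioral1/memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp (?P<rule>\S+)$"
)

SAMPLE = "9811297e93aca7853cb10fa7b0a61996bf1defb1cd0206e953b65f88f65d2c9a.exe"
WRITE_EVENTS = (
    [f"PID 2852 wrote to memory of 3008 2852 {SAMPLE} 83"] * 3
    + ["PID 3008 wrote to memory of 2176 3008 un922162.exe 84"] * 3
    + ["PID 3008 wrote to memory of 4964 3008 un922162.exe 100"] * 3
)
DROPPED_EXES = ["3008 un922162.exe", "2176 pr417228.exe", "4964 qu478614.exe"]
DUMP_ROWS = [
    "behavioral1/memory/2176-18-0x00000000070B0000-0x00000000070CA000-memory.dmp healer",
    "behavioral1/memory/2176-20-0x0000000007140000-0x0000000007158000-memory.dmp healer",
    "behavioral1/memory/2176-48-0x0000000007140000-0x0000000007152000-memory.dmp healer",
    "behavioral1/memory/2176-46-0x0000000007140000-0x0000000007152000-memory.dmp healer",
    "behavioral1/memory/4964-60-0x00000000049C0000-0x00000000049FC000-memory.dmp family_redline",
    "behavioral1/memory/4964-61-0x0000000004BA0000-0x0000000004BDA000-memory.dmp family_redline",
    "behavioral1/memory/4964-85-0x0000000004BA0000-0x0000000004BD5000-memory.dmp family_redline",
    "behavioral1/memory/4964-95-0x0000000004BA0000-0x0000000004BD5000-memory.dmp family_redline",
]


def build_tree(write_rows, dropped_rows):
    """Links come from the WriteProcessMemory rows (writer -> target); image
    names from the writer column and from the dropped-EXE list."""
    parent_of, image = {}, {}
    for row in write_rows:
        m = WRITE_RE.match(row)
        if not m:
            continue
        parent, child = int(m["parent"]), int(m["child"])
        parent_of[child] = parent          # repeated rows collapse here
        image.setdefault(parent, m["image"])
    for row in dropped_rows:
        pid, name = row.split(None, 1)
        image[int(pid)] = name
    children = defaultdict(list)
    for child, parent in parent_of.items():
        children[parent].append(child)
    roots = sorted(set(parent_of.values()) - set(parent_of))
    return {"children": dict(children), "image": image, "roots": roots}


def summarize_hits(dump_rows):
    """{pid: {rule: {'hits': n, 'regions': {(start, end), ...}}}}; the same
    address range dumped several times counts once as a region."""
    hits = defaultdict(lambda: defaultdict(lambda: {"hits": 0, "regions": set()}))
    for row in dump_rows:
        m = DUMP_RE.match(row)
        if not m:
            continue
        entry = hits[int(m["pid"])][m["rule"]]
        entry["hits"] += 1
        entry["regions"].add((int(m["start"], 16), int(m["end"], 16)))
    return hits


def render(tree, hits):
    """One indented line per process, with a YARA family tag where present."""
    lines = []

    def walk(pid, depth):
        tag = ""
        for rule, info in sorted(hits.get(pid, {}).items()):
            largest = max(end - start for start, end in info["regions"])
            tag += (f" [{rule}: {info['hits']} hits over {len(info['regions'])}"
                    f" regions, largest 0x{largest:X} bytes]")
        lines.append(f"{'  ' * depth}{pid} {tree['image'].get(pid, '?')}{tag}")
        for child in sorted(tree["children"].get(pid, [])):
            walk(child, depth + 1)

    for root in tree["roots"]:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(build_tree(WRITE_EVENTS, DROPPED_EXES),
                          summarize_hits(DUMP_ROWS))))
```

The output is a four-line tree rooted at PID 2852 with pr417228.exe tagged healer (three distinct regions, the largest 0x1A000 bytes) and qu478614.exe tagged family_redline (three regions, the largest 0x3C000 bytes). Distinct regions matter more than raw hit counts when comparing reports: the 15 repeated healer hits on 0x7140000-0x7152000 are one in-memory payload dumped at successive points, not fifteen payloads.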
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution 1
    Registry Run Keys / Startup Folder (T1547.001) 1
  Create or Modify System Process 1
    Windows Service (T1543.003) 1
Downloads

Filesize: 542KB
MD5: 9ffea24e92cae19c0dfa8832cda9f004
SHA1: 3886f1781c5dbe0992a315b1ca88e3e23803eab3
SHA256: 380cf8b26f58c46d8974993de62e4124ff02a0cc597c7e08863c2ea45fca2c18
SHA512: 44b8b59d212ffc7042fb2cee6d0685b23f72efbd433e1c039961de6e390408e5b91944e41fbf61787d06f720065db7ba6f55f866b03c45a8e873d9dc5b90122c

Filesize: 269KB
MD5: ffe494146bd17b5fa36d66df2b0ab6b0
SHA1: 701e0af6a3ec1084a05b81f84276f0e05aa186b5
SHA256: 3b11a420c57b2215244375278c055134f30d8ea75b36830dca45e08c85346cc6
SHA512: d3bc5003dfa81fb5de801e8353318e62b9ca166ff9f6b116ac44a0c94e835c627cb7b0f51b8d186c4835df688dd808cf36b50f4fe5fac789a65b374d8918b1a4

Filesize: 351KB
MD5: f882558706c14219461178c909be778f
SHA1: 5404565900bdd8c0a795ffb393fd651d35ee7f5c
SHA256: 47436ca2dcf119fb71235c29108a17dc083ee9e682a53f38d6b1d48ce32c1210
SHA512: ea5e7eacb24507971fca8a640ee8aa521e0ddbade969e851da54130129d2462349f2d6dcbbaab98758b38ed0b5ce06f5a825ccf267e44df3c3186ad1b218c5a7