Analysis

max time kernel: 138s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 19:12

Static task: static1
Behavioral task: behavioral1
Sample: 8cb5d4f3356843f3a3a765ada2ca0e150735cd4ea42ec50356a213d18b6cf4be.exe
Resource: win10v2004-20241007-en
General

Target: 8cb5d4f3356843f3a3a765ada2ca0e150735cd4ea42ec50356a213d18b6cf4be.exe
Size: 480KB
MD5: 597872614d29adb76879a8df50d1ac58
SHA1: 9be76ab1584199e8cd42826021774271200ae785
SHA256: 8cb5d4f3356843f3a3a765ada2ca0e150735cd4ea42ec50356a213d18b6cf4be
SHA512: 2471882c2ddfafbb1730a63c4b8e3930d85249607c5cb88c45c4a3f60763b4e540dca9a32afc73d0995f280fbbec61c7b2af48189850efb4cca6a10fbcf6508c
SSDEEP: 12288:JMrpy905JxTiDJF31tTecaQ5yzG6GAY9baoKuKpv7N:MyNDzltacaQ5yByaorKvZ
Malware Config
Signatures
-
Detects Healer, an antivirus disabler dropper (17 IoCs)

All 17 hits are in memory dumps of PID 4068 (a4955834.exe); 15 of them are successive dumps of the same 0x4AC0000-0x4AD2000 region.

resource  yara_rule
behavioral1/memory/4068-15-0x0000000002150000-0x000000000216A000-memory.dmp  healer
behavioral1/memory/4068-18-0x0000000004AC0000-0x0000000004AD8000-memory.dmp  healer
behavioral1/memory/4068-24-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/4068-22-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/4068-46-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/4068-44-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/4068-42-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/4068-38-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/4068-36-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/4068-34-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/4068-32-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/4068-30-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/4068-28-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/4068-26-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/4068-20-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/4068-19-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/4068-40-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)

a4955834.exe creates the Real-Time Protection policy key and sets the five Disable* values that switch off real-time monitoring, behaviour monitoring, on-access scanning, IOAV (download/attachment) scanning and the scan-on-enable. The paths are recorded under WOW6432Node, i.e. the writes went through WOW64 registry redirection; when hunting on a live host, query both the native and the WOW6432Node view of HKLM\SOFTWARE.

description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  a4955834.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  a4955834.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  a4955834.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  a4955834.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  a4955834.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  a4955834.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (2 IoCs)

resource  yara_rule
behavioral1/files/0x000a000000023b8a-54.dat  family_redline
behavioral1/memory/2300-56-0x0000000000070000-0x0000000000098000-memory.dmp  family_redline
RedLine family

Executes dropped EXE (3 IoCs)

pid  Process
1196  v1028186.exe
4068  a4955834.exe
2300  b2360357.exe

Windows security modification (2 IoCs)

a4955834.exe also writes TamperProtection = 0 under the Windows Defender Features key, the value that governs Defender's tamper protection, alongside the Real-Time Protection policy changes above.

description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  a4955834.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  a4955834.exe
Adds Run key to start application (2 TTPs, 2 IoCs)

Both values are the cleanup entries written by the Wextract (IExpress) self-extractor that packages each layer: at next logon, rundll32 advpack.dll,DelNodeRunDLL32 deletes the IXP000.TMP / IXP001.TMP extraction directories. They do not launch a payload, so the nested self-extractor layers are the indicator here rather than persistence.

description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  8cb5d4f3356843f3a3a765ada2ca0e150735cd4ea42ec50356a213d18b6cf4be.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  v1028186.exe
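The Defender policy writes, the TamperProtection change and the RunOnce entries above are the registry IoCs a responder wants to triage automatically across many such reports. The following Python is an added example, not part of the sandbox report or of any tool it uses: it parses IoC rows in the flattened `<description> <key> = "<data>" <process>` form this page uses, folds the WOW6432Node view onto the native path so one rule covers both, and tags each row. The sample rows are constructed from this report; the tag names, `native_view` and the other function names are my own choices.

```python
import re
from collections import defaultdict

# Constructed from the registry IoC rows in this report, one row per line, in the
# flattened "<description> <ioc> [= "<data>"] <process>" form the page uses.
SAMPLE_IOCS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a4955834.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a4955834.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a4955834.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a4955834.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a4955834.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection a4955834.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" a4955834.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features a4955834.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 8cb5d4f3356843f3a3a765ada2ca0e150735cd4ea42ec50356a213d18b6cf4be.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" v1028186.exe
"""

# One row: operation, registry path (may contain spaces), optional quoted data, process.
IOC_RE = re.compile(
    r'^(?P<op>Set value \((?P<type>int|str)\)|Key created)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s+=\s+"(?P<data>.*)")?'
    r'\s+(?P<process>\S+)$'
)

# Key fragments compared against the native (non-WOW6432Node) path.
DEFENDER_RTP_POLICY = "\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\"
TAMPER_PROTECTION = "\\Microsoft\\Windows Defender\\Features\\TamperProtection"
AUTOSTART_KEYS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\")


def native_view(path):
    """Fold the WOW6432Node (WOW64-redirected) view onto the native path (my helper)."""
    return path.replace("\\WOW6432Node", "")


def parse_ioc(line):
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    return {"op": m["op"], "type": m["type"], "path": m["path"],
            "data": m["data"], "process": m["process"]}


def classify(rec):
    """Tag names are my own; they mirror what the report's signatures call out."""
    path = native_view(rec["path"])
    name = path.rsplit("\\", 1)[-1]
    data = rec["data"]
    if rec["op"] == "Key created":
        return "key_created"
    if DEFENDER_RTP_POLICY in path and name.startswith("Disable") and data == "1":
        return "defender_rtp_disabled"
    if path.endswith(TAMPER_PROTECTION) and data == "0":
        return "tamper_protection_off"
    if any(k in path for k in AUTOSTART_KEYS):
        # Wextract's own RunOnce cleanup entry: deletes the IXP00x.TMP dir, launches no payload.
        if name.startswith("wextract_cleanup") and "advpack.dll,DelNodeRunDLL32" in data:
            return "wextract_cleanup"
        return "autostart"
    return "other"


def triage(text):
    out = []
    for line in text.strip().splitlines():
        rec = parse_ioc(line)
        if rec is None:
            raise ValueError(f"unparsed IoC row: {line!r}")
        rec["tag"] = classify(rec)
        out.append(rec)
    return out


def summarize(text):
    """Map each process to the sorted set of tags it triggered."""
    by_proc = defaultdict(set)
    for rec in triage(text):
        by_proc[rec["process"]].add(rec["tag"])
    return {p: sorted(t) for p, t in by_proc.items()}


def defender_impaired(text):
    tags = {r["tag"] for r in triage(text)}
    return bool(tags & {"defender_rtp_disabled", "tamper_protection_off"})


if __name__ == "__main__":
    for proc, tags in summarize(SAMPLE_IOCS).items():
        print(f"{proc}: {', '.join(tags)}")
    print("Defender impaired:", defender_impaired(SAMPLE_IOCS))
```

Run on this report's rows, the summary attributes every Defender-impairing write to a4955834.exe and tags the two RunOnce rows as Wextract cleanup rather than autostart; feeding rows from other reports through `classify` is the point of the exercise.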
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  v1028186.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a4955834.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  b2360357.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8cb5d4f3356843f3a3a765ada2ca0e150735cd4ea42ec50356a213d18b6cf4be.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)

pid  Process
4068  a4955834.exe
4068  a4955834.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)

description  pid  Process
Token: SeDebugPrivilege  4068  a4955834.exe
Suspicious use of WriteProcessMemory (9 IoCs)

description  pid  Process  procid_target
PID 4420 wrote to memory of 1196  4420  8cb5d4f3356843f3a3a765ada2ca0e150735cd4ea42ec50356a213d18b6cf4be.exe  83
PID 4420 wrote to memory of 1196  4420  8cb5d4f3356843f3a3a765ada2ca0e150735cd4ea42ec50356a213d18b6cf4be.exe  83
PID 4420 wrote to memory of 1196  4420  8cb5d4f3356843f3a3a765ada2ca0e150735cd4ea42ec50356a213d18b6cf4be.exe  83
PID 1196 wrote to memory of 4068  1196  v1028186.exe  84
PID 1196 wrote to memory of 4068  1196  v1028186.exe  84
PID 1196 wrote to memory of 4068  1196  v1028186.exe  84
PID 1196 wrote to memory of 2300  1196  v1028186.exe  97
PID 1196 wrote to memory of 2300  1196  v1028186.exe  97
PID 1196 wrote to memory of 2300  1196  v1028186.exe  97
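The nine WriteProcessMemory rows are three parent-to-child edges, each recorded three times. The following Python is an added example (not part of the report or the sandbox's tooling) that reconstructs the process tree from rows in this shape, collapsing the repeats but keeping their count, and names each PID from the "Executes dropped EXE" rows plus the root. The event rows and the PID-to-name map are constructed from this report; the function names are my own.

```python
import re
from collections import Counter, defaultdict

# Constructed from the "Suspicious use of WriteProcessMemory" rows of this report
# (columns: description, pid, Process, procid_target).
WPM_EVENTS = """
PID 4420 wrote to memory of 1196 4420 8cb5d4f3356843f3a3a765ada2ca0e150735cd4ea42ec50356a213d18b6cf4be.exe 83
PID 4420 wrote to memory of 1196 4420 8cb5d4f3356843f3a3a765ada2ca0e150735cd4ea42ec50356a213d18b6cf4be.exe 83
PID 4420 wrote to memory of 1196 4420 8cb5d4f3356843f3a3a765ada2ca0e150735cd4ea42ec50356a213d18b6cf4be.exe 83
PID 1196 wrote to memory of 4068 1196 v1028186.exe 84
PID 1196 wrote to memory of 4068 1196 v1028186.exe 84
PID 1196 wrote to memory of 4068 1196 v1028186.exe 84
PID 1196 wrote to memory of 2300 1196 v1028186.exe 97
PID 1196 wrote to memory of 2300 1196 v1028186.exe 97
PID 1196 wrote to memory of 2300 1196 v1028186.exe 97
"""

# Root process plus the "Executes dropped EXE" rows, constructed from the report.
PID_NAMES = {
    4420: "8cb5d4f3356843f3a3a765ada2ca0e150735cd4ea42ec50356a213d18b6cf4be.exe",
    1196: "v1028186.exe",
    4068: "a4955834.exe",
    2300: "b2360357.exe",
}

# The pid column repeats the source PID, so a backreference checks the row is consistent.
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<proc>\S+) (?P<target_id>\d+)$"
)


def parse_events(text):
    """Count (source_pid, target_pid) edges; repeated rows raise the count, not the edge count."""
    edges = Counter()
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        edges[(int(m["src"]), int(m["dst"]))] += 1
    return edges


def build_tree(edges):
    children = defaultdict(list)   # insertion order = order of first appearance in the report
    parent = {}
    for src, dst in edges:
        children[src].append(dst)
        parent[dst] = src
    roots = sorted({s for s, _ in edges} - set(parent))
    return children, parent, roots


def depth(pid, parent):
    """1 for a root, matching the depth numbers the report's process tree uses."""
    d = 1
    while pid in parent:
        pid = parent[pid]
        d += 1
    return d


def chain(pid, parent, names):
    """Ancestry from the root down to pid, as process names."""
    path = [pid]
    while pid in parent:
        pid = parent[pid]
        path.append(pid)
    return [names.get(p, "?") for p in reversed(path)]


def render(children, roots, names):
    lines = []

    def walk(pid, level):
        lines.append("  " * level + f"{names.get(pid, '?')} (PID {pid})")
        for c in children.get(pid, []):
            walk(c, level + 1)

    for r in roots:
        walk(r, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    edges = parse_events(WPM_EVENTS)
    children, parent, roots = build_tree(edges)
    print(render(children, roots, PID_NAMES))
    for (src, dst), n in edges.items():
        print(f"{src} -> {dst}: {n} rows")
```

The rendered tree is the same one the Processes section below shows; the counter confirms that every edge appears exactly three times, so a tree built from these rows should never treat the repeats as three separate injections.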
Processes

C:\Users\Admin\AppData\Local\Temp\8cb5d4f3356843f3a3a765ada2ca0e150735cd4ea42ec50356a213d18b6cf4be.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8cb5d4f3356843f3a3a765ada2ca0e150735cd4ea42ec50356a213d18b6cf4be.exe"
  Depth 1, PID 4420
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1028186.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1028186.exe
    Depth 2, PID 1196, parent PID 4420
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4955834.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4955834.exe
      Depth 3, PID 4068, parent PID 1196
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2360357.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2360357.exe
      Depth 3, PID 2300, parent PID 1196
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Downloads

Filesize: 308KB
MD5: eee5631352c343dc40f2be59ab1fea39
SHA1: de3fa591b3476721f1c5e4f2e359fd06bb19be66
SHA256: c185469ebdba5ac411a2ec8cd6fb2fc25cc8d4460fdebedde627d6d441179d55
SHA512: b3a8b9fcebc733e5c9d6bc1c87fbd3a056a0df1012eebfb060241e433ca14f46c107a5c0f30386a0c84122016c7448a9b3673991da594f0ef13cc4906234e79d

Filesize: 175KB
MD5: 3b9f6136f6bcf2d621508b250ddf3387
SHA1: 1f0250e6ae6d6d875a9f90052d19e23c2b51a831
SHA256: 30dd51431a4c62feff80417aa76b25f548dd7282bde1f378c5c2ea9af21bcfb9
SHA512: 849aec70049d095c76f47e59ddef946bac4086125adb41e4094730c8277d5cfeb5660c7fd861a60d61b2101de707684703583a24ffead5cb3f180ca66a2f7a05

Filesize: 136KB
MD5: 67a1f5c3e7145d19c7b164d02f03813a
SHA1: 0961355d85ba75511f9e259772d28a96da98b089
SHA256: f18ce3331c0500ff1b2d4cfa114fa91a39ba7b92033e81800f8bfaaa78fa1499
SHA512: a2fdd7c600541987def2f8a05efc5111467ee6f95eebdf1970140eca0b1c8a4d6fafb1ef5d89cbf91e86cbc8006adcb78dfc911a872b10b17d1003a042afcf44