Analysis
max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
09/11/2024, 19:15
Static task
static1
Behavioral task
behavioral1
Sample
8927d962a9d1692ae34395d9284d1fb5acf03835478ef46c71c784fbad0fe0e3.exe
Resource
win10v2004-20241007-en
General
Target
8927d962a9d1692ae34395d9284d1fb5acf03835478ef46c71c784fbad0fe0e3.exe
Size
1.1MB
MD5
4a4adfd8705226fef5db47e9d95cea77
SHA1
3c9c2a874236e7dcf167151c04bb7acb359507e0
SHA256
8927d962a9d1692ae34395d9284d1fb5acf03835478ef46c71c784fbad0fe0e3
SHA512
329500718d0fd6c257acf0aa80c5961f80eb1fa27ce0e6a44ca74eb6e64dbf242d82b959219bf2f266ed4b9c598795ec70525785bfebe5b906e0d6f9a6b7a7a4
SSDEEP
24576:qyMho+ABq3Ju+XqzaD10BYBWu9zt+TJMe2tUmPSuL:xMGrq3DND10BYBWYwTJTIPS
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper 17 IoCs
resource  yara_rule
behavioral1/memory/1716-23-0x0000000000E50000-0x0000000000E6A000-memory.dmp  healer
behavioral1/memory/1716-25-0x0000000002690000-0x00000000026A8000-memory.dmp  healer
behavioral1/memory/1716-53-0x0000000002690000-0x00000000026A2000-memory.dmp  healer
behavioral1/memory/1716-51-0x0000000002690000-0x00000000026A2000-memory.dmp  healer
behavioral1/memory/1716-49-0x0000000002690000-0x00000000026A2000-memory.dmp  healer
behavioral1/memory/1716-47-0x0000000002690000-0x00000000026A2000-memory.dmp  healer
behavioral1/memory/1716-45-0x0000000002690000-0x00000000026A2000-memory.dmp  healer
behavioral1/memory/1716-41-0x0000000002690000-0x00000000026A2000-memory.dmp  healer
behavioral1/memory/1716-39-0x0000000002690000-0x00000000026A2000-memory.dmp  healer
behavioral1/memory/1716-37-0x0000000002690000-0x00000000026A2000-memory.dmp  healer
behavioral1/memory/1716-35-0x0000000002690000-0x00000000026A2000-memory.dmp  healer
behavioral1/memory/1716-33-0x0000000002690000-0x00000000026A2000-memory.dmp  healer
behavioral1/memory/1716-31-0x0000000002690000-0x00000000026A2000-memory.dmp  healer
behavioral1/memory/1716-29-0x0000000002690000-0x00000000026A2000-memory.dmp  healer
behavioral1/memory/1716-27-0x0000000002690000-0x00000000026A2000-memory.dmp  healer
behavioral1/memory/1716-26-0x0000000002690000-0x00000000026A2000-memory.dmp  healer
behavioral1/memory/1716-43-0x0000000002690000-0x00000000026A2000-memory.dmp  healer
Healer family
Modifies Windows Defender Real-time Protection settings 6 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  pr574017.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  pr574017.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  pr574017.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  pr574017.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  pr574017.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  pr574017.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 20 IoCs
resource  yara_rule
behavioral1/memory/3548-62-0x0000000004D70000-0x0000000004DAC000-memory.dmp  family_redline
behavioral1/memory/3548-63-0x00000000053E0000-0x000000000541A000-memory.dmp  family_redline
behavioral1/memory/3548-77-0x00000000053E0000-0x0000000005415000-memory.dmp  family_redline
behavioral1/memory/3548-83-0x00000000053E0000-0x0000000005415000-memory.dmp  family_redline
behavioral1/memory/3548-97-0x00000000053E0000-0x0000000005415000-memory.dmp  family_redline
behavioral1/memory/3548-95-0x00000000053E0000-0x0000000005415000-memory.dmp  family_redline
behavioral1/memory/3548-93-0x00000000053E0000-0x0000000005415000-memory.dmp  family_redline
behavioral1/memory/3548-91-0x00000000053E0000-0x0000000005415000-memory.dmp  family_redline
behavioral1/memory/3548-89-0x00000000053E0000-0x0000000005415000-memory.dmp  family_redline
behavioral1/memory/3548-87-0x00000000053E0000-0x0000000005415000-memory.dmp  family_redline
behavioral1/memory/3548-81-0x00000000053E0000-0x0000000005415000-memory.dmp  family_redline
behavioral1/memory/3548-79-0x00000000053E0000-0x0000000005415000-memory.dmp  family_redline
behavioral1/memory/3548-75-0x00000000053E0000-0x0000000005415000-memory.dmp  family_redline
behavioral1/memory/3548-73-0x00000000053E0000-0x0000000005415000-memory.dmp  family_redline
behavioral1/memory/3548-71-0x00000000053E0000-0x0000000005415000-memory.dmp  family_redline
behavioral1/memory/3548-85-0x00000000053E0000-0x0000000005415000-memory.dmp  family_redline
behavioral1/memory/3548-69-0x00000000053E0000-0x0000000005415000-memory.dmp  family_redline
behavioral1/memory/3548-67-0x00000000053E0000-0x0000000005415000-memory.dmp  family_redline
behavioral1/memory/3548-65-0x00000000053E0000-0x0000000005415000-memory.dmp  family_redline
behavioral1/memory/3548-64-0x00000000053E0000-0x0000000005415000-memory.dmp  family_redline
Redline family
Executes dropped EXE 4 IoCs
pid  Process
3916  un036400.exe
236  un877006.exe
1716  pr574017.exe
3548  qu542079.exe
Windows security modification 2 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  pr574017.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  pr574017.exe
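The two Defender-related signatures above (the Real-Time Protection policy values set to 1 and TamperProtection set to 0, all by pr574017.exe) can be turned into a detection over registry-write telemetry. The following is an added example written for this page; it is not code from the report, the sandbox, or the sample. The event shape (image, target, details) is an assumption that mirrors a Sysmon Event ID 13 SetValue record rather than a real log schema, and the sample events are constructed to reproduce the report's rows plus two benign writes that must not fire. One point a detection has to handle is visible in the report itself: the writes are logged under WOW6432Node because the dropper is a 32-bit process (WerFault for it runs from SysWOW64), so the rule strips that segment and matches both registry views.

```python
"""Flag Windows Defender tampering in registry-write telemetry.

Added example, not part of the sandbox report or the sample. The event dicts
use the assumed fields image/target/details (modelled on Sysmon Event ID 13),
and SAMPLE_EVENTS is constructed for illustration.
"""
import re

# Value names under ...\Windows Defender\Real-Time Protection that the report
# shows being set to 1; each one switches off a Defender protection component.
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
}

RTP_POLICY_KEY = r"software\policies\microsoft\windows defender\real-time protection"
FEATURES_KEY = r"software\microsoft\windows defender\features"

# Hive prefix in the spellings seen in sandbox reports and Sysmon, followed by
# an optional WOW6432Node\ segment (the 32-bit redirected view).
_HIVE_PREFIX = re.compile(
    r"^(?:\\REGISTRY\\MACHINE|HKLM|HKEY_LOCAL_MACHINE)\\SOFTWARE\\(?:WOW6432Node\\)?",
    re.IGNORECASE,
)


def normalize_key(target):
    """Return (key, value_name): hive prefix and WOW6432Node stripped, key lower-cased."""
    stripped = _HIVE_PREFIX.sub(lambda _m: "SOFTWARE\\", target)
    key, _, value_name = stripped.rpartition("\\")
    return key.lower(), value_name


def dword_value(details):
    """Parse the written data: an int, a bare "1", or Sysmon's 'DWORD (0x00000001)'."""
    if isinstance(details, int):
        return details
    text = str(details).strip().strip('"')
    m = re.fullmatch(r"DWORD \((0x[0-9a-fA-F]+)\)", text)
    if m:
        return int(m.group(1), 16)
    return int(text) if text.isdigit() else None


def classify(event):
    """Return (technique, reason) for a Defender-tampering write, else None."""
    key, value_name = normalize_key(event["target"])
    data = dword_value(event["details"])
    if key == RTP_POLICY_KEY and value_name in RTP_DISABLE_VALUES and data == 1:
        return "T1562.001", f"{value_name}=1 disables a Defender real-time protection component"
    if key == FEATURES_KEY and value_name == "TamperProtection" and data == 0:
        return "T1562.001", "TamperProtection=0 attempts to switch off Defender tamper protection"
    return None


def scan(events):
    """Return one hit dict per tampering write, preserving input order."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            technique, reason = verdict
            hits.append({"image": ev["image"], "target": ev["target"],
                         "technique": technique, "reason": reason})
    return hits


def offending_images(events):
    """Distinct process images that performed at least one tampering write."""
    return sorted({h["image"] for h in scan(events)})


# Constructed sample: the first three rows mirror the report's IoCs; the last
# two are benign writes that must not fire (a component re-enabled, unrelated key).
_WD = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node"
SAMPLE_EVENTS = [
    {"image": "pr574017.exe", "details": "1",
     "target": _WD + r"\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    {"image": "pr574017.exe", "details": "DWORD (0x00000001)",
     "target": _WD + r"\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring"},
    {"image": "pr574017.exe", "details": 0,
     "target": _WD + r"\Microsoft\Windows Defender\Features\TamperProtection"},
    {"image": "gpupdate.exe", "details": "DWORD (0x00000000)",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    {"image": "msiexec.exe", "details": "1",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f'{hit["technique"]} {hit["image"]}: {hit["reason"]}')
```

Run against the constructed events it reports three hits, all from pr574017.exe, and nothing for the two benign writes. The value check is deliberate: a write of 0 to DisableRealtimeMonitoring re-enables monitoring and is what policy refresh looks like, so only the disabling value is treated as tampering.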
Adds Run key to start application 2 TTPs 3 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  8927d962a9d1692ae34395d9284d1fb5acf03835478ef46c71c784fbad0fe0e3.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  un036400.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  un877006.exe
The wextract_cleanupN RunOnce values are the cleanup hook that the IExpress/wextract self-extractor writes for its own IXP00N.TMP extraction directory (rundll32 calling DelNodeRunDLL32 in advpack.dll deletes that directory at the next logon); three of them, one per stage, reflect three nested self-extracting layers rather than persistence of the final payloads.
Program crash 1 IoCs
pid  pid_target  Process  procid_target
3708  1716  WerFault.exe  86
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8927d962a9d1692ae34395d9284d1fb5acf03835478ef46c71c784fbad0fe0e3.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  un036400.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  un877006.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pr574017.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  qu542079.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid  Process
1716  pr574017.exe
1716  pr574017.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description  pid  Process
Token: SeDebugPrivilege  1716  pr574017.exe
Token: SeDebugPrivilege  3548  qu542079.exe
Suspicious use of WriteProcessMemory 12 IoCs
description  pid  Process  procid_target
PID 4712 wrote to memory of 3916  4712  8927d962a9d1692ae34395d9284d1fb5acf03835478ef46c71c784fbad0fe0e3.exe  83
PID 4712 wrote to memory of 3916  4712  8927d962a9d1692ae34395d9284d1fb5acf03835478ef46c71c784fbad0fe0e3.exe  83
PID 4712 wrote to memory of 3916  4712  8927d962a9d1692ae34395d9284d1fb5acf03835478ef46c71c784fbad0fe0e3.exe  83
PID 3916 wrote to memory of 236  3916  un036400.exe  85
PID 3916 wrote to memory of 236  3916  un036400.exe  85
PID 3916 wrote to memory of 236  3916  un036400.exe  85
PID 236 wrote to memory of 1716  236  un877006.exe  86
PID 236 wrote to memory of 1716  236  un877006.exe  86
PID 236 wrote to memory of 1716  236  un877006.exe  86
PID 236 wrote to memory of 3548  236  un877006.exe  95
PID 236 wrote to memory of 3548  236  un877006.exe  95
PID 236 wrote to memory of 3548  236  un877006.exe  95
Processes
1⤵ C:\Users\Admin\AppData\Local\Temp\8927d962a9d1692ae34395d9284d1fb5acf03835478ef46c71c784fbad0fe0e3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8927d962a9d1692ae34395d9284d1fb5acf03835478ef46c71c784fbad0fe0e3.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4712
  2⤵ C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un036400.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un036400.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3916
    3⤵ C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un877006.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un877006.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:236
      4⤵ C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr574017.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr574017.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:1716
        5⤵ C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 1080
          - Program crash
          PID:3708
      4⤵ C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu542079.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu542079.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID:3548
1⤵ C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1716 -ip 1716
  PID:3560
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
  Registry Run Keys / Startup Folder (1)
Create or Modify System Process (1)
  Windows Service (1)
Downloads
Filesize
762KB
MD5
e55c3ca0b5b89332d83179dd7e82f33a
SHA1
cc72a6b2b0ecd1032b83765f8639b7ed82afb153
SHA256
6f43599791d3e793308e87d015c89d986eccdabd134a274375488edb61a3cbb9
SHA512
a858b7430b07cfcb5d11d53ef89a817946ddccec218f4802893db0c870b7189b92efd6e08598bbbc3d8772eabb26028ade1125ae1eed6c353d62821371cb1799

Filesize
608KB
MD5
b2460e7b324ca034fe315aa17f4a3527
SHA1
0ca1373189d89ffa46a41d35fc81cae11de1b0c0
SHA256
db422dade43f906fc99ef2f60f297e9f0ec8fae2293c666ba3d33594d1100777
SHA512
16185f5a4b5dbf4c406fa883bb9ab70ed9a907052766857c474f38bdb5ac42ba2bf54b65938e057eae6f4ec21990ef59d4c95702fb55f9f7f954f5c4af2a3d21

Filesize
405KB
MD5
d2cf2ca4f1849a539a80c382cfcfb87d
SHA1
7fe2e8b7754a883ecd6427e363233c74a36be36b
SHA256
3ce588ecb5c2178f843004417a621dcd020ceb6b999b0c0a1e83be31462f3768
SHA512
c1360c0009ae20fee1397278fe7e050c9f183b962d11ec0a1ec15fbf80fa433ce9e95733e6fb9173409239e49650d8f2f8b720813d46aebb258035c99cb7e3fe

Filesize
488KB
MD5
a18ec6b299016e25071293d0ae63af6a
SHA1
d84c1544f42c842584a175de16883ec88bb23c68
SHA256
5a7fe6d824fb75ae939c840c631f631c032aeee72234956ac5f5850707e993c0
SHA512
d1db3fc5e837703d96e99b03864308ad5e3e1a576e534dcc915dc22b35aa12ff82e1638019777b7abcaa0c83e267153c012ecac84297496acf457265e4d99801