Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 20:29

Static task: static1
Behavioral task: behavioral1
Sample: 2f0fa123b62362d144f0983c5cb75e8d63a124963ac797ac896af03ee80afd10.exe
Resource: win10v2004-20241007-en
General

Target: 2f0fa123b62362d144f0983c5cb75e8d63a124963ac797ac896af03ee80afd10.exe
Size: 703KB
MD5: e77cdcd082c4b1ff6fd43b29124b6a22
SHA1: e67694e98490114e327201d5e0e633192a351379
SHA256: 2f0fa123b62362d144f0983c5cb75e8d63a124963ac797ac896af03ee80afd10
SHA512: b8a8a952fa1947822e5f7bbfd389bf71e7a7b5c12196748129d574c5ceac334bcc4b7e250d85cb4c8aa69562679f7539dd54a227b4a1e0bcec65414328b8c07f
SSDEEP: 12288:Ay90nBHTfSn/t/QbZE/DuzM+JC2z2x/SExXHXQH0rdeagiIkXv4lt:AyYMQbybUM+JP2x/SExXXBkMsr
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper 17 IoCs
resource | yara_rule
behavioral1/memory/3416-18-0x0000000004D00000-0x0000000004D1A000-memory.dmp | healer
behavioral1/memory/3416-20-0x0000000007280000-0x0000000007298000-memory.dmp | healer
behavioral1/memory/3416-21-0x0000000007280000-0x0000000007292000-memory.dmp | healer
behavioral1/memory/3416-22-0x0000000007280000-0x0000000007292000-memory.dmp | healer
behavioral1/memory/3416-24-0x0000000007280000-0x0000000007292000-memory.dmp | healer
behavioral1/memory/3416-26-0x0000000007280000-0x0000000007292000-memory.dmp | healer
behavioral1/memory/3416-28-0x0000000007280000-0x0000000007292000-memory.dmp | healer
behavioral1/memory/3416-30-0x0000000007280000-0x0000000007292000-memory.dmp | healer
behavioral1/memory/3416-32-0x0000000007280000-0x0000000007292000-memory.dmp | healer
behavioral1/memory/3416-34-0x0000000007280000-0x0000000007292000-memory.dmp | healer
behavioral1/memory/3416-36-0x0000000007280000-0x0000000007292000-memory.dmp | healer
behavioral1/memory/3416-38-0x0000000007280000-0x0000000007292000-memory.dmp | healer
behavioral1/memory/3416-40-0x0000000007280000-0x0000000007292000-memory.dmp | healer
behavioral1/memory/3416-42-0x0000000007280000-0x0000000007292000-memory.dmp | healer
behavioral1/memory/3416-44-0x0000000007280000-0x0000000007292000-memory.dmp | healer
behavioral1/memory/3416-46-0x0000000007280000-0x0000000007292000-memory.dmp | healer
behavioral1/memory/3416-48-0x0000000007280000-0x0000000007292000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr681300.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr681300.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr681300.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr681300.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr681300.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr681300.exe

pr681300.exe writes the five Real-Time Protection policy values that switch off Defender's real-time, behaviour, IOAV and on-access scanning. Two points when reading this: the sample is a 32-bit process (its crash is handled by SysWOW64\WerFault.exe), so the sandbox logs the writes in the WOW6432Node view of HKLM\SOFTWARE and a hunt on 64-bit hosts should cover both views; and where Tamper Protection is on, Defender rejects registry-driven changes to these settings, so the IoCs record the attempt rather than a confirmed loss of protection.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 20 IoCs
resource | yara_rule
behavioral1/memory/688-60-0x0000000007080000-0x00000000070BC000-memory.dmp | family_redline
behavioral1/memory/688-61-0x0000000007100000-0x000000000713A000-memory.dmp | family_redline
behavioral1/memory/688-62-0x0000000007100000-0x0000000007135000-memory.dmp | family_redline
behavioral1/memory/688-63-0x0000000007100000-0x0000000007135000-memory.dmp | family_redline
behavioral1/memory/688-65-0x0000000007100000-0x0000000007135000-memory.dmp | family_redline
behavioral1/memory/688-67-0x0000000007100000-0x0000000007135000-memory.dmp | family_redline
behavioral1/memory/688-69-0x0000000007100000-0x0000000007135000-memory.dmp | family_redline
behavioral1/memory/688-71-0x0000000007100000-0x0000000007135000-memory.dmp | family_redline
behavioral1/memory/688-73-0x0000000007100000-0x0000000007135000-memory.dmp | family_redline
behavioral1/memory/688-75-0x0000000007100000-0x0000000007135000-memory.dmp | family_redline
behavioral1/memory/688-77-0x0000000007100000-0x0000000007135000-memory.dmp | family_redline
behavioral1/memory/688-79-0x0000000007100000-0x0000000007135000-memory.dmp | family_redline
behavioral1/memory/688-81-0x0000000007100000-0x0000000007135000-memory.dmp | family_redline
behavioral1/memory/688-83-0x0000000007100000-0x0000000007135000-memory.dmp | family_redline
behavioral1/memory/688-85-0x0000000007100000-0x0000000007135000-memory.dmp | family_redline
behavioral1/memory/688-87-0x0000000007100000-0x0000000007135000-memory.dmp | family_redline
behavioral1/memory/688-89-0x0000000007100000-0x0000000007135000-memory.dmp | family_redline
behavioral1/memory/688-91-0x0000000007100000-0x0000000007135000-memory.dmp | family_redline
behavioral1/memory/688-93-0x0000000007100000-0x0000000007135000-memory.dmp | family_redline
behavioral1/memory/688-95-0x0000000007100000-0x0000000007135000-memory.dmp | family_redline
Redline family
Executes dropped EXE 3 IoCs
pid | Process
700 | un569179.exe
3416 | pr681300.exe
688 | qu604956.exe

Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr681300.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr681300.exe

Writing 0 to Features\TamperProtection is meant to take Tamper Protection out of the way so that the Real-Time Protection policy writes above are honoured. Tamper Protection exists to reject exactly this kind of write, so on a host where it is enabled the value does not change; the IoC shows intent, not effect.
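Taken together, the Real-Time Protection policy writes and the TamperProtection write are the whole of the Healer behaviour in this run. The following Python, added here as an example and not code from the original report, parses IoC lines in the report's flattened form (Set value (type) key\name = "data" process) and flags the writes that flip a known Defender switch to its "off" value, ignoring key creations, same-named values outside the Defender keys and writes that set a switch back on. The kill-switch table and the matching logic are the example's own; the input lines are copied from this report, with one RunOnce write included as a deliberate non-match.

```python
"""Flag Windows Defender kill-switch writes in sandbox registry IoC lines.

Added example, not part of the original report: the IoC lines below are copied
from the report's Defender entries plus its first RunOnce write (for contrast)
and embedded as sample input; the kill-switch table and matching logic are
this example's own.
"""
import re
from typing import Dict, List, Optional, Tuple

# value name -> (Defender subkey it belongs under, data that switches the protection off)
DEFENDER_KILL_SWITCHES: Dict[str, Tuple[str, str]] = {
    "DisableRealtimeMonitoring":   ("Real-Time Protection", "1"),
    "DisableBehaviorMonitoring":   ("Real-Time Protection", "1"),
    "DisableIOAVProtection":       ("Real-Time Protection", "1"),
    "DisableOnAccessProtection":   ("Real-Time Protection", "1"),
    "DisableScanOnRealtimeEnable": ("Real-Time Protection", "1"),
    "TamperProtection":            ("Features", "0"),
}

# The report flattens each write as: Set value (<type>) <key>\<name> = "<data>" <process>
# <key> is non-greedy so <name> is the last path component; <data> is greedy so
# escaped quotes inside it (as in the RunOnce command line) do not cut it short.
_SET_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\]+) = "(?P<data>.*)" (?P<proc>\S+)$'
)


def parse_set_value(line: str) -> Optional[Dict[str, str]]:
    """Fields of one 'Set value' IoC line, or None for any other line (e.g. 'Key created')."""
    m = _SET_RE.match(line.strip())
    return m.groupdict() if m else None


def find_defender_tampering(lines: List[str]) -> List[Dict[str, object]]:
    """Every Set-value IoC that flips a known Defender kill switch to its 'off' data."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_set_value(line)
        if rec is None or rec["name"] not in DEFENDER_KILL_SWITCHES:
            continue
        subkey, off_data = DEFENDER_KILL_SWITCHES[rec["name"]]
        key = rec["key"]
        # Same-named values exist elsewhere in the registry; insist on the Defender subkey.
        if "\\Windows Defender\\" not in key or not key.endswith("\\" + subkey):
            continue
        if rec["data"] != off_data:
            continue
        findings.append({
            "process": rec["proc"],
            "value": rec["name"],
            "data": rec["data"],
            "key": key,
            # A 32-bit writer is logged in the WOW6432Node view; hunt both views on x64 hosts.
            "wow64_view": "\\WOW6432Node\\" in key,
            # Policies\... values are policy overrides; Features\... is Defender's own state.
            "policy_key": "\\Policies\\" in key,
        })
    return findings


def by_process(findings: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """{writing process: [flipped value names]} for a one-line verdict per process."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        out.setdefault(str(f["process"]), []).append(str(f["value"]))
    return out


# Constructed sample input, copied from this report's IoC tables.
_RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
_FEAT = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features"
SAMPLE_IOCS = [
    rf'Set value (int) {_RTP}\DisableScanOnRealtimeEnable = "1" pr681300.exe',
    rf'Key created {_RTP} pr681300.exe',
    rf'Set value (int) {_RTP}\DisableBehaviorMonitoring = "1" pr681300.exe',
    rf'Set value (int) {_RTP}\DisableIOAVProtection = "1" pr681300.exe',
    rf'Set value (int) {_RTP}\DisableOnAccessProtection = "1" pr681300.exe',
    rf'Set value (int) {_RTP}\DisableRealtimeMonitoring = "1" pr681300.exe',
    rf'Set value (int) {_FEAT}\TamperProtection = "0" pr681300.exe',
    rf'Key created {_FEAT} pr681300.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
    r'\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 '
    r'\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" '
    r'2f0fa123b62362d144f0983c5cb75e8d63a124963ac797ac896af03ee80afd10.exe',
]

if __name__ == "__main__":
    for proc, values in by_process(find_defender_tampering(SAMPLE_IOCS)).items():
        print(f"{proc}: disables Defender via {', '.join(values)}")
```

On the report's lines this yields one verdict, for pr681300.exe, covering all six switches; the RunOnce line parses cleanly but is not flagged, and a write of "0" to a Real-Time Protection value (re-enabling it) is likewise ignored.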
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 2f0fa123b62362d144f0983c5cb75e8d63a124963ac797ac896af03ee80afd10.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un569179.exe

Read this signature with care. wextract_cleanup<n> RunOnce values pointing at advpack.dll,DelNodeRunDLL32 are what a Windows IExpress/wextract self-extracting package writes so that its IXP00n.TMP extraction directory is deleted at the next logon; they remove a folder and do not relaunch anything. What they do tell you is the packaging: the submitted executable is an SFX that unpacks un569179.exe into IXP000.TMP, and un569179.exe is a second SFX that unpacks pr681300.exe and qu604956.exe into IXP001.TMP, which matches the process tree below.
Program crash 1 IoCs
pid | pid_target | Process | procid_target
760 | 3416 | WerFault.exe | 86
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un569179.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pr681300.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu604956.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2f0fa123b62362d144f0983c5cb75e8d63a124963ac797ac896af03ee80afd10.exe

All four processes in the chain open this key, including the two self-extracting wrappers, so on its own the hit is weak evidence of deliberate geofencing.
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
3416 | pr681300.exe
3416 | pr681300.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3416 | pr681300.exe
Token: SeDebugPrivilege | 688 | qu604956.exe

Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 2732 wrote to memory of 700 | 2732 | 2f0fa123b62362d144f0983c5cb75e8d63a124963ac797ac896af03ee80afd10.exe | 84
PID 2732 wrote to memory of 700 | 2732 | 2f0fa123b62362d144f0983c5cb75e8d63a124963ac797ac896af03ee80afd10.exe | 84
PID 2732 wrote to memory of 700 | 2732 | 2f0fa123b62362d144f0983c5cb75e8d63a124963ac797ac896af03ee80afd10.exe | 84
PID 700 wrote to memory of 3416 | 700 | un569179.exe | 86
PID 700 wrote to memory of 3416 | 700 | un569179.exe | 86
PID 700 wrote to memory of 3416 | 700 | un569179.exe | 86
PID 700 wrote to memory of 688 | 700 | un569179.exe | 99
PID 700 wrote to memory of 688 | 700 | un569179.exe | 99
PID 700 wrote to memory of 688 | 700 | un569179.exe | 99
Processes

C:\Users\Admin\AppData\Local\Temp\2f0fa123b62362d144f0983c5cb75e8d63a124963ac797ac896af03ee80afd10.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f0fa123b62362d144f0983c5cb75e8d63a124963ac797ac896af03ee80afd10.exe"
  PID: 2732
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un569179.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un569179.exe
    PID: 700
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr681300.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr681300.exe
      PID: 3416
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 1080
        PID: 760
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu604956.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu604956.exe
      PID: 688
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3416 -ip 3416
  PID: 2508
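The tree above can be rebuilt from the WriteProcessMemory IoCs alone, which is useful when all you have is the flattened signature text rather than the rendered tree. The following Python, added here as an example and not part of the original report, parses those lines, collapses the three identical writes the sandbox logs per child launch, takes image names for the children from the "Executes dropped EXE" list, and ties each WerFault.exe instance to the faulting process through its -p argument. The input is copied from this report; the parsing and tree logic are the example's own.

```python
"""Rebuild the parent/child tree from the report's WriteProcessMemory IoCs and
tie each WerFault.exe instance to the process that crashed.

Added example, not part of the original report: the WriteProcessMemory lines,
the 'Executes dropped EXE' list and the WerFault command lines are copied from
the report and embedded as sample input; the parsing and tree logic are this
example's own.
"""
import re
from typing import Dict, List, Optional, Tuple

# "PID <writer> wrote to memory of <target> <writer> <writer image> <target id>"
_WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<name>\S+) \d+$"
)
# WerFault.exe names the faulting process after -p ("-pss" and "-ip" are other switches).
_WERFAULT_P_RE = re.compile(r"(?:^|\s)-p\s+(?P<pid>\d+)(?=\s|$)")

# Constructed sample input, copied from this report.
SAMPLE_IMAGE = "2f0fa123b62362d144f0983c5cb75e8d63a124963ac797ac896af03ee80afd10.exe"
WPM_IOCS = [f"PID 2732 wrote to memory of 700 2732 {SAMPLE_IMAGE} 84"] * 3 + [
    "PID 700 wrote to memory of 3416 700 un569179.exe 86",
    "PID 700 wrote to memory of 3416 700 un569179.exe 86",
    "PID 700 wrote to memory of 3416 700 un569179.exe 86",
    "PID 700 wrote to memory of 688 700 un569179.exe 99",
    "PID 700 wrote to memory of 688 700 un569179.exe 99",
    "PID 700 wrote to memory of 688 700 un569179.exe 99",
]
DROPPED_EXE = "pid Process 700 un569179.exe 3416 pr681300.exe 688 qu604956.exe"
WERFAULT = [  # (WerFault pid, command line) from the process tree
    (760, r"C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 1080"),
    (2508, r"C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3416 -ip 3416"),
]


def parse_wpm(lines: List[str]) -> List[Tuple[int, int, str]]:
    """(writer pid, target pid, writer image) for each matching line."""
    out = []
    for line in lines:
        m = _WPM_RE.match(line.strip())
        if m:
            out.append((int(m["src"]), int(m["dst"]), m["name"]))
    return out


def parse_dropped(blob: str) -> Dict[int, str]:
    """'pid Process 700 un569179.exe ...' -> {700: 'un569179.exe', ...}."""
    tokens = blob.split()
    if tokens[:2] == ["pid", "Process"]:
        tokens = tokens[2:]
    return {int(p): n for p, n in zip(tokens[0::2], tokens[1::2])}


def build_tree(edges, names=None) -> Tuple[Dict[int, List[int]], Dict[int, str]]:
    """Dedupe the repeated writes (the sandbox logs each child launch three times)
    into {parent: [children in first-seen order]} and fill in writer image names."""
    names = dict(names or {})
    children: Dict[int, List[int]] = {}
    for src, dst, name in edges:
        names.setdefault(src, name)
        kids = children.setdefault(src, [])
        if dst not in kids:
            kids.append(dst)
    return children, names


def roots(children: Dict[int, List[int]]) -> List[int]:
    """Parents that are never anyone's child."""
    targets = {d for kids in children.values() for d in kids}
    return [p for p in children if p not in targets]


def faulting_pid(cmdline: str) -> Optional[int]:
    m = _WERFAULT_P_RE.search(cmdline)
    return int(m["pid"]) if m else None


def correlate_werfault(instances) -> Dict[int, List[int]]:
    """{crashed pid: [WerFault pids]}; one crash may spawn more than one instance."""
    out: Dict[int, List[int]] = {}
    for wer_pid, cmd in instances:
        victim = faulting_pid(cmd)
        if victim is not None:
            out.setdefault(victim, []).append(wer_pid)
    return out


def render(children, names, crashes, pid: int, depth: int = 0) -> List[str]:
    label = f"{'  ' * depth}{names.get(pid, '?')} ({pid})"
    if pid in crashes:
        label += f"  [crashed; WerFault pids {', '.join(map(str, crashes[pid]))}]"
    lines = [label]
    for kid in children.get(pid, []):
        lines.extend(render(children, names, crashes, kid, depth + 1))
    return lines


def analyse():
    children, names = build_tree(parse_wpm(WPM_IOCS), parse_dropped(DROPPED_EXE))
    crashes = correlate_werfault(WERFAULT)
    tree = [line for r in roots(children) for line in render(children, names, crashes, r)]
    return children, names, crashes, tree


if __name__ == "__main__":
    print("\n".join(analyse()[3]))
```

The output is a four-line tree rooted at PID 2732 with pr681300.exe marked as crashed and handled by WerFault PIDs 760 and 2508; the second WerFault instance is a top-level process in the report because it is started by the WER service, not by the crashing process, so correlating on -p is the only way to attach it to the right victim.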
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 549KB
MD5: 6ffa8fab6db862549c28d7c372d470c2
SHA1: 655c8b74c6bdb3dde2411f67428e429ba143d221
SHA256: b2b04cecc938f127e4ab2bf55efdee636efc297e0a59f3653844c24d5c457180
SHA512: 6c1a156be9035e4c86009043d681f2bd40d191740006905d33569787b6cc1edbd11388041dadb680bf3ccd0fb2f32cf0d59e4ffdf5c6089cde81de1fd136fe01

Filesize: 278KB
MD5: 9f851092fc7608b2a73e58167e1e4956
SHA1: e85930972e9ca6e16f337c2389de79b2a68ee971
SHA256: 6dec5dede41a6e2e9d44b5a695ccf151be97315aa03dda16670438d57fb9fd84
SHA512: 25de2ba9f03995aea24a916f49c083e23386483b5dd0fe919e0a309876515a8a841476773b39265e75f591ff1c403294eeb9df948c8dd1911c9d9a6253c593c1

Filesize: 360KB
MD5: 9500c0c81986fb3eba910f7a80b4f241
SHA1: 858dc8f2eeb7055deaf67c9be0c5843ab65f8552
SHA256: 2681ffd55d8fdf3d1f6494c45a6087ff93c90f80a63890864cb5b9ee2e3fc4b1
SHA512: b3cda4e72e90164111120ac5a043e35f140fe0d680637aa10c5f0d9110cf14c685286c401655cc3ad544dc475dbe454d9306a1dcc08d5ac2da1bfbe42d1899c6