Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 20:36
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 3f75993b08d25404158dd7bb6d0ecc54ef057923105e39800f5b60f1793c9946.exe
  - Resource: win10v2004-20241007-en
General
- Target: 3f75993b08d25404158dd7bb6d0ecc54ef057923105e39800f5b60f1793c9946.exe
- Size: 704KB
- MD5: 3ee0b87db42039bb780222af37ff6ea0
- SHA1: cd92b6a8b1c9e244c2b6ded813b14a0dc66375af
- SHA256: 3f75993b08d25404158dd7bb6d0ecc54ef057923105e39800f5b60f1793c9946
- SHA512: 31298474eb864774c500fbb1858c1fefa93cbdb49deff85e554b0de416b378ed2e62e11ce375d674e25420f890a5620adf0f2c87f6264683273a7568c8c281fd
- SSDEEP: 12288:7y90p7q977L4vvc/D+5uXBV1l3MKX/cmaA5+w12Vd0Dw:7yn9nL4vvcbkuTDMKPczA8y2VaDw
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper 17 IoCs
Healer family
Modifies Windows Defender Real-time Protection settings
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (pr794042.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (pr794042.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (pr794042.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (pr794042.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (pr794042.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (pr794042.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 20 IoCs
Redline family
Executes dropped EXE 3 IoCs
- PID 4736: un412700.exe
- PID 2032: pr794042.exe
- PID 1852: qu470029.exe
Windows security modification
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (pr794042.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (pr794042.exe)
Adds Run key to start application 2 TTPs 2 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (3f75993b08d25404158dd7bb6d0ecc54ef057923105e39800f5b60f1793c9946.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un412700.exe)
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
- PID 2064: sc.exe
Program crash 1 IoCs
- PID 3588: WerFault.exe (target PID 2032, procid_target 84)
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (3f75993b08d25404158dd7bb6d0ecc54ef057923105e39800f5b60f1793c9946.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (un412700.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (pr794042.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (qu470029.exe)
Suspicious behavior: EnumeratesProcesses 2 IoCs
- PID 2032: pr794042.exe
- PID 2032: pr794042.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
- Token: SeDebugPrivilege, PID 2032: pr794042.exe
- Token: SeDebugPrivilege, PID 1852: qu470029.exe
Suspicious use of WriteProcessMemory 9 IoCs
- PID 4440 wrote to memory of 4736: 3f75993b08d25404158dd7bb6d0ecc54ef057923105e39800f5b60f1793c9946.exe (procid_target 83)
- PID 4440 wrote to memory of 4736: 3f75993b08d25404158dd7bb6d0ecc54ef057923105e39800f5b60f1793c9946.exe (procid_target 83)
- PID 4440 wrote to memory of 4736: 3f75993b08d25404158dd7bb6d0ecc54ef057923105e39800f5b60f1793c9946.exe (procid_target 83)
- PID 4736 wrote to memory of 2032: un412700.exe (procid_target 84)
- PID 4736 wrote to memory of 2032: un412700.exe (procid_target 84)
- PID 4736 wrote to memory of 2032: un412700.exe (procid_target 84)
- PID 4736 wrote to memory of 1852: un412700.exe (procid_target 100)
- PID 4736 wrote to memory of 1852: un412700.exe (procid_target 100)
- PID 4736 wrote to memory of 1852: un412700.exe (procid_target 100)
Processes
- C:\Users\Admin\AppData\Local\Temp\3f75993b08d25404158dd7bb6d0ecc54ef057923105e39800f5b60f1793c9946.exe (PID 4440)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3f75993b08d25404158dd7bb6d0ecc54ef057923105e39800f5b60f1793c9946.exe"
  Signatures: Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un412700.exe (PID 4736)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un412700.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr794042.exe (PID 2032)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr794042.exe
      Signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 3588)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 1088
        Signatures: Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu470029.exe (PID 1852)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu470029.exe
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 3300)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2032 -ip 2032
- C:\Windows\system32\sc.exe (PID 2064)
  Command line: C:\Windows\system32\sc.exe start wuauserv
  Signatures: Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads