Analysis
- max time kernel: 141s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-11-2024 00:41

Static task: static1

Behavioral task: behavioral1
- Sample: 096f2ca5221f50256a542cb4a08142a91878ca8c3d6fb4d82fc0bc2ef975176b.exe
- Resource: win10v2004-20241007-en
General
- Target: 096f2ca5221f50256a542cb4a08142a91878ca8c3d6fb4d82fc0bc2ef975176b.exe
- Size: 651KB
- MD5: 211da635053410bb6ae38f902bebb709
- SHA1: 03786eb1eab085019b744b85b80f236ed6ff4fa0
- SHA256: 096f2ca5221f50256a542cb4a08142a91878ca8c3d6fb4d82fc0bc2ef975176b
- SHA512: d316d194a85975ed66763c41d16e9d5ce86d9b8a6a5dc5de67c1aa6653259b1ba71cca86020a4887f807c1d5e8837553bc924ea6f7ddaa98a985dced78590692
- SSDEEP: 12288:Dy90iZBWIbgG+LWZQxPi2iagFucbrG4rwMswsTBuACf:DyBl+CwPwFPbK4rwMsXTQh
Malware Config
Signatures
- Detects Healer, an antivirus disabler dropper (17 IoCs)
Processes (resource / yara_rule):
- behavioral1/memory/3396-15-0x00000000020B0000-0x00000000020CA000-memory.dmp / healer
- behavioral1/memory/3396-18-0x0000000004F60000-0x0000000004F78000-memory.dmp / healer
- behavioral1/memory/3396-19-0x0000000004F60000-0x0000000004F73000-memory.dmp / healer
- behavioral1/memory/3396-46-0x0000000004F60000-0x0000000004F73000-memory.dmp / healer
- behavioral1/memory/3396-45-0x0000000004F60000-0x0000000004F73000-memory.dmp / healer
- behavioral1/memory/3396-42-0x0000000004F60000-0x0000000004F73000-memory.dmp / healer
- behavioral1/memory/3396-40-0x0000000004F60000-0x0000000004F73000-memory.dmp / healer
- behavioral1/memory/3396-38-0x0000000004F60000-0x0000000004F73000-memory.dmp / healer
- behavioral1/memory/3396-36-0x0000000004F60000-0x0000000004F73000-memory.dmp / healer
- behavioral1/memory/3396-34-0x0000000004F60000-0x0000000004F73000-memory.dmp / healer
- behavioral1/memory/3396-32-0x0000000004F60000-0x0000000004F73000-memory.dmp / healer
- behavioral1/memory/3396-24-0x0000000004F60000-0x0000000004F73000-memory.dmp / healer
- behavioral1/memory/3396-30-0x0000000004F60000-0x0000000004F73000-memory.dmp / healer
- behavioral1/memory/3396-28-0x0000000004F60000-0x0000000004F73000-memory.dmp / healer
- behavioral1/memory/3396-27-0x0000000004F60000-0x0000000004F73000-memory.dmp / healer
- behavioral1/memory/3396-22-0x0000000004F60000-0x0000000004F73000-memory.dmp / healer
- behavioral1/memory/3396-20-0x0000000004F60000-0x0000000004F73000-memory.dmp / healer
- Healer family
- Modifies Windows Defender Real-time Protection settings (6 IoCs)
Processes (description / ioc / Process):
- Set value (int) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" / 27820816.exe
- Set value (int) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" / 27820816.exe
- Set value (int) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" / 27820816.exe
- Key created / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection / 27820816.exe
- Set value (int) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" / 27820816.exe
- Set value (int) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" / 27820816.exe
- RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (21 IoCs)
Processes (resource / yara_rule):
- behavioral1/memory/5072-56-0x0000000002560000-0x000000000259C000-memory.dmp / family_redline
- behavioral1/memory/5072-57-0x0000000004A40000-0x0000000004A7A000-memory.dmp / family_redline
- behavioral1/memory/5072-61-0x0000000004A40000-0x0000000004A75000-memory.dmp / family_redline
- behavioral1/memory/5072-73-0x0000000004A40000-0x0000000004A75000-memory.dmp / family_redline
- behavioral1/memory/5072-93-0x0000000004A40000-0x0000000004A75000-memory.dmp / family_redline
- behavioral1/memory/5072-89-0x0000000004A40000-0x0000000004A75000-memory.dmp / family_redline
- behavioral1/memory/5072-87-0x0000000004A40000-0x0000000004A75000-memory.dmp / family_redline
- behavioral1/memory/5072-85-0x0000000004A40000-0x0000000004A75000-memory.dmp / family_redline
- behavioral1/memory/5072-84-0x0000000004A40000-0x0000000004A75000-memory.dmp / family_redline
- behavioral1/memory/5072-79-0x0000000004A40000-0x0000000004A75000-memory.dmp / family_redline
- behavioral1/memory/5072-77-0x0000000004A40000-0x0000000004A75000-memory.dmp / family_redline
- behavioral1/memory/5072-75-0x0000000004A40000-0x0000000004A75000-memory.dmp / family_redline
- behavioral1/memory/5072-71-0x0000000004A40000-0x0000000004A75000-memory.dmp / family_redline
- behavioral1/memory/5072-69-0x0000000004A40000-0x0000000004A75000-memory.dmp / family_redline
- behavioral1/memory/5072-67-0x0000000004A40000-0x0000000004A75000-memory.dmp / family_redline
- behavioral1/memory/5072-65-0x0000000004A40000-0x0000000004A75000-memory.dmp / family_redline
- behavioral1/memory/5072-63-0x0000000004A40000-0x0000000004A75000-memory.dmp / family_redline
- behavioral1/memory/5072-91-0x0000000004A40000-0x0000000004A75000-memory.dmp / family_redline
- behavioral1/memory/5072-81-0x0000000004A40000-0x0000000004A75000-memory.dmp / family_redline
- behavioral1/memory/5072-59-0x0000000004A40000-0x0000000004A75000-memory.dmp / family_redline
- behavioral1/memory/5072-58-0x0000000004A40000-0x0000000004A75000-memory.dmp / family_redline
- Redline family
- Executes dropped EXE (3 IoCs)
Processes (pid / Process):
- 116 / st563732.exe
- 3396 / 27820816.exe
- 5072 / kp684552.exe
- Windows security modification (2 IoCs)
Processes (description / ioc / Process):
- Key created / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features / 27820816.exe
- Set value (int) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" / 27820816.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description / ioc / Process):
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" / 096f2ca5221f50256a542cb4a08142a91878ca8c3d6fb4d82fc0bc2ef975176b.exe
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" / st563732.exe
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description / ioc / Process):
- Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / 096f2ca5221f50256a542cb4a08142a91878ca8c3d6fb4d82fc0bc2ef975176b.exe
- Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / st563732.exe
- Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / 27820816.exe
- Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / kp684552.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid / Process):
- 3396 / 27820816.exe
- 3396 / 27820816.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description / pid / Process):
- Token: SeDebugPrivilege / 3396 / 27820816.exe
- Token: SeDebugPrivilege / 5072 / kp684552.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description / pid / Process / procid_target):
- PID 2308 wrote to memory of 116 / 2308 / 096f2ca5221f50256a542cb4a08142a91878ca8c3d6fb4d82fc0bc2ef975176b.exe / 83
- PID 2308 wrote to memory of 116 / 2308 / 096f2ca5221f50256a542cb4a08142a91878ca8c3d6fb4d82fc0bc2ef975176b.exe / 83
- PID 2308 wrote to memory of 116 / 2308 / 096f2ca5221f50256a542cb4a08142a91878ca8c3d6fb4d82fc0bc2ef975176b.exe / 83
- PID 116 wrote to memory of 3396 / 116 / st563732.exe / 84
- PID 116 wrote to memory of 3396 / 116 / st563732.exe / 84
- PID 116 wrote to memory of 3396 / 116 / st563732.exe / 84
- PID 116 wrote to memory of 5072 / 116 / st563732.exe / 92
- PID 116 wrote to memory of 5072 / 116 / st563732.exe / 92
- PID 116 wrote to memory of 5072 / 116 / st563732.exe / 92
Processes (process tree; indentation shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\096f2ca5221f50256a542cb4a08142a91878ca8c3d6fb4d82fc0bc2ef975176b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\096f2ca5221f50256a542cb4a08142a91878ca8c3d6fb4d82fc0bc2ef975176b.exe"
  PID: 2308
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st563732.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st563732.exe
    PID: 116
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\27820816.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\27820816.exe
      PID: 3396
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp684552.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp684552.exe
      PID: 5072
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads
- Filesize: 496KB
  MD5: a0df480fc3d1f3da3a1a34801d40c1ef
  SHA1: f7b1f9bc7cbb75e56ca516222fa4e47927b9ce95
  SHA256: 1db8a825dfa321b62c905e51f6c52f2873fd75d809b5db830f496acb4249abbf
  SHA512: 3b684e898f1e53156efe20893808e968f8daf194685ccb46395b96188e73bc89294e147a05aa0363dacfedd6544168f12a5770dc6e08092b1c54199a260b8abb
- Filesize: 175KB
  MD5: a165b5f6b0a4bdf808b71de57bf9347d
  SHA1: 39a7b301e819e386c162a47e046fa384bb5ab437
  SHA256: 68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a
  SHA512: 3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1
- Filesize: 341KB
  MD5: 0d4d27ddde0962faff34baaf29f97317
  SHA1: ad33927726ae40f131cadd942fc506f0558d96f2
  SHA256: cae246f41ca5e037ab8e7c7f4d8298ba635d7b439e7616fa527d858110d4b517
  SHA512: f03575917ccf71ba2e802ff9d6337392e58897a7cd7be309769b3c27ba7e277226b468e486ad8829fc82a564e9dfca283a6b54605fe27e76117840116ebe765f