Analysis
- max time kernel: 144s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-11-2024 00:42
- Static task: static1
- Behavioral task: behavioral1
- Sample: 9337f25bae5cb0e47ef3d341e2cd27a9759554aa7d77dcae31d29b149e656d2e.exe
- Resource: win10v2004-20241007-en
General
- Target: 9337f25bae5cb0e47ef3d341e2cd27a9759554aa7d77dcae31d29b149e656d2e.exe
- Size: 943KB
- MD5: e14d67f96a833eda10a34af650686493
- SHA1: 27511a09716d985b8346bb36be75fad57061a82f
- SHA256: 9337f25bae5cb0e47ef3d341e2cd27a9759554aa7d77dcae31d29b149e656d2e
- SHA512: 02066436d62e6a5c485d5a138c922c2c73fa6d06f76c1ac6d9149b62210360bc6448df00e5f2949929169bf919b944343b0e893d078d3c6a1fd5e77fa303d326
- SSDEEP: 24576:ay+175cv8OubWb0eDHEj83P2y2Q6b+Gxi3XXtKd4nNI:h+vcIeDH3/T2QqIXtyKN
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family
Modifies Windows Defender Real-time Protection settings
Registry operations by pr240863.exe:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Redline family
Executes dropped EXE (4 IoCs)
Dropped executables launched (PID, process):
- 4880 un416068.exe
- 3580 un348293.exe
- 3092 pr240863.exe
- 3412 qu992704.exe
Windows security modification
Registry operations by pr240863.exe:
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application (2 TTPs, 3 IoCs)
Registry operations (process: operation):
- 9337f25bae5cb0e47ef3d341e2cd27a9759554aa7d77dcae31d29b149e656d2e.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- un416068.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
- un348293.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
Program crash (1 IoC)
- WerFault.exe (PID 2108) handled the crash of target PID 3092 (procid_target 86)
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Registry key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of:
- 9337f25bae5cb0e47ef3d341e2cd27a9759554aa7d77dcae31d29b149e656d2e.exe
- un416068.exe
- un348293.exe
- pr240863.exe
- qu992704.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 3092 pr240863.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 3092 pr240863.exe
- Token: SeDebugPrivilege, PID 3412 qu992704.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Cross-process memory writes (each recorded three times in the report):
- PID 4160 wrote to memory of 4880: 9337f25bae5cb0e47ef3d341e2cd27a9759554aa7d77dcae31d29b149e656d2e.exe (procid_target 83)
- PID 4880 wrote to memory of 3580: un416068.exe (procid_target 84)
- PID 3580 wrote to memory of 3092: un348293.exe (procid_target 86)
- PID 3580 wrote to memory of 3412: un348293.exe (procid_target 101)
Processes
- C:\Users\Admin\AppData\Local\Temp\9337f25bae5cb0e47ef3d341e2cd27a9759554aa7d77dcae31d29b149e656d2e.exe (PID 4160)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9337f25bae5cb0e47ef3d341e2cd27a9759554aa7d77dcae31d29b149e656d2e.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un416068.exe (PID 4880)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un416068.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un348293.exe (PID 3580)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un348293.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr240863.exe (PID 3092)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr240863.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\WerFault.exe (PID 2108)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 1080
          - Program crash
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu992704.exe (PID 3412)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu992704.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 3096)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3092 -ip 3092
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)