Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 00:36
Static task: static1
Behavioral task: behavioral1
Sample: 955cf549414927f3c0e750697515eafd1373a71e3bac7b3d7a90e6bd834c3b63.exe
Resource: win10v2004-20241007-en
General
Target: 955cf549414927f3c0e750697515eafd1373a71e3bac7b3d7a90e6bd834c3b63.exe
Size: 690KB
MD5: 60b21539ecd57098faec643a8ad1325b
SHA1: 8b670d2d46fc78e8f8f29be6970ec8cc73a4e75d
SHA256: 955cf549414927f3c0e750697515eafd1373a71e3bac7b3d7a90e6bd834c3b63
SHA512: 8939c9499c226b9326f6bb720d204c0b4567ed477db41381c51ccdf00e98e2c45e66183322ceed0c7ac022697a11f969ef4e9c2ae0df75fa5c338c4058132ef1
SSDEEP: 12288:by90VNDBZb7UNEK3RnNS/K4Im4AdyteLVxhR0sKfb2ym+kuX:byKDPUNB3Iim43texxTKz2yvrX
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Processes (resource, yara_rule):
behavioral1/memory/2800-19-0x0000000002380000-0x000000000239A000-memory.dmp  healer
behavioral1/memory/2800-21-0x00000000049F0000-0x0000000004A08000-memory.dmp  healer
behavioral1/memory/2800-22-0x00000000049F0000-0x0000000004A03000-memory.dmp  healer
behavioral1/memory/2800-49-0x00000000049F0000-0x0000000004A03000-memory.dmp  healer
behavioral1/memory/2800-47-0x00000000049F0000-0x0000000004A03000-memory.dmp  healer
behavioral1/memory/2800-45-0x00000000049F0000-0x0000000004A03000-memory.dmp  healer
behavioral1/memory/2800-43-0x00000000049F0000-0x0000000004A03000-memory.dmp  healer
behavioral1/memory/2800-41-0x00000000049F0000-0x0000000004A03000-memory.dmp  healer
behavioral1/memory/2800-39-0x00000000049F0000-0x0000000004A03000-memory.dmp  healer
behavioral1/memory/2800-37-0x00000000049F0000-0x0000000004A03000-memory.dmp  healer
behavioral1/memory/2800-35-0x00000000049F0000-0x0000000004A03000-memory.dmp  healer
behavioral1/memory/2800-33-0x00000000049F0000-0x0000000004A03000-memory.dmp  healer
behavioral1/memory/2800-31-0x00000000049F0000-0x0000000004A03000-memory.dmp  healer
behavioral1/memory/2800-29-0x00000000049F0000-0x0000000004A03000-memory.dmp  healer
behavioral1/memory/2800-27-0x00000000049F0000-0x0000000004A03000-memory.dmp  healer
behavioral1/memory/2800-25-0x00000000049F0000-0x0000000004A03000-memory.dmp  healer
behavioral1/memory/2800-23-0x00000000049F0000-0x0000000004A03000-memory.dmp  healer
Healer family
Modifies Windows Defender Real-time Protection settings
Processes (description, ioc, Process):
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  47764990.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  47764990.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  47764990.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  47764990.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  47764990.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  47764990.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Processes (resource, yara_rule):
behavioral1/memory/1020-61-0x00000000024E0000-0x000000000251C000-memory.dmp  family_redline
behavioral1/memory/1020-62-0x0000000004A60000-0x0000000004A9A000-memory.dmp  family_redline
behavioral1/memory/1020-66-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
behavioral1/memory/1020-86-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
behavioral1/memory/1020-97-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
behavioral1/memory/1020-94-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
behavioral1/memory/1020-93-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
behavioral1/memory/1020-90-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
behavioral1/memory/1020-88-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
behavioral1/memory/1020-84-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
behavioral1/memory/1020-82-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
behavioral1/memory/1020-80-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
behavioral1/memory/1020-78-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
behavioral1/memory/1020-76-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
behavioral1/memory/1020-74-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
behavioral1/memory/1020-72-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
behavioral1/memory/1020-70-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
behavioral1/memory/1020-68-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
behavioral1/memory/1020-64-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
behavioral1/memory/1020-63-0x0000000004A60000-0x0000000004A95000-memory.dmp  family_redline
Redline family
Executes dropped EXE (3 IoCs)
Processes (pid, Process):
2196  un287348.exe
2800  47764990.exe
1020  rk306350.exe
Windows security modification
Processes (description, ioc, Process):
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  47764990.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  47764990.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, Process):
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  955cf549414927f3c0e750697515eafd1373a71e3bac7b3d7a90e6bd834c3b63.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  un287348.exe
Program crash (1 IoCs)
Processes (pid, pid_target, Process, procid_target):
996  2800  WerFault.exe  84
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description, ioc, Process):
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  un287348.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  47764990.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rk306350.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  955cf549414927f3c0e750697515eafd1373a71e3bac7b3d7a90e6bd834c3b63.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid, Process):
2800  47764990.exe
2800  47764990.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, Process):
Token: SeDebugPrivilege  2800  47764990.exe
Token: SeDebugPrivilege  1020  rk306350.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description, pid, Process, procid_target):
PID 4656 wrote to memory of 2196  4656  955cf549414927f3c0e750697515eafd1373a71e3bac7b3d7a90e6bd834c3b63.exe  83
PID 4656 wrote to memory of 2196  4656  955cf549414927f3c0e750697515eafd1373a71e3bac7b3d7a90e6bd834c3b63.exe  83
PID 4656 wrote to memory of 2196  4656  955cf549414927f3c0e750697515eafd1373a71e3bac7b3d7a90e6bd834c3b63.exe  83
PID 2196 wrote to memory of 2800  2196  un287348.exe  84
PID 2196 wrote to memory of 2800  2196  un287348.exe  84
PID 2196 wrote to memory of 2800  2196  un287348.exe  84
PID 2196 wrote to memory of 1020  2196  un287348.exe  99
PID 2196 wrote to memory of 1020  2196  un287348.exe  99
PID 2196 wrote to memory of 1020  2196  un287348.exe  99
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\955cf549414927f3c0e750697515eafd1373a71e3bac7b3d7a90e6bd834c3b63.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\955cf549414927f3c0e750697515eafd1373a71e3bac7b3d7a90e6bd834c3b63.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4656
  (depth 2) C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un287348.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un287348.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2196
    (depth 3) C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47764990.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47764990.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2800
      (depth 4) C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 1088
        - Program crash
        PID: 996
    (depth 3) C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk306350.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk306350.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 1020
(depth 1) C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2800 -ip 2800
  PID: 5112
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 536KB
MD5: d7f5d5396951417d14ca787e07fab222
SHA1: 02f61860a7f77e874fd2c2e63f3f1fcb710d9013
SHA256: 272b59e93882835b6a6787b2ac77eebbc85c4483d90b2911954b6b3df64a1b34
SHA512: d07e9980d1fd4541d15dcdb9b9735f1aff2b4d1b5baf8521feabc6259c80cc21b60fa636af23003210d88be7d33bd5f2630949825ae5357dddd416fa84e79e1e

Filesize: 259KB
MD5: f7c6d08f6fcdadcb2c1220d9d76c49cf
SHA1: ed0eb68b0ad31a0550b20ec43dc002e56fa154e6
SHA256: 52f2c5b12848266cda3351c1e1a02f84a6938d645f347c223fd6fe194d6096c6
SHA512: 696a1fb263af06407bf8a06c96af5ae624aef8af8ef225aa83c2b7d38f2065b8195e4579a7594896f460d64b2cdb08f961fe7c75bd7e0f1f38335cb35d71d25b

Filesize: 341KB
MD5: 7b3f5d71d3243761565d9c9fa752d0b7
SHA1: c8394f59c307cc22a4599e7c89514eb31a08fccf
SHA256: 68ed4d61c3026da0fe38f08510de6426db891a37446fdf8a278fa21c33e079f0
SHA512: d01ed08d85f7623d3549432df1422ea62d84501779bf6af2ad6ca9679d1af30a4cadd2c73d9775e14ee3968467528531f9d27e74ca00956c7d0d1b7aee44834f