Analysis
- max time kernel: 142s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-11-2024 01:37
- Static task: static1
- Behavioral task: behavioral1
- Sample: 0c917aadd93b36059c7b37cd67e94d04b2ae6ea6588c186df7ecd4ef46d0429e.exe
- Resource: win10v2004-20241007-en
General
- Target: 0c917aadd93b36059c7b37cd67e94d04b2ae6ea6588c186df7ecd4ef46d0429e.exe
- Size: 751KB
- MD5: e4b1bf53f0d007059cb74594933a6811
- SHA1: 7e6fd0ac3a3e4ac728156030864a75504397c8b2
- SHA256: 0c917aadd93b36059c7b37cd67e94d04b2ae6ea6588c186df7ecd4ef46d0429e
- SHA512: 7fb42058ba73357dfd4cd1041e121fb7e52748309a3840f555375a2b4322e385ffbb73e7e4752e22cc471b28d531b5da1087d741f30de927249074785ab65231
- SSDEEP: 12288:Py90Di6WpZBupXTAB7xxmKIVYWaxaEL0eTrl30MPuxmvtIEC4gZRvFJlQ4yNCUuK:PysWHsTAt6KIutxa4Trt4qC3ZJNwNC+x
Malware Config
Signatures
-
Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family
Modifies Windows Defender Real-time Protection settings
Processes:
- 97657439.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
- 97657439.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- 97657439.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- 97657439.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- 97657439.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- 97657439.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (20 IoCs)
Redline family
-
Executes dropped EXE (3 IoCs)
Processes:
- PID 1060: un603417.exe
- PID 1304: 97657439.exe
- PID 4940: rk653019.exe
Windows security modification
Processes:
- 97657439.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
- 97657439.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- 0c917aadd93b36059c7b37cd67e94d04b2ae6ea6588c186df7ecd4ef46d0429e.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- un603417.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- 0c917aadd93b36059c7b37cd67e94d04b2ae6ea6588c186df7ecd4ef46d0429e.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- un603417.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- 97657439.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- rk653019.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- PID 1304: 97657439.exe
- PID 1304: 97657439.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- PID 1304 (97657439.exe): Token: SeDebugPrivilege
- PID 4940 (rk653019.exe): Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
- PID 5024 (0c917aadd93b36059c7b37cd67e94d04b2ae6ea6588c186df7ecd4ef46d0429e.exe) wrote to memory of PID 1060 (un603417.exe)
- PID 5024 (0c917aadd93b36059c7b37cd67e94d04b2ae6ea6588c186df7ecd4ef46d0429e.exe) wrote to memory of PID 1060 (un603417.exe)
- PID 5024 (0c917aadd93b36059c7b37cd67e94d04b2ae6ea6588c186df7ecd4ef46d0429e.exe) wrote to memory of PID 1060 (un603417.exe)
- PID 1060 (un603417.exe) wrote to memory of PID 1304 (97657439.exe)
- PID 1060 (un603417.exe) wrote to memory of PID 1304 (97657439.exe)
- PID 1060 (un603417.exe) wrote to memory of PID 1304 (97657439.exe)
- PID 1060 (un603417.exe) wrote to memory of PID 4940 (rk653019.exe)
- PID 1060 (un603417.exe) wrote to memory of PID 4940 (rk653019.exe)
- PID 1060 (un603417.exe) wrote to memory of PID 4940 (rk653019.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\0c917aadd93b36059c7b37cd67e94d04b2ae6ea6588c186df7ecd4ef46d0429e.exe (command line: "C:\Users\Admin\AppData\Local\Temp\0c917aadd93b36059c7b37cd67e94d04b2ae6ea6588c186df7ecd4ef46d0429e.exe"), PID 5024
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un603417.exe (command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un603417.exe), PID 1060
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\97657439.exe (command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\97657439.exe), PID 1304
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk653019.exe (command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk653019.exe), PID 4940
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads
- Filesize: 597KB
  - MD5: 500e06569ccba6d2e3f07b83de33dcd6
  - SHA1: 285b78bf7cb2df54124adbe46770c3a77d308f0e
  - SHA256: 5af465c97bdf9d54d6d0d79ce7e5768db23c63700a6d28fdf43fb82d5c6b5a47
  - SHA512: c10a3d8eac4e3975a45ba3843429f86fd95f59708ca3d75edaa2f74cbdb74a5787c26161aff60d8d6d04bc031a91bd2633893bfb456a60b261ced407bc0862da
- Filesize: 377KB
  - MD5: 46b5b926bdcb581190d1a0da7a9c2a83
  - SHA1: 9c251e4903dd9d38d4934c5de1c696355e46b477
  - SHA256: 8c35a87a3b8a42e8f6e7bfb84b6032b27cdb268701f2d74b3cae7de323080b49
  - SHA512: f11732d463e752702e6019584260f51954622876b264f9ef51484559b4d814ef7221e63f60dfb4e46a3ac1ced0c18fe9a3f9c45f43250339d45d7c731868eded
- Filesize: 459KB
  - MD5: 0cf7bd91b621dece512d193d5af877e5
  - SHA1: 10c5301f32d916893860f77486aa63b7ee4e1150
  - SHA256: 2302d9ccb137211a19517d77f0b83c5378aeaa36b423ba853e947f11412f8163
  - SHA512: 4cec0173b3737d7f5372f7fa1099aceb802d226092d4d4e175d0e8d7e1ddec7921ab6ea551ce52591982a9277d2446839fe7ee3a024e3d32b06714fc48fd76b0