Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:41
Static task: static1
Behavioral task: behavioral1
Sample: c6ce1316fe2dbd7a91d0510d66a7557d69180dcf17d99b6171cd8fd6a9dd86d1.exe
Resource: win10v2004-20241007-en
General
Target: c6ce1316fe2dbd7a91d0510d66a7557d69180dcf17d99b6171cd8fd6a9dd86d1.exe
Size: 704KB
MD5: abbcda65bf1c4e30e14532d6c0b36d22
SHA1: 79266536c2e50532f878529eb988b50910ff893e
SHA256: c6ce1316fe2dbd7a91d0510d66a7557d69180dcf17d99b6171cd8fd6a9dd86d1
SHA512: 3daff1252d295e389b4d5afd6ceb76c330368cc39122d8da4ad95d6d19d3947da11f8beb6d586b4dbe25e2402e0b1bbf2a29a834fb3088f75517bca6e19728ef
SSDEEP: 12288:My90+gojs5HDCJYB/AOzcgx9scZojPfEF9miMZaTbIiZty1gSWZjvDs:MyRgs4HDBHAo9R+jfs9miAa3cgf1Y
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings
Processes: pr736607.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (pr736607.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (pr736607.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (pr736607.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (pr736607.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (pr736607.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (pr736607.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Redline family
Executes dropped EXE (3 IoCs)
Processes:
- PID 2924: un834213.exe
- PID 980: pr736607.exe
- PID 4160: qu943508.exe
Windows security modification
Processes: pr736607.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (pr736607.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (pr736607.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: c6ce1316fe2dbd7a91d0510d66a7557d69180dcf17d99b6171cd8fd6a9dd86d1.exe, un834213.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (c6ce1316fe2dbd7a91d0510d66a7557d69180dcf17d99b6171cd8fd6a9dd86d1.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un834213.exe)
Program crash (1 IoCs)
Processes:
- PID 4808 WerFault.exe, target PID 980 pr736607.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: c6ce1316fe2dbd7a91d0510d66a7557d69180dcf17d99b6171cd8fd6a9dd86d1.exe, un834213.exe, pr736607.exe, qu943508.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (c6ce1316fe2dbd7a91d0510d66a7557d69180dcf17d99b6171cd8fd6a9dd86d1.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (un834213.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (pr736607.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (qu943508.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- PID 980 pr736607.exe
- PID 980 pr736607.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 980 pr736607.exe
- Token: SeDebugPrivilege, PID 4160 qu943508.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: c6ce1316fe2dbd7a91d0510d66a7557d69180dcf17d99b6171cd8fd6a9dd86d1.exe, un834213.exe
- PID 844 (c6ce1316fe2dbd7a91d0510d66a7557d69180dcf17d99b6171cd8fd6a9dd86d1.exe) wrote to memory of PID 2924 (un834213.exe)
- PID 844 (c6ce1316fe2dbd7a91d0510d66a7557d69180dcf17d99b6171cd8fd6a9dd86d1.exe) wrote to memory of PID 2924 (un834213.exe)
- PID 844 (c6ce1316fe2dbd7a91d0510d66a7557d69180dcf17d99b6171cd8fd6a9dd86d1.exe) wrote to memory of PID 2924 (un834213.exe)
- PID 2924 (un834213.exe) wrote to memory of PID 980 (pr736607.exe)
- PID 2924 (un834213.exe) wrote to memory of PID 980 (pr736607.exe)
- PID 2924 (un834213.exe) wrote to memory of PID 980 (pr736607.exe)
- PID 2924 (un834213.exe) wrote to memory of PID 4160 (qu943508.exe)
- PID 2924 (un834213.exe) wrote to memory of PID 4160 (qu943508.exe)
- PID 2924 (un834213.exe) wrote to memory of PID 4160 (qu943508.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\c6ce1316fe2dbd7a91d0510d66a7557d69180dcf17d99b6171cd8fd6a9dd86d1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c6ce1316fe2dbd7a91d0510d66a7557d69180dcf17d99b6171cd8fd6a9dd86d1.exe"
  PID: 844
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un834213.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un834213.exe
      PID: 2924
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr736607.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr736607.exe
          PID: 980
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 1092
              PID: 4808
              - Program crash
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu943508.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu943508.exe
          PID: 4160
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 980 -ip 980
  PID: 4068
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
- Filesize: 550KB
  MD5: e88debb1e2dc07489a2edf627bd557ea
  SHA1: 77446c00c7db7dae3b33cebbffbfc33606d31b3b
  SHA256: 6f46132c1f67f86b338cf4c6b12dfddbb20fc5ea05c487c9d169fcb5d6100cb2
  SHA512: def6e7a62f21673d1211d810dbd3f48e4ce89ff7b0fa29d90590d4321a66dbb6cf0b3da05e207c33e9f9422090d7cf1d12d30de2cead20624cc0c8d194a919d3
- Filesize: 286KB
  MD5: 62bc5bfbf472208f1e06e76c0c654c9e
  SHA1: 897d8859f26be592b4b95075a00d20886c81eabb
  SHA256: 7c652762a194775f36f175524e34d6db233cf71b233ebc903ec733f9b73e7858
  SHA512: c6f4463b55fba52c2a421f985e893f464964f1a2aa6a43a745a585ca2d2c8c173be0d074f03b51bb8250711583d031df0fd1737dfeb9ecc855ee97a452d7493f
- Filesize: 368KB
  MD5: e7d892dca8c5aae1a9ea968aa82341be
  SHA1: 24c4a9b0c674ee9378108885d805a12ceee5a8b9
  SHA256: c77eef5a8c668dc5e90328353b8d5593b926a4ec93e043f9fa39df8361993abc
  SHA512: 401223f098743a34226be891dc3d0ee3fbed2725cb6668a654b1cc509e8943bb5236014ce4ad7c09d31a84854f059c5fdbba651b799a82123f977f5f25a8d214