Analysis
max time kernel: 138s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 10-11-2024 01:44
Static task: static1
Behavioral task: behavioral1
Sample: 25c6aca107ceb747763bb331b297a15750ecbc4bad01daa788e43c6af6ece9e1.exe
Resource: win10v2004-20241007-en
General
Target: 25c6aca107ceb747763bb331b297a15750ecbc4bad01daa788e43c6af6ece9e1.exe
Size: 376KB
MD5: f4632d0554b52c10926b0a47e6677fc2
SHA1: 24492a0bc5def56cb7ea620e6db4941eef32e3ed
SHA256: 25c6aca107ceb747763bb331b297a15750ecbc4bad01daa788e43c6af6ece9e1
SHA512: 765b9353d5119f4fcb06e3d02e62bcb9ebb1d7d6e09b0f6ca9a226c01ccd3629f830a9f6e1475ff987fad36e4213b14f5c8ce524ffd750c1a8e23715989da08c
SSDEEP: 6144:KSy+bnr+Gp0yN90QESAdtTgtiG6opOIOKfv04EcXM0Php+FE8yfQhqWAqWacIGK0:iMr+y908ArUtr7OKUmzhp+YYhqWARacL
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper 2 IoCs
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8141651.exe  yara_rule: healer
  resource: behavioral1/memory/4380-15-0x00000000007F0000-0x00000000007FA000-memory.dmp  yara_rule: healer
Healer family
Modifies Windows Defender Real-time Protection settings
Processes:
  a8141651.exe  Key created      \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
  a8141651.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
  a8141651.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
  a8141651.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  a8141651.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
  a8141651.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
These values live under the machine-wide Policies hive, so they override the user-facing Defender settings and stay in effect until the key is removed; creating and populating that key requires write access to HKLM, which the sample evidently had in the analysis VM.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 2 IoCs
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1522924.exe  yara_rule: family_redline
  resource: behavioral1/memory/4480-21-0x0000000000F30000-0x0000000000F58000-memory.dmp  yara_rule: family_redline
Redline family
Executes dropped EXE 3 IoCs
Processes:
  pid 2584  v2632558.exe
  pid 4380  a8141651.exe
  pid 4480  b1522924.exe
Windows security modification
Processes:
  a8141651.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  25c6aca107ceb747763bb331b297a15750ecbc4bad01daa788e43c6af6ece9e1.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  v2632558.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Both entries are the stock cleanup values that the Windows IExpress self-extractor (WEXTRACT) writes so that its IXP00n.TMP extraction directory is deleted at the next logon; together with the IXP000.TMP and IXP001.TMP paths they show that the sample and v2632558.exe are nested IExpress packages. Treat this as an unpacking artifact rather than attacker-authored persistence: nothing here re-launches the payloads.
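A host-side triage check for the three registry modifications recorded above (the Real-Time Protection policy values, the TamperProtection feature flag and the wextract_cleanup RunOnce entries), written as an added example for this report; it is not code from the sandbox, the report, or the malware. It assumes an elevated PowerShell session on a Windows 10 host with the Defender cmdlets available. The registry paths and value names are taken from the report; treating 1 for the policy values and 0 for TamperProtection as indicators follows what the sample wrote, and the clean baseline (policy values absent, Defender reporting real-time protection and tamper protection on) is an assumption about a host that is not managed by a Group Policy that deliberately disables them.

```powershell
# Added triage check, not part of the sandbox report. Run elevated.
# Registry locations and value names are those recorded for a8141651.exe
# and the two IExpress stages above; baseline expectations are assumptions.

$rtpPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
$rtpValues = @(
    'DisableBehaviorMonitoring',
    'DisableIOAVProtection',
    'DisableOnAccessProtection',
    'DisableRealtimeMonitoring',
    'DisableScanOnRealtimeEnable'
)
$findings = @()

# 1. Policy values the sample set to 1. The key normally does not exist at all
#    on an unmanaged host, so its mere presence is worth a look.
if (Test-Path $rtpPolicy) {
    $findings += "Policy key present: $rtpPolicy"
    $props = Get-ItemProperty -Path $rtpPolicy
    foreach ($name in $rtpValues) {
        $prop = $props.PSObject.Properties[$name]
        if ($null -ne $prop -and [int]$prop.Value -eq 1) {
            $findings += "  $name = 1"
        }
    }
}

# 2. TamperProtection feature flag, which the sample cleared to 0.
$features = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
$tp = (Get-ItemProperty -Path $features -ErrorAction SilentlyContinue).TamperProtection
if ($null -ne $tp -and $tp -eq 0) {
    $findings += "TamperProtection = 0 under $features"
}

# 3. Cross-check against the Defender engine's own view of its effective state.
try {
    $status = Get-MpComputerStatus -ErrorAction Stop
    if (-not $status.RealTimeProtectionEnabled) { $findings += 'Defender reports RealTimeProtectionEnabled = False' }
    if (-not $status.IsTamperProtected)         { $findings += 'Defender reports IsTamperProtected = False' }
} catch {
    $findings += "Get-MpComputerStatus failed: $($_.Exception.Message) (Defender service stopped or removed?)"
}

# 4. IExpress cleanup entries. These are legitimate WEXTRACT residue, but on a
#    host that has not just run an installer they point at the IXP00n.TMP
#    directories where the dropped stages were unpacked.
$runOnce = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
if (Test-Path $runOnce) {
    (Get-ItemProperty -Path $runOnce).PSObject.Properties |
        Where-Object { $_.Name -like 'wextract_cleanup*' } |
        ForEach-Object { $findings += "RunOnce $($_.Name) = $($_.Value)" }
}

if ($findings.Count -eq 0) {
    'No Defender tampering or IExpress cleanup indicators found.'
} else {
    $findings
}
```

Reading the Policies key and the Features key side by side matters because the two are independent controls: a host can have TamperProtection still enabled in Get-MpComputerStatus while the policy values are present but not yet applied, or vice versa, and only the combination tells you whether the sample's changes actually took effect on this machine.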
Launches sc.exe 1 IoCs
sc.exe is the Windows utility for controlling services on the system; here it is invoked as "sc.exe start wuauserv", which starts the Windows Update service.
Processes:
  pid 2468  sc.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Opening the NLS\Language key is also done by ordinary locale initialisation, so on its own this is a weak indicator; it is listed because all three stages do it.
Processes:
  25c6aca107ceb747763bb331b297a15750ecbc4bad01daa788e43c6af6ece9e1.exe  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  v2632558.exe  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  b1522924.exe  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  pid 4380  a8141651.exe
  pid 4380  a8141651.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  a8141651.exe  Token: SeDebugPrivilege  pid 4380
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
  PID 4472 wrote to memory of 2584  25c6aca107ceb747763bb331b297a15750ecbc4bad01daa788e43c6af6ece9e1.exe -> v2632558.exe
  PID 4472 wrote to memory of 2584  25c6aca107ceb747763bb331b297a15750ecbc4bad01daa788e43c6af6ece9e1.exe -> v2632558.exe
  PID 4472 wrote to memory of 2584  25c6aca107ceb747763bb331b297a15750ecbc4bad01daa788e43c6af6ece9e1.exe -> v2632558.exe
  PID 2584 wrote to memory of 4380  v2632558.exe -> a8141651.exe
  PID 2584 wrote to memory of 4380  v2632558.exe -> a8141651.exe
  PID 2584 wrote to memory of 4480  v2632558.exe -> b1522924.exe
  PID 2584 wrote to memory of 4480  v2632558.exe -> b1522924.exe
  PID 2584 wrote to memory of 4480  v2632558.exe -> b1522924.exe
Every target is the writing process's own newly created child (4472 -> 2584, 2584 -> 4380, 2584 -> 4480); the report records no writes into any unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\25c6aca107ceb747763bb331b297a15750ecbc4bad01daa788e43c6af6ece9e1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\25c6aca107ceb747763bb331b297a15750ecbc4bad01daa788e43c6af6ece9e1.exe"
  PID: 4472
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2632558.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2632558.exe
    PID: 2584
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8141651.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8141651.exe
      PID: 4380
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1522924.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1522924.exe
      PID: 4480
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
C:\Windows\system32\sc.exe
  command line: C:\Windows\system32\sc.exe start wuauserv
  PID: 2468
  - Launches sc.exe
The sc.exe invocation appears as a separate top-level process; the report does not record which process launched it.
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 204KB
MD5: 09b443cfc7943915e739ec0e7224b9dc
SHA1: afaeb63b9f1685d1df9332a09dfa591399e7ac63
SHA256: baa51ce5aa70db9da87c3665e2b0774d7e7179c66fb0335d0ba1289231e3bff5
SHA512: 7886db84506ea521395dd0829a611e3a19a9c11b88c73bd567b18dfc7ee527a13b4be815085cd5b09b062d88327bf3a1e98afad8c6f9f65e91739d87e0c7f984

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 136KB
MD5: 30d0ee0947be55272def37f502e40d83
SHA1: 67dec087565870ddbba362f33bc909491d56f0d7
SHA256: 876c00366d8cdda682030628307cbcbd8a90ffc831cb0176173207b36bf28514
SHA512: 0b98ba7648398642441894a970d889d0d4769317531473def2decb847bdb9472b0b3671f96126ad7ad023d4a434cbcef8da7c8663df718dcf6ee3557874ad284