Analysis
max time kernel: 149s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/11/2024, 03:26
Static task: static1
Behavioral task: behavioral1
Sample: 77ada19603fa36e360862322a82d3504f0ba4af56090cec2feb53e0031ae1977.exe
Resource: win10v2004-20241007-en
General
Target: 77ada19603fa36e360862322a82d3504f0ba4af56090cec2feb53e0031ae1977.exe
Size: 696KB
MD5: 7621ff0c69dd40b75ebc17bd6c7b0ebe
SHA1: 665d3a307221c17106ff9cea820c4930b5261174
SHA256: 77ada19603fa36e360862322a82d3504f0ba4af56090cec2feb53e0031ae1977
SHA512: 480e8df0a6c2accfe44cc7c6d7172f1d05ab2db36c7459be9f8438a71c92fc2c7316e5a83ca930af9c8ae4cf1bac14722225cf4409c87225062eeda62fceaf88
SSDEEP: 12288:Gy90+H3mYCpof4/Ytko4MWlm/SPTHqFX6wQsywZUhVqoEXY:Gy/X+pU4/YGaW4aPTKFqwQDMoEXY
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family
Modifies Windows Defender Real-time Protection settings (process 89533053.exe):
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Redline family
Executes dropped EXE (3 IoCs)
pid   Process
3808  un141819.exe
4552  89533053.exe
3860  rk992039.exe
Windows security modification (process 89533053.exe):
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application (2 TTPs, 2 IoCs)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process 77ada19603fa36e360862322a82d3504f0ba4af56090cec2feb53e0031ae1977.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process un141819.exe)
Program crash (1 IoCs)
pid   pid_target  Process       procid_target
4868  4552        WerFault.exe  84
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process 77ada19603fa36e360862322a82d3504f0ba4af56090cec2feb53e0031ae1977.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process un141819.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process 89533053.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process rk992039.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
4552  89533053.exe
4552  89533053.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description               pid   Process
Token: SeDebugPrivilege   4552  89533053.exe
Token: SeDebugPrivilege   3860  rk992039.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description                       pid   Process                                                                   procid_target
PID 2336 wrote to memory of 3808  2336  77ada19603fa36e360862322a82d3504f0ba4af56090cec2feb53e0031ae1977.exe  83
PID 2336 wrote to memory of 3808  2336  77ada19603fa36e360862322a82d3504f0ba4af56090cec2feb53e0031ae1977.exe  83
PID 2336 wrote to memory of 3808  2336  77ada19603fa36e360862322a82d3504f0ba4af56090cec2feb53e0031ae1977.exe  83
PID 3808 wrote to memory of 4552  3808  un141819.exe                                                              84
PID 3808 wrote to memory of 4552  3808  un141819.exe                                                              84
PID 3808 wrote to memory of 4552  3808  un141819.exe                                                              84
PID 3808 wrote to memory of 3860  3808  un141819.exe                                                              101
PID 3808 wrote to memory of 3860  3808  un141819.exe                                                              101
PID 3808 wrote to memory of 3860  3808  un141819.exe                                                              101
Processes
Level 1: "C:\Users\Admin\AppData\Local\Temp\77ada19603fa36e360862322a82d3504f0ba4af56090cec2feb53e0031ae1977.exe" (PID: 2336)
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un141819.exe (PID: 3808)
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\89533053.exe (PID: 4552)
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      Level 4: C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 1004 (PID: 4868)
        - Program crash
    Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk992039.exe (PID: 3860)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Level 1: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4552 -ip 4552 (PID: 2912)
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads