Analysis

max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 06:54

Static task: static1
Behavioral task: behavioral1
  Sample: dc02cb80ce04c12931090bc81f6e4653a41d2cdcb0804c4c722964eaf0399cd9.exe
  Resource: win10v2004-20241007-en
General

Target: dc02cb80ce04c12931090bc81f6e4653a41d2cdcb0804c4c722964eaf0399cd9.exe
Size: 1.6MB
MD5: 7e0243623b857c121f5b1472ebedf15e
SHA1: eeb6d6fb4e82ef6789fb2beb87410db75c078c4f
SHA256: dc02cb80ce04c12931090bc81f6e4653a41d2cdcb0804c4c722964eaf0399cd9
SHA512: 29cc5aa2445c2b04e0ec0302e02d887aa80fe46d1435fc941ad8cfd1075ab9f21e9726300b9ecea7e57fec92221e407b7ba607f46fc97f4add3382382c3c2871
SSDEEP: 24576:1yZ15D64pP6PHYw3H0zHDJWh28p0kJdd7rGH2PCErg36XoTkqW:QzNpprvzcjpaH2b064F
Malware Config
Signatures
-
Detects Healer, an antivirus disabler dropper (17 IoCs)

All 17 matches of the healer YARA rule are in memory dumps of PID 4060 (a9213063.exe); dumps 39 through 66 cover the same region 0x0000000002910000-0x0000000002922000.

resource | yara_rule
behavioral1/memory/4060-36-0x00000000024F0000-0x000000000250A000-memory.dmp | healer
behavioral1/memory/4060-38-0x0000000002910000-0x0000000002928000-memory.dmp | healer
behavioral1/memory/4060-39-0x0000000002910000-0x0000000002922000-memory.dmp | healer
behavioral1/memory/4060-40-0x0000000002910000-0x0000000002922000-memory.dmp | healer
behavioral1/memory/4060-42-0x0000000002910000-0x0000000002922000-memory.dmp | healer
behavioral1/memory/4060-44-0x0000000002910000-0x0000000002922000-memory.dmp | healer
behavioral1/memory/4060-46-0x0000000002910000-0x0000000002922000-memory.dmp | healer
behavioral1/memory/4060-48-0x0000000002910000-0x0000000002922000-memory.dmp | healer
behavioral1/memory/4060-50-0x0000000002910000-0x0000000002922000-memory.dmp | healer
behavioral1/memory/4060-52-0x0000000002910000-0x0000000002922000-memory.dmp | healer
behavioral1/memory/4060-54-0x0000000002910000-0x0000000002922000-memory.dmp | healer
behavioral1/memory/4060-56-0x0000000002910000-0x0000000002922000-memory.dmp | healer
behavioral1/memory/4060-58-0x0000000002910000-0x0000000002922000-memory.dmp | healer
behavioral1/memory/4060-60-0x0000000002910000-0x0000000002922000-memory.dmp | healer
behavioral1/memory/4060-62-0x0000000002910000-0x0000000002922000-memory.dmp | healer
behavioral1/memory/4060-64-0x0000000002910000-0x0000000002922000-memory.dmp | healer
behavioral1/memory/4060-66-0x0000000002910000-0x0000000002922000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings (a9213063.exe, PID 4060)

The Healer component writes the Group Policy values that switch off every Defender real-time component, so that later stages run unscanned:

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | a9213063.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a9213063.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a9213063.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a9213063.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a9213063.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a9213063.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (2 IoCs)

resource | yara_rule
behavioral1/files/0x0031000000023b73-71.dat | family_redline
behavioral1/memory/1096-73-0x0000000000C50000-0x0000000000C78000-memory.dmp | family_redline
Redline family
-
Executes dropped EXE (6 IoCs)

pid | Process
1376 | v1800365.exe
1252 | v0537702.exe
1328 | v0742795.exe
3348 | v2381200.exe
4060 | a9213063.exe
1096 | b5588832.exe

Windows security modification (a9213063.exe, PID 4060)

In addition to the policy values above, the Healer component clears the Defender Tamper Protection feature flag:

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | a9213063.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | a9213063.exe
Adds Run key to start application (2 TTPs, 5 IoCs)

Each of the first five stages registers a RunOnce entry named wextract_cleanupN that deletes its own IXP00N.TMP extraction folder via advpack.dll's DelNodeRunDLL32 export at next logon:

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"" | dc02cb80ce04c12931090bc81f6e4653a41d2cdcb0804c4c722964eaf0399cd9.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"" | v1800365.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"" | v0537702.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\"" | v0742795.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\"" | v2381200.exe
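The Defender policy rows, the TamperProtection row and the RunOnce rows above are the kind of registry events a detection engineer turns into a rule. The following is an added example, not sandbox code and not part of the sample: a small Python classifier that parses registry events written in this report's row layout (the one-line "description ioc Process" rendering is an assumption), drops the WOW6432Node redirection component so that a 32-bit process's redirected write and a native write to the same policy key hit the same rule, and labels Defender real-time policy disables, TamperProtection=0 and wextract self-extractor cleanup entries. The sample rows are copied from this page plus one constructed benign control row.

```python
import re

# Constructed sample: registry rows copied from this report's Healer, Windows security
# modification and RunOnce tables, plus one benign control row (explorer.exe, made up).
# The "<description> <ioc> <Process>" one-line layout is an assumption.
SAMPLE_EVENTS = r'''
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection a9213063.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a9213063.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a9213063.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" a9213063.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\"" v2381200.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1" explorer.exe
'''

# "Set value (<type>) <path> = "<value>" <process>" and "Key created <path> <process>".
# The value may itself contain quotes (the rundll32 command line), so the value group
# is greedy and the process name is anchored to the end of the line.
SET_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')
KEY_RE = re.compile(r'^Key created (\\REGISTRY\\.+) (\S+)$')

RTP_POLICY = '\\policies\\microsoft\\windows defender\\real-time protection'


def normalize(path):
    """Case-fold and drop the WOW6432Node component so a redirected 32-bit write and a
    native 64-bit write to the same policy key classify identically."""
    return path.lower().replace('\\wow6432node', '')


def classify(path, value):
    """Return a label for an interesting registry write, or None for everything else."""
    p = normalize(path)
    if p.endswith(RTP_POLICY):
        return 'defender: Real-Time Protection policy key created'
    if RTP_POLICY + '\\disable' in p and value == '1':
        return 'defender: real-time component disabled by policy (T1562.001)'
    if p.endswith('\\windows defender\\features\\tamperprotection') and value == '0':
        return 'defender: TamperProtection turned off (T1562.001)'
    if ('\\currentversion\\runonce\\wextract_cleanup' in p
            and value is not None and 'advpack.dll,delnoderundll32' in value.lower()):
        return 'wextract SFX cleanup entry: a stage was unpacked into %TEMP%\\IXP00n.TMP (T1547.001)'
    if '\\currentversion\\run' in p:
        return 'autostart entry (T1547.001)'
    return None


def analyze(text):
    """Parse report rows and return one finding dict per labelled event."""
    findings = []
    for line in text.strip().splitlines():
        line = line.strip()
        if m := SET_RE.match(line):
            path, value, proc = m.group(2), m.group(3), m.group(4)
        elif m := KEY_RE.match(line):
            path, value, proc = m.group(1), None, m.group(2)
        else:
            continue
        label = classify(path, value)
        if label:
            findings.append({'process': proc, 'path': path, 'value': value, 'label': label})
    return findings


def defense_evasion_processes(findings):
    """Processes that touched Defender configuration: the ones to pull memory from first."""
    return sorted({f['process'] for f in findings if f['label'].startswith('defender')})


if __name__ == '__main__':
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['process']:<16} {f['label']}")
    print('defender tampering by:', defense_evasion_processes(SAMPLE_EVENTS and analyze(SAMPLE_EVENTS)))
```

On the report's rows this flags five events, all but the wextract entry attributed to a9213063.exe, and leaves the benign explorer.exe row unlabelled; the wextract cleanup entries are a self-extractor artefact rather than persistence for the payload, but they are a reliable hint that the sample is a nested IExpress/wextract package.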
Launches sc.exe (1 IoCs)

sc.exe is the Windows utility for controlling services on the system; here it is invoked to start the Windows Update service (sc.exe start wuauserv).

pid | Process
4268 | sc.exe
Program crash (1 IoCs)

WerFault.exe (PID 532) handled a crash of PID 4060, the a9213063.exe Healer component.

pid | pid_target | Process | procid_target
532 | 4060 | WerFault.exe | 90
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Every stage in the chain opens the same key:

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v1800365.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v0537702.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v0742795.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v2381200.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a9213063.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b5588832.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dc02cb80ce04c12931090bc81f6e4653a41d2cdcb0804c4c722964eaf0399cd9.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)

pid | Process
4060 | a9213063.exe
4060 | a9213063.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)

description | pid | Process
Token: SeDebugPrivilege | 4060 | a9213063.exe
Suspicious use of WriteProcessMemory (18 IoCs)

Each parent-to-child write below is logged three times, and every target is the writer's own newly created child (the next stage of the chain), matching the process tree:

PID (writer) | Process | wrote to memory of PID | procid_target
2224 | dc02cb80ce04c12931090bc81f6e4653a41d2cdcb0804c4c722964eaf0399cd9.exe | 1376 | 85
1376 | v1800365.exe | 1252 | 86
1252 | v0537702.exe | 1328 | 87
1328 | v0742795.exe | 3348 | 89
3348 | v2381200.exe | 4060 | 90
3348 | v2381200.exe | 1096 | 98
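Reconstructing the drop chain from the flat WriteProcessMemory rows. This is an added example, not sandbox code: it parses rows in the layout used on this page ("PID a wrote to memory of b a name n", an assumption about the rendering), de-duplicates the triple-logged writes, names the PIDs from the "Executes dropped EXE" list, and reports each final-stage process with its full lineage. On this report's data the two leaves are a9213063.exe (the Healer component) and b5588832.exe (the RedLine payload, per the family_redline match on PID 1096), both five self-extractor stages below the submitted file.

```python
import re
from collections import defaultdict

# Constructed from this report's "Suspicious use of WriteProcessMemory" rows (the three
# identical rows per pair are shown once for brevity except the first) and its
# "Executes dropped EXE" pid list. The row layout is an assumption.
WPM_ROWS = """
PID 2224 wrote to memory of 1376 2224 dc02cb80ce04c12931090bc81f6e4653a41d2cdcb0804c4c722964eaf0399cd9.exe 85
PID 2224 wrote to memory of 1376 2224 dc02cb80ce04c12931090bc81f6e4653a41d2cdcb0804c4c722964eaf0399cd9.exe 85
PID 2224 wrote to memory of 1376 2224 dc02cb80ce04c12931090bc81f6e4653a41d2cdcb0804c4c722964eaf0399cd9.exe 85
PID 1376 wrote to memory of 1252 1376 v1800365.exe 86
PID 1252 wrote to memory of 1328 1252 v0537702.exe 87
PID 1328 wrote to memory of 3348 1328 v0742795.exe 89
PID 3348 wrote to memory of 4060 3348 v2381200.exe 90
PID 3348 wrote to memory of 1096 3348 v2381200.exe 98
"""
DROPPED = {1376: "v1800365.exe", 1252: "v0537702.exe", 1328: "v0742795.exe",
           3348: "v2381200.exe", 4060: "a9213063.exe", 1096: "b5588832.exe"}

# \1 re-matches the writer pid that the sandbox repeats before the process name.
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+")


def build_tree(rows, names=None):
    """Return (children, parent, names) built from the flat WriteProcessMemory rows."""
    children, parent = defaultdict(list), {}
    names = dict(names or {})
    for m in ROW_RE.finditer(rows):
        src, dst, src_name = int(m.group(1)), int(m.group(2)), m.group(3)
        names.setdefault(src, src_name)
        if dst not in children[src]:          # collapse the triple-logged writes
            children[src].append(dst)
        parent[dst] = src
    return children, parent, names


def lineage(pid, parent, names):
    """Process names from the submitted root down to pid."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return [names.get(p, str(p)) for p in reversed(chain)]


def leaf_payloads(children, parent, names):
    """Processes that write to no further child: the final-stage payloads, with lineage."""
    return {names.get(p, str(p)): lineage(p, parent, names)
            for p in parent if p not in children}


def nesting_depth(children, parent, names):
    """Number of unpacking stages between the root and the deepest leaf."""
    return max(len(chain) - 1 for chain in leaf_payloads(children, parent, names).values())


if __name__ == "__main__":
    ch, pa, nm = build_tree(WPM_ROWS, DROPPED)
    for leaf, chain in leaf_payloads(ch, pa, nm).items():
        print(leaf, "<-", " -> ".join(chain))
    print("stages:", nesting_depth(ch, pa, nm))
```

A target that did not also appear as the writer's child in the process tree would be the thing to look at for injection; here every write goes to the next stage the writer just spawned, so the signature on this page reflects the nested unpacking rather than code injection into an existing process.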
Processes

The bracketed number is the depth shown in the sandbox's tree; indented entries are children of the entry above them.

[1] C:\Users\Admin\AppData\Local\Temp\dc02cb80ce04c12931090bc81f6e4653a41d2cdcb0804c4c722964eaf0399cd9.exe (PID 2224)
    command line: "C:\Users\Admin\AppData\Local\Temp\dc02cb80ce04c12931090bc81f6e4653a41d2cdcb0804c4c722964eaf0399cd9.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1800365.exe (PID 1376)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1800365.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0537702.exe (PID 1252)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0537702.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0742795.exe (PID 1328)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0742795.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2381200.exe (PID 3348)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2381200.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

          [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9213063.exe (PID 4060)
              command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9213063.exe
              - Modifies Windows Defender Real-time Protection settings
              - Executes dropped EXE
              - Windows security modification
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

            [7] C:\Windows\SysWOW64\WerFault.exe (PID 532)
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1092
                - Program crash

          [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5588832.exe (PID 1096)
              command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5588832.exe
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery

[1] C:\Windows\SysWOW64\WerFault.exe (PID 748)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4060 -ip 4060

[1] C:\Windows\system32\sc.exe (PID 4268)
    command line: C:\Windows\system32\sc.exe start wuauserv
    - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)
Downloads

Dropped files captured during the run, in the order the sandbox lists them:

- Filesize: 1.4MB
  MD5: b55ad87ef640c7d75d99a9eb142ec35d
  SHA1: 979b455c0e87ac54aa54d6cc3acf84e8a3eeff73
  SHA256: 954282ad28a8ec76ccb25f927dbdb230af8c4eac1f6774ad010ddb4b2695fe7e
  SHA512: 3919a0bcf7e53cd3f28f5f827dbe3c342061cd1c1fdd628a508656f959f267f37994f52b6d39e5947ff3cd2ed72432b4561d6f4abb47817ec273d07546ea12a6

- Filesize: 918KB
  MD5: cdeebbf183cff42af59c3064a45a6745
  SHA1: 870d0575d8e685e9c8f7120ede941440b7155866
  SHA256: 435594a8a0f4c091777c138a33ea80d797d2f429ef32ed0daccb5a8f41f27267
  SHA512: bbff02fcbeea5ab01f435d798913cc46f68f8f5c0bd13804a21820b197128fa73816fbf2e4ee5374aaa54d3be4a0a9284fcf5adc2031dcaa7a88102b6eea5958

- Filesize: 713KB
  MD5: 624c2e06674925ddbf8bfc9edc5aef49
  SHA1: b45310d3b36983d2dde33c5e7d670bb04b2fdf21
  SHA256: 22f5ffeca42e6f8f7cd8c64f2e33cb88afb3c2d25d95ac9c125375ac562de508
  SHA512: fa9df26b4ae55a1745907ff39b70aef28de3413ea752529ba736e587ed8823da44b36c4d95ada3c51601d083dc916c8ba452dd51f24c9bd6609afb81a66c3955

- Filesize: 422KB
  MD5: daedbe8b6f2b882a5bf440ca550a36a2
  SHA1: d445edfaa610f2dc86f707bb1c0240ae5d926939
  SHA256: e14fb7b6793d508b9a1b101c4981cad6a3f4fd22506df24ac9a07b0d4623aa34
  SHA512: 6a7629542a1dfdb09d34df68a8b852aa72cb9f79bb660b8237c7b30d26e55ad902285662c72446060900ea30685d3d8604524c9cc50f272db97258248ea932fe

- Filesize: 371KB
  MD5: d164a15a6715b1449e48992e23c75324
  SHA1: 44f26eca1bdba87ac73a8332637447ad4c65c438
  SHA256: 200f022205104eec6502c7d015fd321be23848980723e10ca994794b7db82539
  SHA512: e98e5d19ffd994190b5f02f5daed75659800e43341ba09828f5ece5d0a5c7054564ea59432c77521e73c65b6996ed04f3dbacf41c1afcc4a400154e85ca4e89c

- Filesize: 136KB
  MD5: da341720b0eacf2badc07aa857fef144
  SHA1: 7be509c5a7038a34d7f03fa19a1fefb79188658d
  SHA256: 9c46dd8250a557918b5d62824ee9d61c7a05047cede509e9605077514c3297c7
  SHA512: 3c05ef2d2c92d40f28d796909a3b93ace2f8e8651f1febeaffc7718c3e8d1e30f84c972be413f05aed9ed42faec679ad965718ead4fe78e929a2011f8b9e5be0