Analysis
max time kernel: 143s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-11-2024 13:32
Static task: static1
Behavioral task: behavioral1
Sample: 36fbc6d1768b7b0c67734a892a23aca07f5964ebc1f3151bd381e4449dc560c1.exe
Resource: win10v2004-20241007-en
General
Target: 36fbc6d1768b7b0c67734a892a23aca07f5964ebc1f3151bd381e4449dc560c1.exe
Size: 1.1MB
MD5: 4471abe4f4baf096b4fb6d4172e867e4
SHA1: f1ed2d508a1ac4b19e9704b4bcd3b4d16fade619
SHA256: 36fbc6d1768b7b0c67734a892a23aca07f5964ebc1f3151bd381e4449dc560c1
SHA512: 6ced794b583b290f14abe4c9360b8fb9d009acf8902d2d8e5f78ba7b8047df378260b74bec090b2e3687870d5d5b5dd07d0846b20964728116dfe471eb257547
SSDEEP: 24576:oybYM4AJg5wC7Mqvzn3vI6FZjQ2XeQMI9tz4dN:vMM7jCgkn3vEqeJa4d
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
resource | yara_rule
behavioral1/memory/3460-23-0x0000000002560000-0x000000000257A000-memory.dmp | healer
behavioral1/memory/3460-25-0x0000000004DA0000-0x0000000004DB8000-memory.dmp | healer
behavioral1/memory/3460-53-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/3460-51-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/3460-50-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/3460-48-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/3460-45-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/3460-43-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/3460-42-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/3460-39-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/3460-37-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/3460-35-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/3460-34-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/3460-31-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/3460-29-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/3460-26-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/3460-27-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr311338.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr311338.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr311338.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr311338.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr311338.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr311338.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
resource | yara_rule
behavioral1/memory/2660-62-0x00000000027A0000-0x00000000027DC000-memory.dmp | family_redline
behavioral1/memory/2660-63-0x00000000053A0000-0x00000000053DA000-memory.dmp | family_redline
behavioral1/memory/2660-64-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
behavioral1/memory/2660-77-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
behavioral1/memory/2660-97-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
behavioral1/memory/2660-95-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
behavioral1/memory/2660-93-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
behavioral1/memory/2660-91-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
behavioral1/memory/2660-89-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
behavioral1/memory/2660-87-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
behavioral1/memory/2660-85-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
behavioral1/memory/2660-83-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
behavioral1/memory/2660-81-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
behavioral1/memory/2660-79-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
behavioral1/memory/2660-75-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
behavioral1/memory/2660-73-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
behavioral1/memory/2660-71-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
behavioral1/memory/2660-69-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
behavioral1/memory/2660-67-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
behavioral1/memory/2660-65-0x00000000053A0000-0x00000000053D5000-memory.dmp | family_redline
Redline family
Executes dropped EXE (4 IoCs)
pid | Process
2516 | un701221.exe
3396 | un481006.exe
3460 | pr311338.exe
2660 | qu845831.exe

Windows security modification (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr311338.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr311338.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 36fbc6d1768b7b0c67734a892a23aca07f5964ebc1f3151bd381e4449dc560c1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un701221.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | un481006.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
3172 | 3460 | WerFault.exe | 87
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 36fbc6d1768b7b0c67734a892a23aca07f5964ebc1f3151bd381e4449dc560c1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un701221.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un481006.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pr311338.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu845831.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3460 | pr311338.exe
3460 | pr311338.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3460 | pr311338.exe
Token: SeDebugPrivilege | 2660 | qu845831.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 344 wrote to memory of 2516 | 344 | 36fbc6d1768b7b0c67734a892a23aca07f5964ebc1f3151bd381e4449dc560c1.exe | 84
PID 344 wrote to memory of 2516 | 344 | 36fbc6d1768b7b0c67734a892a23aca07f5964ebc1f3151bd381e4449dc560c1.exe | 84
PID 344 wrote to memory of 2516 | 344 | 36fbc6d1768b7b0c67734a892a23aca07f5964ebc1f3151bd381e4449dc560c1.exe | 84
PID 2516 wrote to memory of 3396 | 2516 | un701221.exe | 85
PID 2516 wrote to memory of 3396 | 2516 | un701221.exe | 85
PID 2516 wrote to memory of 3396 | 2516 | un701221.exe | 85
PID 3396 wrote to memory of 3460 | 3396 | un481006.exe | 87
PID 3396 wrote to memory of 3460 | 3396 | un481006.exe | 87
PID 3396 wrote to memory of 3460 | 3396 | un481006.exe | 87
PID 3396 wrote to memory of 2660 | 3396 | un481006.exe | 98
PID 3396 wrote to memory of 2660 | 3396 | un481006.exe | 98
PID 3396 wrote to memory of 2660 | 3396 | un481006.exe | 98
Processes
C:\Users\Admin\AppData\Local\Temp\36fbc6d1768b7b0c67734a892a23aca07f5964ebc1f3151bd381e4449dc560c1.exe  (PID 344, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\36fbc6d1768b7b0c67734a892a23aca07f5964ebc1f3151bd381e4449dc560c1.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un701221.exe  (PID 2516, depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un701221.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un481006.exe  (PID 3396, depth 3)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un481006.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr311338.exe  (PID 3460, depth 4)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr311338.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\WerFault.exe  (PID 3172, depth 5)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 1040
          - Program crash
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu845831.exe  (PID 2660, depth 4)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu845831.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe  (PID 804, depth 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3460 -ip 3460
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads