Analysis
max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
09/11/2024, 03:57
Static task
static1
Behavioral task
behavioral1
Sample
d2330b4795e0c8f02dd3177b3ddafa77123e5816f5cd8eb4a5068b4339e65a7b.exe
Resource
win10v2004-20241007-en
General
Target
d2330b4795e0c8f02dd3177b3ddafa77123e5816f5cd8eb4a5068b4339e65a7b.exe
Size
1.1MB
MD5
34328170db11ad354c5b1d97d3a4417b
SHA1
a76b0ac19515f02b886fec4804e3c80ebe198397
SHA256
d2330b4795e0c8f02dd3177b3ddafa77123e5816f5cd8eb4a5068b4339e65a7b
SHA512
091f61764bdb380acf5aed04a13531752f797cc4f28dc1358f4fe6bdb74c941b3ac1b7af71b62cc793da3b2363b535607ae02e824d6e49e15815e3c1f90870ce
SSDEEP
24576:uyTkWpByCYv/m3qkbRPZMlQeqPYF6FfzNHNcX:9sv+3pMFI/S
Malware Config
Signatures
Detects Healer an antivirus disabler dropper 17 IoCs
resource | yara_rule
behavioral1/memory/1432-23-0x00000000025B0000-0x00000000025CA000-memory.dmp | healer
behavioral1/memory/1432-25-0x0000000002960000-0x0000000002978000-memory.dmp | healer
behavioral1/memory/1432-27-0x0000000002960000-0x0000000002972000-memory.dmp | healer
behavioral1/memory/1432-51-0x0000000002960000-0x0000000002972000-memory.dmp | healer
behavioral1/memory/1432-49-0x0000000002960000-0x0000000002972000-memory.dmp | healer
behavioral1/memory/1432-47-0x0000000002960000-0x0000000002972000-memory.dmp | healer
behavioral1/memory/1432-45-0x0000000002960000-0x0000000002972000-memory.dmp | healer
behavioral1/memory/1432-53-0x0000000002960000-0x0000000002972000-memory.dmp | healer
behavioral1/memory/1432-43-0x0000000002960000-0x0000000002972000-memory.dmp | healer
behavioral1/memory/1432-41-0x0000000002960000-0x0000000002972000-memory.dmp | healer
behavioral1/memory/1432-39-0x0000000002960000-0x0000000002972000-memory.dmp | healer
behavioral1/memory/1432-37-0x0000000002960000-0x0000000002972000-memory.dmp | healer
behavioral1/memory/1432-36-0x0000000002960000-0x0000000002972000-memory.dmp | healer
behavioral1/memory/1432-33-0x0000000002960000-0x0000000002972000-memory.dmp | healer
behavioral1/memory/1432-31-0x0000000002960000-0x0000000002972000-memory.dmp | healer
behavioral1/memory/1432-29-0x0000000002960000-0x0000000002972000-memory.dmp | healer
behavioral1/memory/1432-26-0x0000000002960000-0x0000000002972000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr040660.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr040660.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr040660.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr040660.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr040660.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr040660.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 20 IoCs
resource | yara_rule
behavioral1/memory/4428-62-0x0000000002730000-0x000000000276C000-memory.dmp | family_redline
behavioral1/memory/4428-63-0x0000000004E50000-0x0000000004E8A000-memory.dmp | family_redline
behavioral1/memory/4428-85-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
behavioral1/memory/4428-89-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
behavioral1/memory/4428-95-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
behavioral1/memory/4428-93-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
behavioral1/memory/4428-91-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
behavioral1/memory/4428-87-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
behavioral1/memory/4428-83-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
behavioral1/memory/4428-81-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
behavioral1/memory/4428-79-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
behavioral1/memory/4428-78-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
behavioral1/memory/4428-76-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
behavioral1/memory/4428-73-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
behavioral1/memory/4428-71-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
behavioral1/memory/4428-97-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
behavioral1/memory/4428-69-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
behavioral1/memory/4428-67-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
behavioral1/memory/4428-65-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
behavioral1/memory/4428-64-0x0000000004E50000-0x0000000004E85000-memory.dmp | family_redline
Redline family
Executes dropped EXE 4 IoCs
pid | Process
756 | un507582.exe
1864 | un341590.exe
1432 | pr040660.exe
4428 | qu193303.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr040660.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr040660.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | d2330b4795e0c8f02dd3177b3ddafa77123e5816f5cd8eb4a5068b4339e65a7b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un507582.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | un341590.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
5076 | 1432 | WerFault.exe | 85
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un507582.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un341590.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pr040660.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu193303.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d2330b4795e0c8f02dd3177b3ddafa77123e5816f5cd8eb4a5068b4339e65a7b.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1432 | pr040660.exe
1432 | pr040660.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1432 | pr040660.exe
Token: SeDebugPrivilege | 4428 | qu193303.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 2572 wrote to memory of 756 | 2572 | d2330b4795e0c8f02dd3177b3ddafa77123e5816f5cd8eb4a5068b4339e65a7b.exe | 83
PID 2572 wrote to memory of 756 | 2572 | d2330b4795e0c8f02dd3177b3ddafa77123e5816f5cd8eb4a5068b4339e65a7b.exe | 83
PID 2572 wrote to memory of 756 | 2572 | d2330b4795e0c8f02dd3177b3ddafa77123e5816f5cd8eb4a5068b4339e65a7b.exe | 83
PID 756 wrote to memory of 1864 | 756 | un507582.exe | 84
PID 756 wrote to memory of 1864 | 756 | un507582.exe | 84
PID 756 wrote to memory of 1864 | 756 | un507582.exe | 84
PID 1864 wrote to memory of 1432 | 1864 | un341590.exe | 85
PID 1864 wrote to memory of 1432 | 1864 | un341590.exe | 85
PID 1864 wrote to memory of 1432 | 1864 | un341590.exe | 85
PID 1864 wrote to memory of 4428 | 1864 | un341590.exe | 96
PID 1864 wrote to memory of 4428 | 1864 | un341590.exe | 96
PID 1864 wrote to memory of 4428 | 1864 | un341590.exe | 96
Processes
C:\Users\Admin\AppData\Local\Temp\d2330b4795e0c8f02dd3177b3ddafa77123e5816f5cd8eb4a5068b4339e65a7b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d2330b4795e0c8f02dd3177b3ddafa77123e5816f5cd8eb4a5068b4339e65a7b.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2572
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un507582.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un507582.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 756
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un341590.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un341590.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1864
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr040660.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr040660.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1432
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 1084
          - Program crash
          PID: 5076
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu193303.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu193303.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 4428
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1432 -ip 1432
  PID: 2088
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Create or Modify System Process (1)
Windows Service (1)
Downloads
Filesize
762KB
MD5
4c170a269454d617c99eac51091a3c04
SHA1
113bc17495867a111aad255d3c0ea90beaf420c9
SHA256
bf6ab1c3f77b4e81cc08be6361b49639952e1308297a0f9a5ef0d4c77d66aab3
SHA512
8749bc0143c0343da4f002b374c4d94ca16211fa33ed474e3f79ebf2846c2529defcc9e6de01619b072c8168f1e69210b0c97c2e707af87ef7f3eadfcd34de5b

Filesize
608KB
MD5
4ba6245487920667017c57610c8e39e5
SHA1
52c7b700baac8d38fa9a188ce4f25e24d5496631
SHA256
63c00984d91a34e6f48da8546ff786065eba2c8ede8d975efabbd6a195d8fc46
SHA512
981675de73839562af31ec5c5005eed1ee28b28ff0c64fe2aadf4fe84f37b52d77e32e7005b5be47bc6c6cd01eb19458048c84fa4d76f58c8e3dd4abf7ecc1e1

Filesize
403KB
MD5
6db92a6e0383dc6ff3b3b64c95dc799a
SHA1
e86337ec577ba681ff83cc03d57d2b990dfd9643
SHA256
e1d9786b00bf685db3dfa6ff3bf6bc491053108fc2cc580d43c3cd4028375c21
SHA512
2ace8cc63f4e6a43164b8cab4a44f7e23c3bfacb85f3d0747e27762acf116d73424cbebb6ae2dbe958a7699156db88d2655ccbdb82b15b7a6a05a67873248997

Filesize
485KB
MD5
7dc3821a5539333c7c1d2aeafe95e152
SHA1
f6cd39d881409bace78a932318ba5d9368022ac0
SHA256
59a1732fd5cfb534da068452c1460f437a618aa97c671b80b6a57c67ab4eb387
SHA512
6026d8840f2e14a4e85ed6526a2e42871dfb0c621fb1594f2c894b73557fab113acc89b9c067df78a7d8f5f5bf429ab8d76c4a5da0f53c1db6c82f76b02cb713