Analysis
-
max time kernel
143s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
10-11-2024 01:25
Static task
static1
Behavioral task
behavioral1
Sample
3d2f664fee01b4e614dcdf33a8e55a7af68b034e25aeca9f101fa747d4a4fec0.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
3d2f664fee01b4e614dcdf33a8e55a7af68b034e25aeca9f101fa747d4a4fec0.exe
Resource
win10v2004-20241007-en
General
-
Target
3d2f664fee01b4e614dcdf33a8e55a7af68b034e25aeca9f101fa747d4a4fec0.exe
-
Size
1.2MB
-
MD5
d590cf00aa88c6f2efc2247370e7c086
-
SHA1
ecb3bd7dac1730ffd24da32d59dfcf78c9ccee07
-
SHA256
3d2f664fee01b4e614dcdf33a8e55a7af68b034e25aeca9f101fa747d4a4fec0
-
SHA512
12c3278414f37ab4782a673f7b545778fbc6bf6b7636dc58124ec26a777b8c11b8344529ca98b4f0f6acb0d77a5136e3dd1562d3564f82ef34e7eac6ce299b82
-
SSDEEP
24576:IYAVCfN05jEKvD1eqB6QLUIHZinS07gPUSko5622+s:IY1NsVN654ZiE1ko5Q+
Malware Config
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
Processes:
resource yara_rule behavioral1/memory/2312-38-0x0000000002490000-0x00000000024AA000-memory.dmp healer behavioral1/memory/2312-39-0x00000000028E0000-0x00000000028F8000-memory.dmp healer behavioral1/memory/2312-51-0x00000000028E0000-0x00000000028F2000-memory.dmp healer behavioral1/memory/2312-57-0x00000000028E0000-0x00000000028F2000-memory.dmp healer behavioral1/memory/2312-67-0x00000000028E0000-0x00000000028F2000-memory.dmp healer behavioral1/memory/2312-65-0x00000000028E0000-0x00000000028F2000-memory.dmp healer behavioral1/memory/2312-63-0x00000000028E0000-0x00000000028F2000-memory.dmp healer behavioral1/memory/2312-61-0x00000000028E0000-0x00000000028F2000-memory.dmp healer behavioral1/memory/2312-59-0x00000000028E0000-0x00000000028F2000-memory.dmp healer behavioral1/memory/2312-56-0x00000000028E0000-0x00000000028F2000-memory.dmp healer behavioral1/memory/2312-53-0x00000000028E0000-0x00000000028F2000-memory.dmp healer behavioral1/memory/2312-49-0x00000000028E0000-0x00000000028F2000-memory.dmp healer behavioral1/memory/2312-47-0x00000000028E0000-0x00000000028F2000-memory.dmp healer behavioral1/memory/2312-45-0x00000000028E0000-0x00000000028F2000-memory.dmp healer behavioral1/memory/2312-43-0x00000000028E0000-0x00000000028F2000-memory.dmp healer behavioral1/memory/2312-41-0x00000000028E0000-0x00000000028F2000-memory.dmp healer behavioral1/memory/2312-40-0x00000000028E0000-0x00000000028F2000-memory.dmp healer -
Healer family
-
Processes:
108042834.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 108042834.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 108042834.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection 108042834.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 108042834.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 108042834.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 108042834.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 19 IoCs
Processes:
resource yara_rule behavioral1/memory/2824-83-0x0000000002950000-0x000000000298C000-memory.dmp family_redline behavioral1/memory/2824-84-0x0000000002990000-0x00000000029CA000-memory.dmp family_redline behavioral1/memory/2824-96-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline behavioral1/memory/2824-102-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline behavioral1/memory/2824-116-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline behavioral1/memory/2824-112-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline behavioral1/memory/2824-111-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline behavioral1/memory/2824-108-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline behavioral1/memory/2824-107-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline behavioral1/memory/2824-104-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline behavioral1/memory/2824-100-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline behavioral1/memory/2824-98-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline behavioral1/memory/2824-114-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline behavioral1/memory/2824-94-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline behavioral1/memory/2824-92-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline behavioral1/memory/2824-90-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline behavioral1/memory/2824-88-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline behavioral1/memory/2824-86-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline behavioral1/memory/2824-85-0x0000000002990000-0x00000000029C5000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 4 IoCs
Processes:
kM904164.exeVJ798040.exe108042834.exe280070123.exepid process 2040 kM904164.exe 880 VJ798040.exe 2312 108042834.exe 2824 280070123.exe -
Loads dropped DLL 10 IoCs
Processes:
3d2f664fee01b4e614dcdf33a8e55a7af68b034e25aeca9f101fa747d4a4fec0.exekM904164.exeVJ798040.exe108042834.exe280070123.exepid process 1996 3d2f664fee01b4e614dcdf33a8e55a7af68b034e25aeca9f101fa747d4a4fec0.exe 2040 kM904164.exe 2040 kM904164.exe 880 VJ798040.exe 880 VJ798040.exe 880 VJ798040.exe 2312 108042834.exe 880 VJ798040.exe 880 VJ798040.exe 2824 280070123.exe -
Processes:
108042834.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features 108042834.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 108042834.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
VJ798040.exe3d2f664fee01b4e614dcdf33a8e55a7af68b034e25aeca9f101fa747d4a4fec0.exekM904164.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" VJ798040.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 3d2f664fee01b4e614dcdf33a8e55a7af68b034e25aeca9f101fa747d4a4fec0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" kM904164.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
3d2f664fee01b4e614dcdf33a8e55a7af68b034e25aeca9f101fa747d4a4fec0.exekM904164.exeVJ798040.exe108042834.exe280070123.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3d2f664fee01b4e614dcdf33a8e55a7af68b034e25aeca9f101fa747d4a4fec0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kM904164.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language VJ798040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 108042834.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 280070123.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
108042834.exepid process 2312 108042834.exe 2312 108042834.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
108042834.exe280070123.exedescription pid process Token: SeDebugPrivilege 2312 108042834.exe Token: SeDebugPrivilege 2824 280070123.exe -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
3d2f664fee01b4e614dcdf33a8e55a7af68b034e25aeca9f101fa747d4a4fec0.exekM904164.exeVJ798040.exedescription pid process target process PID 1996 wrote to memory of 2040 1996 3d2f664fee01b4e614dcdf33a8e55a7af68b034e25aeca9f101fa747d4a4fec0.exe kM904164.exe PID 1996 wrote to memory of 2040 1996 3d2f664fee01b4e614dcdf33a8e55a7af68b034e25aeca9f101fa747d4a4fec0.exe kM904164.exe PID 1996 wrote to memory of 2040 1996 3d2f664fee01b4e614dcdf33a8e55a7af68b034e25aeca9f101fa747d4a4fec0.exe kM904164.exe PID 1996 wrote to memory of 2040 1996 3d2f664fee01b4e614dcdf33a8e55a7af68b034e25aeca9f101fa747d4a4fec0.exe kM904164.exe PID 1996 wrote to memory of 2040 1996 3d2f664fee01b4e614dcdf33a8e55a7af68b034e25aeca9f101fa747d4a4fec0.exe kM904164.exe PID 1996 wrote to memory of 2040 1996 3d2f664fee01b4e614dcdf33a8e55a7af68b034e25aeca9f101fa747d4a4fec0.exe kM904164.exe PID 1996 wrote to memory of 2040 1996 3d2f664fee01b4e614dcdf33a8e55a7af68b034e25aeca9f101fa747d4a4fec0.exe kM904164.exe PID 2040 wrote to memory of 880 2040 kM904164.exe VJ798040.exe PID 2040 wrote to memory of 880 2040 kM904164.exe VJ798040.exe PID 2040 wrote to memory of 880 2040 kM904164.exe VJ798040.exe PID 2040 wrote to memory of 880 2040 kM904164.exe VJ798040.exe PID 2040 wrote to memory of 880 2040 kM904164.exe VJ798040.exe PID 2040 wrote to memory of 880 2040 kM904164.exe VJ798040.exe PID 2040 wrote to memory of 880 2040 kM904164.exe VJ798040.exe PID 880 wrote to memory of 2312 880 VJ798040.exe 108042834.exe PID 880 wrote to memory of 2312 880 VJ798040.exe 108042834.exe PID 880 wrote to memory of 2312 880 VJ798040.exe 108042834.exe PID 880 wrote to memory of 2312 880 VJ798040.exe 108042834.exe PID 880 wrote to memory of 2312 880 VJ798040.exe 108042834.exe PID 880 wrote to memory of 2312 880 VJ798040.exe 108042834.exe PID 880 wrote to memory of 2312 880 VJ798040.exe 108042834.exe PID 880 wrote to memory of 2824 880 VJ798040.exe 280070123.exe PID 880 wrote to memory of 2824 880 VJ798040.exe 280070123.exe PID 880 wrote to memory of 2824 880 VJ798040.exe 280070123.exe PID 880 wrote to memory of 2824 880 VJ798040.exe 280070123.exe PID 880 wrote to memory of 2824 880 VJ798040.exe 280070123.exe PID 880 wrote to memory of 2824 880 VJ798040.exe 280070123.exe PID 880 wrote to memory of 2824 880 VJ798040.exe 280070123.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3d2f664fee01b4e614dcdf33a8e55a7af68b034e25aeca9f101fa747d4a4fec0.exe"C:\Users\Admin\AppData\Local\Temp\3d2f664fee01b4e614dcdf33a8e55a7af68b034e25aeca9f101fa747d4a4fec0.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kM904164.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kM904164.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VJ798040.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VJ798040.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\108042834.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\108042834.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2312
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\280070123.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\280070123.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2824
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
478KB
MD5753e8fdb43c01050b6df9d07136cb46b
SHA1a8f6a4d318b991785bbd444d0f691b345ddde226
SHA256257da5b41af249faa681721127bb9ff0bfd9ae9dceaf09d9be50904296cd2f22
SHA512f9065a7b7aa0c04ca8cbd4d522f3e1aa7280f00afc80405900207d03dbd710f7566ed30bfa8bfe2a56fcba8613144d384c2c4406eb239f80bb75d34bd14071d5
-
Filesize
770KB
MD5392d34a4d3a736bccc6091e3839a6fce
SHA1ec072e2b2e599bd3b7abc27a1254f4176cefbe6c
SHA256e653e474a8d9fbfc811c2b091216d42aac7fbed5e5c3b1191c93060663084865
SHA512e65dbb131c1f719606a44d6e76d78b9106fe25fb539396d8da759ead27bd437e76f6b6198bd4c6b9979b7676ef3247eca11eccc07a0b24732f503836825207f9
-
Filesize
599KB
MD59693154f9e43acf85dc6444f65286c02
SHA19c70122819655c156fd116cd68c82956778fb036
SHA256a33ce1ef82f0eeab1079ad1d0b8ee6b0502df369e83bd8d396cc613e50c0d3c7
SHA512ff4c434440972afaa5d3e257da5cde9427f9993457da2bf59331d68235f78d019b3d25f5598c585916e949f3828a6603ecf778b933976364be4727f7753fcf8a
-
Filesize
396KB
MD55b1333c144f250b941047b543caee016
SHA1ba2e842670998d0ebe45dd93f82993af4f4353f9
SHA256f7c8b4d2fb6998fd65b37ab652e736ac8cd06fb434dcbc9f18242dd766cab20a
SHA512890d85988c79957ab8743a6b53bb00b0510375b404ed439d7885d6a7bf613f8c44fa012362b9c5afca931e489cccb7fc6d1a1ed497e000c37470b12606936dcc