Analysis
-
max time kernel
142s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 01:25
Static task
static1
Behavioral task
behavioral1
Sample
3d2f664fee01b4e614dcdf33a8e55a7af68b034e25aeca9f101fa747d4a4fec0.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
3d2f664fee01b4e614dcdf33a8e55a7af68b034e25aeca9f101fa747d4a4fec0.exe
Resource
win10v2004-20241007-en
General
-
Target
3d2f664fee01b4e614dcdf33a8e55a7af68b034e25aeca9f101fa747d4a4fec0.exe
-
Size
1.2MB
-
MD5
d590cf00aa88c6f2efc2247370e7c086
-
SHA1
ecb3bd7dac1730ffd24da32d59dfcf78c9ccee07
-
SHA256
3d2f664fee01b4e614dcdf33a8e55a7af68b034e25aeca9f101fa747d4a4fec0
-
SHA512
12c3278414f37ab4782a673f7b545778fbc6bf6b7636dc58124ec26a777b8c11b8344529ca98b4f0f6acb0d77a5136e3dd1562d3564f82ef34e7eac6ce299b82
-
SSDEEP
24576:IYAVCfN05jEKvD1eqB6QLUIHZinS07gPUSko5622+s:IY1NsVN654ZiE1ko5Q+
Malware Config
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
Processes:
resource yara_rule behavioral2/memory/4780-28-0x0000000002570000-0x000000000258A000-memory.dmp healer behavioral2/memory/4780-30-0x0000000002820000-0x0000000002838000-memory.dmp healer behavioral2/memory/4780-58-0x0000000002820000-0x0000000002832000-memory.dmp healer behavioral2/memory/4780-56-0x0000000002820000-0x0000000002832000-memory.dmp healer behavioral2/memory/4780-54-0x0000000002820000-0x0000000002832000-memory.dmp healer behavioral2/memory/4780-52-0x0000000002820000-0x0000000002832000-memory.dmp healer behavioral2/memory/4780-50-0x0000000002820000-0x0000000002832000-memory.dmp healer behavioral2/memory/4780-48-0x0000000002820000-0x0000000002832000-memory.dmp healer behavioral2/memory/4780-46-0x0000000002820000-0x0000000002832000-memory.dmp healer behavioral2/memory/4780-44-0x0000000002820000-0x0000000002832000-memory.dmp healer behavioral2/memory/4780-42-0x0000000002820000-0x0000000002832000-memory.dmp healer behavioral2/memory/4780-40-0x0000000002820000-0x0000000002832000-memory.dmp healer behavioral2/memory/4780-38-0x0000000002820000-0x0000000002832000-memory.dmp healer behavioral2/memory/4780-36-0x0000000002820000-0x0000000002832000-memory.dmp healer behavioral2/memory/4780-34-0x0000000002820000-0x0000000002832000-memory.dmp healer behavioral2/memory/4780-32-0x0000000002820000-0x0000000002832000-memory.dmp healer behavioral2/memory/4780-31-0x0000000002820000-0x0000000002832000-memory.dmp healer -
Healer family
-
Processes:
108042834.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 108042834.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 108042834.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 108042834.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 108042834.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 108042834.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 108042834.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 19 IoCs
Processes:
resource yara_rule behavioral2/memory/464-70-0x00000000025D0000-0x000000000260C000-memory.dmp family_redline behavioral2/memory/464-71-0x00000000029A0000-0x00000000029DA000-memory.dmp family_redline behavioral2/memory/464-85-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral2/memory/464-95-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral2/memory/464-103-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral2/memory/464-101-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral2/memory/464-97-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral2/memory/464-93-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral2/memory/464-91-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral2/memory/464-89-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral2/memory/464-87-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral2/memory/464-83-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral2/memory/464-81-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral2/memory/464-79-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral2/memory/464-99-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral2/memory/464-77-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral2/memory/464-75-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral2/memory/464-73-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral2/memory/464-72-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 4 IoCs
Processes:
kM904164.exeVJ798040.exe108042834.exe280070123.exepid process 2808 kM904164.exe 1944 VJ798040.exe 4780 108042834.exe 464 280070123.exe -
Processes:
108042834.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 108042834.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 108042834.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
kM904164.exeVJ798040.exe3d2f664fee01b4e614dcdf33a8e55a7af68b034e25aeca9f101fa747d4a4fec0.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" kM904164.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" VJ798040.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 3d2f664fee01b4e614dcdf33a8e55a7af68b034e25aeca9f101fa747d4a4fec0.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2236 4780 WerFault.exe 108042834.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
280070123.exe3d2f664fee01b4e614dcdf33a8e55a7af68b034e25aeca9f101fa747d4a4fec0.exekM904164.exeVJ798040.exe108042834.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 280070123.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3d2f664fee01b4e614dcdf33a8e55a7af68b034e25aeca9f101fa747d4a4fec0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kM904164.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language VJ798040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 108042834.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
108042834.exepid process 4780 108042834.exe 4780 108042834.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
108042834.exe280070123.exedescription pid process Token: SeDebugPrivilege 4780 108042834.exe Token: SeDebugPrivilege 464 280070123.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
3d2f664fee01b4e614dcdf33a8e55a7af68b034e25aeca9f101fa747d4a4fec0.exekM904164.exeVJ798040.exedescription pid process target process PID 1784 wrote to memory of 2808 1784 3d2f664fee01b4e614dcdf33a8e55a7af68b034e25aeca9f101fa747d4a4fec0.exe kM904164.exe PID 1784 wrote to memory of 2808 1784 3d2f664fee01b4e614dcdf33a8e55a7af68b034e25aeca9f101fa747d4a4fec0.exe kM904164.exe PID 1784 wrote to memory of 2808 1784 3d2f664fee01b4e614dcdf33a8e55a7af68b034e25aeca9f101fa747d4a4fec0.exe kM904164.exe PID 2808 wrote to memory of 1944 2808 kM904164.exe VJ798040.exe PID 2808 wrote to memory of 1944 2808 kM904164.exe VJ798040.exe PID 2808 wrote to memory of 1944 2808 kM904164.exe VJ798040.exe PID 1944 wrote to memory of 4780 1944 VJ798040.exe 108042834.exe PID 1944 wrote to memory of 4780 1944 VJ798040.exe 108042834.exe PID 1944 wrote to memory of 4780 1944 VJ798040.exe 108042834.exe PID 1944 wrote to memory of 464 1944 VJ798040.exe 280070123.exe PID 1944 wrote to memory of 464 1944 VJ798040.exe 280070123.exe PID 1944 wrote to memory of 464 1944 VJ798040.exe 280070123.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3d2f664fee01b4e614dcdf33a8e55a7af68b034e25aeca9f101fa747d4a4fec0.exe"C:\Users\Admin\AppData\Local\Temp\3d2f664fee01b4e614dcdf33a8e55a7af68b034e25aeca9f101fa747d4a4fec0.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kM904164.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kM904164.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VJ798040.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VJ798040.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\108042834.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\108042834.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4780 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 10845⤵
- Program crash
PID:2236
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\280070123.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\280070123.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:464
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4780 -ip 47801⤵PID:1352
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
770KB
MD5392d34a4d3a736bccc6091e3839a6fce
SHA1ec072e2b2e599bd3b7abc27a1254f4176cefbe6c
SHA256e653e474a8d9fbfc811c2b091216d42aac7fbed5e5c3b1191c93060663084865
SHA512e65dbb131c1f719606a44d6e76d78b9106fe25fb539396d8da759ead27bd437e76f6b6198bd4c6b9979b7676ef3247eca11eccc07a0b24732f503836825207f9
-
Filesize
599KB
MD59693154f9e43acf85dc6444f65286c02
SHA19c70122819655c156fd116cd68c82956778fb036
SHA256a33ce1ef82f0eeab1079ad1d0b8ee6b0502df369e83bd8d396cc613e50c0d3c7
SHA512ff4c434440972afaa5d3e257da5cde9427f9993457da2bf59331d68235f78d019b3d25f5598c585916e949f3828a6603ecf778b933976364be4727f7753fcf8a
-
Filesize
396KB
MD55b1333c144f250b941047b543caee016
SHA1ba2e842670998d0ebe45dd93f82993af4f4353f9
SHA256f7c8b4d2fb6998fd65b37ab652e736ac8cd06fb434dcbc9f18242dd766cab20a
SHA512890d85988c79957ab8743a6b53bb00b0510375b404ed439d7885d6a7bf613f8c44fa012362b9c5afca931e489cccb7fc6d1a1ed497e000c37470b12606936dcc
-
Filesize
478KB
MD5753e8fdb43c01050b6df9d07136cb46b
SHA1a8f6a4d318b991785bbd444d0f691b345ddde226
SHA256257da5b41af249faa681721127bb9ff0bfd9ae9dceaf09d9be50904296cd2f22
SHA512f9065a7b7aa0c04ca8cbd4d522f3e1aa7280f00afc80405900207d03dbd710f7566ed30bfa8bfe2a56fcba8613144d384c2c4406eb239f80bb75d34bd14071d5