Analysis
- max time kernel: 142s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-11-2024 01:35
Static task: static1
Behavioral task: behavioral1
Sample: da0f4b326af173c8e18b81fd44d60781e4cdbaa5534ee796949f2271be08ab3b.exe
Resource: win10v2004-20241007-en
General
- Target: da0f4b326af173c8e18b81fd44d60781e4cdbaa5534ee796949f2271be08ab3b.exe
- Size: 690KB
- MD5: 0cc581cf14c4ca70d35c901df43b682f
- SHA1: d0537f1552e509b59b212a7e77c577187c147942
- SHA256: da0f4b326af173c8e18b81fd44d60781e4cdbaa5534ee796949f2271be08ab3b
- SHA512: e2392ce4099ddc79b9a5069b3817e679740b638d3ea25f7977a498e683248e5a2d115d2f3de5ca3b0cdf3dae78189e8bd162040ebb0ff47cb61b1feac033ed48
- SSDEEP: 12288:Iy90C5Q3ygkjuY9sStK91gp20p6DWx0+5E2FmBiOsh:IyU3tY/wJ66DCu2FYkh
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Processes (resource: yara_rule):
- behavioral1/memory/4516-19-0x00000000022F0000-0x000000000230A000-memory.dmp: healer
- behavioral1/memory/4516-21-0x00000000024A0000-0x00000000024B8000-memory.dmp: healer
- behavioral1/memory/4516-29-0x00000000024A0000-0x00000000024B3000-memory.dmp: healer
- behavioral1/memory/4516-49-0x00000000024A0000-0x00000000024B3000-memory.dmp: healer
- behavioral1/memory/4516-48-0x00000000024A0000-0x00000000024B3000-memory.dmp: healer
- behavioral1/memory/4516-45-0x00000000024A0000-0x00000000024B3000-memory.dmp: healer
- behavioral1/memory/4516-44-0x00000000024A0000-0x00000000024B3000-memory.dmp: healer
- behavioral1/memory/4516-41-0x00000000024A0000-0x00000000024B3000-memory.dmp: healer
- behavioral1/memory/4516-40-0x00000000024A0000-0x00000000024B3000-memory.dmp: healer
- behavioral1/memory/4516-37-0x00000000024A0000-0x00000000024B3000-memory.dmp: healer
- behavioral1/memory/4516-35-0x00000000024A0000-0x00000000024B3000-memory.dmp: healer
- behavioral1/memory/4516-33-0x00000000024A0000-0x00000000024B3000-memory.dmp: healer
- behavioral1/memory/4516-31-0x00000000024A0000-0x00000000024B3000-memory.dmp: healer
- behavioral1/memory/4516-27-0x00000000024A0000-0x00000000024B3000-memory.dmp: healer
- behavioral1/memory/4516-25-0x00000000024A0000-0x00000000024B3000-memory.dmp: healer
- behavioral1/memory/4516-23-0x00000000024A0000-0x00000000024B3000-memory.dmp: healer
- behavioral1/memory/4516-22-0x00000000024A0000-0x00000000024B3000-memory.dmp: healer
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
Processes (process: 72077345.exe; description and ioc):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Processes (resource: yara_rule):
- behavioral1/memory/1980-61-0x00000000023E0000-0x000000000241C000-memory.dmp: family_redline
- behavioral1/memory/1980-62-0x0000000002530000-0x000000000256A000-memory.dmp: family_redline
- behavioral1/memory/1980-70-0x0000000002530000-0x0000000002565000-memory.dmp: family_redline
- behavioral1/memory/1980-78-0x0000000002530000-0x0000000002565000-memory.dmp: family_redline
- behavioral1/memory/1980-96-0x0000000002530000-0x0000000002565000-memory.dmp: family_redline
- behavioral1/memory/1980-94-0x0000000002530000-0x0000000002565000-memory.dmp: family_redline
- behavioral1/memory/1980-92-0x0000000002530000-0x0000000002565000-memory.dmp: family_redline
- behavioral1/memory/1980-90-0x0000000002530000-0x0000000002565000-memory.dmp: family_redline
- behavioral1/memory/1980-88-0x0000000002530000-0x0000000002565000-memory.dmp: family_redline
- behavioral1/memory/1980-84-0x0000000002530000-0x0000000002565000-memory.dmp: family_redline
- behavioral1/memory/1980-82-0x0000000002530000-0x0000000002565000-memory.dmp: family_redline
- behavioral1/memory/1980-81-0x0000000002530000-0x0000000002565000-memory.dmp: family_redline
- behavioral1/memory/1980-76-0x0000000002530000-0x0000000002565000-memory.dmp: family_redline
- behavioral1/memory/1980-74-0x0000000002530000-0x0000000002565000-memory.dmp: family_redline
- behavioral1/memory/1980-72-0x0000000002530000-0x0000000002565000-memory.dmp: family_redline
- behavioral1/memory/1980-86-0x0000000002530000-0x0000000002565000-memory.dmp: family_redline
- behavioral1/memory/1980-68-0x0000000002530000-0x0000000002565000-memory.dmp: family_redline
- behavioral1/memory/1980-66-0x0000000002530000-0x0000000002565000-memory.dmp: family_redline
- behavioral1/memory/1980-64-0x0000000002530000-0x0000000002565000-memory.dmp: family_redline
- behavioral1/memory/1980-63-0x0000000002530000-0x0000000002565000-memory.dmp: family_redline
Redline family

Executes dropped EXE (3 IoCs)
Processes (pid: process):
- 1744: un853383.exe
- 4516: 72077345.exe
- 1980: rk487298.exe
Windows security modification (2 IoCs)
Processes (process: 72077345.exe; description and ioc):
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: un853383.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: da0f4b326af173c8e18b81fd44d60781e4cdbaa5534ee796949f2271be08ab3b.exe)
Program crash (1 IoCs)
Processes (pid, pid_target, process, target process):
- 4896, 4516, WerFault.exe, 72077345.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description, ioc, process):
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: da0f4b326af173c8e18b81fd44d60781e4cdbaa5534ee796949f2271be08ab3b.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: un853383.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 72077345.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: rk487298.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid: process):
- 4516: 72077345.exe
- 4516: 72077345.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 4516, 72077345.exe
- Token: SeDebugPrivilege, 1980, rk487298.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description, pid, process, target process):
- PID 3512 wrote to memory of 1744: da0f4b326af173c8e18b81fd44d60781e4cdbaa5534ee796949f2271be08ab3b.exe -> un853383.exe
- PID 3512 wrote to memory of 1744: da0f4b326af173c8e18b81fd44d60781e4cdbaa5534ee796949f2271be08ab3b.exe -> un853383.exe
- PID 3512 wrote to memory of 1744: da0f4b326af173c8e18b81fd44d60781e4cdbaa5534ee796949f2271be08ab3b.exe -> un853383.exe
- PID 1744 wrote to memory of 4516: un853383.exe -> 72077345.exe
- PID 1744 wrote to memory of 4516: un853383.exe -> 72077345.exe
- PID 1744 wrote to memory of 4516: un853383.exe -> 72077345.exe
- PID 1744 wrote to memory of 1980: un853383.exe -> rk487298.exe
- PID 1744 wrote to memory of 1980: un853383.exe -> rk487298.exe
- PID 1744 wrote to memory of 1980: un853383.exe -> rk487298.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\da0f4b326af173c8e18b81fd44d60781e4cdbaa5534ee796949f2271be08ab3b.exe (PID 3512, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\da0f4b326af173c8e18b81fd44d60781e4cdbaa5534ee796949f2271be08ab3b.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un853383.exe (PID 1744, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un853383.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\72077345.exe (PID 4516, depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\72077345.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 4896, depth 4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1084
        - Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk487298.exe (PID 1980, depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk487298.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 564, depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4516 -ip 4516
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Dropped file 1
  Filesize: 536KB
  MD5: f6043c69dc8a95bbba087d237c446f2f
  SHA1: cdc4a51999a446e93b3ebd6af6657b6c83923cbd
  SHA256: 6b17ce91fe300f579a38556e2982f04098c02cec5f9773adac5f3d263065c287
  SHA512: 1b33555d3c3bd87d0d32148e72ec2faebe02de40157b327407601fe011317a881b7d7d9aa141ed8cf5ca60b14b714ad3eb6fb7025d0f099fff61197f9c579eaa
- Dropped file 2
  Filesize: 259KB
  MD5: fac26d26057036165f80251224bd5e46
  SHA1: 52141d23857d86a20d2ae79e7c8895bc4ab1f7d9
  SHA256: 70f3442c6c6e161851e20eea47197194d6604a37160568de10f336742dd498ce
  SHA512: a5d289bf7ce2c625a153ba1f2896c495ff6b4d21b55fdf0630da1fefee0a8c82e22a1b43657a75aea0c239fcb7bbf238805500c66df9e68fac10f7e5a349c176
- Dropped file 3
  Filesize: 341KB
  MD5: 27775a80249f4bb95d64ca226ff9fc68
  SHA1: 69d68f0be1988fc0edfae1befac310303b7417d3
  SHA256: dca6b9adbf4046859080f88f8b7b8c8e3732e998b987366ff7a79e20ee9d3b29
  SHA512: f880f0e61d9783b6d6faf423ed3a70b41b6ae3c85b80ca6d30975dadb66d948db0b61c9c75a816aa0628174a2f932a9d1d197af589bf8eb4423a1db4b8995e02