Analysis

max time kernel: 138s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 02:05
Static task: static1
Behavioral task: behavioral1
Sample: 2dd3cd6cb382602eea9e0526c49a9b91d127aa2bdac315ec216bec6e6b83e0c3.exe
Resource: win10v2004-20241007-en
General

Target: 2dd3cd6cb382602eea9e0526c49a9b91d127aa2bdac315ec216bec6e6b83e0c3.exe
Size: 479KB
MD5: ca8d7a0661410bf79dfc807242fdae5d
SHA1: 28c435f3d48db88296d938cbfd48c3876e1319e5
SHA256: 2dd3cd6cb382602eea9e0526c49a9b91d127aa2bdac315ec216bec6e6b83e0c3
SHA512: 94395083679c0fcbff8da7270fc70ad630403fe47c42ecb7ec5cde7e01c2f047a5e01fde5c9142a3cbce506ddfa41b46b528c887fcabf633cd4c24de83e97bad
SSDEEP: 12288:VMrqy908SCutxrXRDR8wt5kLQQbX5eD/YOHPiTU:fyDSPhfG/peDwOL
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Processes: k3605247.exe
resource  yara_rule
- behavioral1/memory/2424-15-0x00000000020A0000-0x00000000020BA000-memory.dmp  healer
- behavioral1/memory/2424-20-0x00000000023A0000-0x00000000023B8000-memory.dmp  healer
- behavioral1/memory/2424-42-0x00000000023A0000-0x00000000023B2000-memory.dmp  healer
- behavioral1/memory/2424-48-0x00000000023A0000-0x00000000023B2000-memory.dmp  healer
- behavioral1/memory/2424-46-0x00000000023A0000-0x00000000023B2000-memory.dmp  healer
- behavioral1/memory/2424-44-0x00000000023A0000-0x00000000023B2000-memory.dmp  healer
- behavioral1/memory/2424-40-0x00000000023A0000-0x00000000023B2000-memory.dmp  healer
- behavioral1/memory/2424-38-0x00000000023A0000-0x00000000023B2000-memory.dmp  healer
- behavioral1/memory/2424-36-0x00000000023A0000-0x00000000023B2000-memory.dmp  healer
- behavioral1/memory/2424-34-0x00000000023A0000-0x00000000023B2000-memory.dmp  healer
- behavioral1/memory/2424-32-0x00000000023A0000-0x00000000023B2000-memory.dmp  healer
- behavioral1/memory/2424-30-0x00000000023A0000-0x00000000023B2000-memory.dmp  healer
- behavioral1/memory/2424-28-0x00000000023A0000-0x00000000023B2000-memory.dmp  healer
- behavioral1/memory/2424-26-0x00000000023A0000-0x00000000023B2000-memory.dmp  healer
- behavioral1/memory/2424-24-0x00000000023A0000-0x00000000023B2000-memory.dmp  healer
- behavioral1/memory/2424-22-0x00000000023A0000-0x00000000023B2000-memory.dmp  healer
- behavioral1/memory/2424-21-0x00000000023A0000-0x00000000023B2000-memory.dmp  healer

Healer family

Modifies Windows Defender Real-time Protection settings
Processes: k3605247.exe
description  ioc  Process
- Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  k3605247.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  k3605247.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  k3605247.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  k3605247.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  k3605247.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  k3605247.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (2 IoCs)
resource  yara_rule
- behavioral1/files/0x0008000000023c49-54.dat  family_redline
- behavioral1/memory/4880-56-0x00000000007B0000-0x00000000007D8000-memory.dmp  family_redline

Redline family

Executes dropped EXE (3 IoCs)
Processes: y8614845.exe, k3605247.exe, l8687869.exe
pid  Process
- 3936  y8614845.exe
- 2424  k3605247.exe
- 4880  l8687869.exe

Windows security modification
Processes: k3605247.exe
description  ioc  Process
- Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  k3605247.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  k3605247.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 2dd3cd6cb382602eea9e0526c49a9b91d127aa2bdac315ec216bec6e6b83e0c3.exe, y8614845.exe
description  ioc  Process
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  2dd3cd6cb382602eea9e0526c49a9b91d127aa2bdac315ec216bec6e6b83e0c3.exe
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  y8614845.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 2dd3cd6cb382602eea9e0526c49a9b91d127aa2bdac315ec216bec6e6b83e0c3.exe, y8614845.exe, k3605247.exe, l8687869.exe
description  ioc  Process
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2dd3cd6cb382602eea9e0526c49a9b91d127aa2bdac315ec216bec6e6b83e0c3.exe
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  y8614845.exe
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  k3605247.exe
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  l8687869.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: k3605247.exe
pid  Process
- 2424  k3605247.exe
- 2424  k3605247.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: k3605247.exe
description  pid  Process
- Token: SeDebugPrivilege  2424  k3605247.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 2dd3cd6cb382602eea9e0526c49a9b91d127aa2bdac315ec216bec6e6b83e0c3.exe, y8614845.exe
description  pid  Process  procid_target
- PID 2512 wrote to memory of 3936  2512  2dd3cd6cb382602eea9e0526c49a9b91d127aa2bdac315ec216bec6e6b83e0c3.exe  83
- PID 2512 wrote to memory of 3936  2512  2dd3cd6cb382602eea9e0526c49a9b91d127aa2bdac315ec216bec6e6b83e0c3.exe  83
- PID 2512 wrote to memory of 3936  2512  2dd3cd6cb382602eea9e0526c49a9b91d127aa2bdac315ec216bec6e6b83e0c3.exe  83
- PID 3936 wrote to memory of 2424  3936  y8614845.exe  84
- PID 3936 wrote to memory of 2424  3936  y8614845.exe  84
- PID 3936 wrote to memory of 2424  3936  y8614845.exe  84
- PID 3936 wrote to memory of 4880  3936  y8614845.exe  98
- PID 3936 wrote to memory of 4880  3936  y8614845.exe  98
- PID 3936 wrote to memory of 4880  3936  y8614845.exe  98
Processes

C:\Users\Admin\AppData\Local\Temp\2dd3cd6cb382602eea9e0526c49a9b91d127aa2bdac315ec216bec6e6b83e0c3.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2dd3cd6cb382602eea9e0526c49a9b91d127aa2bdac315ec216bec6e6b83e0c3.exe"
  PID: 2512
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8614845.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8614845.exe
    PID: 3936
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3605247.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3605247.exe
      PID: 2424
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8687869.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8687869.exe
      PID: 4880
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

Filesize: 307KB
MD5: b4c43a1e60e00e171ca62e619db2535b
SHA1: 8e9fa77173df4d83d779cfd78015072ce8514aaf
SHA256: 4023883d1c7ff4edc7598924065033f3ca86a465e54259efbdc6751d5de14f5a
SHA512: 28f23dfb2bd16258e0ec2f34eec3e146f0b87a35909b73b1a23ab0a2fdb4dd31bfcbf1648d3201d1adbe7c2b9b90e047705a95141ad45c9348b7af84626ad7ea

Filesize: 175KB
MD5: debf3046e1cd137d50c54602f9c82451
SHA1: 9443adf1fdc055c629650638aa43cdce5d0c2258
SHA256: 28c5bb5bbe53c2c791e175a2647e55b5660d95fb530d774502cd13130f46512b
SHA512: e1b1c9b3b3600a808448100d94f3e0618c97b2eff92472efe122d378d5b030b10b4d6b5cce11bb7107e944f0ae2c973544fb245985c210a670e906e0455dff80

Filesize: 137KB
MD5: e01341871106094e8cdf0f49c7800369
SHA1: 6d2c17a7ff9037f4e0834998946f29b59fb2bf18
SHA256: 1627fba719a0532e9de3309a3d08e01378f87ad934cb78c16d6ebf9ee8e0a0a7
SHA512: a1fb562757d8956983aea2e06f2ede71b978a24dc5afe56ded11e4ca372da3750e130a807572c5094688a7ffec450248e3bc7ea3cf4106f49453e7c39d42b9b5