Analysis
Max time kernel: 120s
Max time network: 116s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 13-11-2024 12:56
Static task: static1
Behavioral task: behavioral1
  Sample: db8e85d12381c668b33d9c7420c7c9211ae10cf9b090d94b00feae4c8695cc70N.exe
  Resource: win10v2004-20241007-en
General
Target: db8e85d12381c668b33d9c7420c7c9211ae10cf9b090d94b00feae4c8695cc70N.exe
Size: 746KB
MD5: 3336b8eb59844721b05fab0f97c626c0
SHA1: df737d894bb823d3d8db969c028703a9038ac6da
SHA256: db8e85d12381c668b33d9c7420c7c9211ae10cf9b090d94b00feae4c8695cc70
SHA512: 6d1323f947d670f35a6b3285f62a3b04f9461015d88883c2e4fa02c74f25f933dd5de2ca4e5bd45513b5ac9a2aa86d6dc33f3747019706389164d6490d59bb98
SSDEEP: 12288:Ny90zYmEL3+jcd0xb44XN/cR1Ag9LZkV10p4XfSDVTtS:NywrlN/cwg9mD7XfQBS
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/5064-19-0x0000000000AD0000-0x0000000000AEA000-memory.dmp | healer
behavioral1/memory/5064-21-0x0000000002640000-0x0000000002658000-memory.dmp | healer
behavioral1/memory/5064-47-0x0000000002640000-0x0000000002652000-memory.dmp | healer
behavioral1/memory/5064-49-0x0000000002640000-0x0000000002652000-memory.dmp | healer
behavioral1/memory/5064-45-0x0000000002640000-0x0000000002652000-memory.dmp | healer
behavioral1/memory/5064-43-0x0000000002640000-0x0000000002652000-memory.dmp | healer
behavioral1/memory/5064-41-0x0000000002640000-0x0000000002652000-memory.dmp | healer
behavioral1/memory/5064-39-0x0000000002640000-0x0000000002652000-memory.dmp | healer
behavioral1/memory/5064-37-0x0000000002640000-0x0000000002652000-memory.dmp | healer
behavioral1/memory/5064-35-0x0000000002640000-0x0000000002652000-memory.dmp | healer
behavioral1/memory/5064-33-0x0000000002640000-0x0000000002652000-memory.dmp | healer
behavioral1/memory/5064-31-0x0000000002640000-0x0000000002652000-memory.dmp | healer
behavioral1/memory/5064-29-0x0000000002640000-0x0000000002652000-memory.dmp | healer
behavioral1/memory/5064-27-0x0000000002640000-0x0000000002652000-memory.dmp | healer
behavioral1/memory/5064-25-0x0000000002640000-0x0000000002652000-memory.dmp | healer
behavioral1/memory/5064-23-0x0000000002640000-0x0000000002652000-memory.dmp | healer
behavioral1/memory/5064-22-0x0000000002640000-0x0000000002652000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings (6 IoCs)
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 89754803.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 89754803.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 89754803.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 89754803.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 89754803.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 89754803.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/3684-60-0x00000000027D0000-0x000000000280C000-memory.dmp | family_redline
behavioral1/memory/3684-61-0x0000000004E10000-0x0000000004E4A000-memory.dmp | family_redline
behavioral1/memory/3684-65-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
behavioral1/memory/3684-71-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
behavioral1/memory/3684-95-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
behavioral1/memory/3684-93-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
behavioral1/memory/3684-91-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
behavioral1/memory/3684-87-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
behavioral1/memory/3684-85-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
behavioral1/memory/3684-83-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
behavioral1/memory/3684-81-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
behavioral1/memory/3684-79-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
behavioral1/memory/3684-75-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
behavioral1/memory/3684-69-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
behavioral1/memory/3684-67-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
behavioral1/memory/3684-89-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
behavioral1/memory/3684-77-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
behavioral1/memory/3684-73-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
behavioral1/memory/3684-63-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
behavioral1/memory/3684-62-0x0000000004E10000-0x0000000004E45000-memory.dmp | family_redline
Redline family
Executes dropped EXE (3 IoCs)
Processes:
pid | Process
1416 | un981626.exe
5064 | 89754803.exe
3684 | rk855620.exe
Windows security modification (2 IoCs)
Processes:
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 89754803.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 89754803.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un981626.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | db8e85d12381c668b33d9c7420c7c9211ae10cf9b090d94b00feae4c8695cc70N.exe
Program crash (1 IoC)
Processes:
pid | pid_target | Process | procid_target
684 | 5064 | WerFault.exe | 84
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rk855620.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | db8e85d12381c668b33d9c7420c7c9211ae10cf9b090d94b00feae4c8695cc70N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un981626.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 89754803.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | Process
5064 | 89754803.exe
5064 | 89754803.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | Process
Token: SeDebugPrivilege | 5064 | 89754803.exe
Token: SeDebugPrivilege | 3684 | rk855620.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | Process | procid_target
PID 1880 wrote to memory of 1416 | 1880 | db8e85d12381c668b33d9c7420c7c9211ae10cf9b090d94b00feae4c8695cc70N.exe | 83
PID 1880 wrote to memory of 1416 | 1880 | db8e85d12381c668b33d9c7420c7c9211ae10cf9b090d94b00feae4c8695cc70N.exe | 83
PID 1880 wrote to memory of 1416 | 1880 | db8e85d12381c668b33d9c7420c7c9211ae10cf9b090d94b00feae4c8695cc70N.exe | 83
PID 1416 wrote to memory of 5064 | 1416 | un981626.exe | 84
PID 1416 wrote to memory of 5064 | 1416 | un981626.exe | 84
PID 1416 wrote to memory of 5064 | 1416 | un981626.exe | 84
PID 1416 wrote to memory of 3684 | 1416 | un981626.exe | 99
PID 1416 wrote to memory of 3684 | 1416 | un981626.exe | 99
PID 1416 wrote to memory of 3684 | 1416 | un981626.exe | 99
Processes
- C:\Users\Admin\AppData\Local\Temp\db8e85d12381c668b33d9c7420c7c9211ae10cf9b090d94b00feae4c8695cc70N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\db8e85d12381c668b33d9c7420c7c9211ae10cf9b090d94b00feae4c8695cc70N.exe"
  PID: 1880
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un981626.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un981626.exe
    PID: 1416
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\89754803.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\89754803.exe
      PID: 5064
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1064
        PID: 684
        - Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk855620.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk855620.exe
      PID: 3684
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5064 -ip 5064
  PID: 3940
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads
- Filesize: 592KB
  MD5: 2ab7b8a1fafe8436a048510d839807a2
  SHA1: 1f1a16de3ec020597fbb65ec3a7687f5431e999b
  SHA256: b7bd9b8cca5e8ab7d5a94b0650807034e7faaf80ed29d6d05efc05619f8db58d
  SHA512: 4baac17a97c44c92d7ccee724cb40e92dbf0c0fd3c8e77b2a073a26a82db4784d265105c0c9a5b0918386dd1508338eed60ee680889842c57e8831cddcf1d52d
- Filesize: 376KB
  MD5: 01792e52d66f82fcf38fceb8b46d9624
  SHA1: 49595c06b7072484a4266cd9d5dfcf184caa20a1
  SHA256: d79356c68374e5ba2aea5b0b0357cd1166646a1eb15a598a5d3caff1cf282a24
  SHA512: 40e46636d81dbca9bf17db5d8cf5a9de227dcc4afe31e968764ed23f1cb316746c9102066d346a6fba01c6017cd1fcea29e60203005181ffb895004617ea6fa6
- Filesize: 459KB
  MD5: d762123bf53f326eafc97aa71033821d
  SHA1: 1b4c0b9516c7df80e48cce951801376ca91e6e61
  SHA256: ec38d5f974035dc2536c9f73a3391f2981be86c0d27b72df217ef1d4660e3d50
  SHA512: 73e2c10712beeabf8f6bb30858f0bcc761f1b9199631406d71d7dce4f2135fe428616ffc3e89ec38507cacef5761eda88edeb07da0ce401d0b66425c8e3bca7d