Analysis
max time kernel: 141s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 03:51

Static task: static1
Behavioral task: behavioral1
Sample: e43e26437c49079425df6bfd6997cb8052123c99d41a2f8ce159a80cc0f85597.exe
Resource: win10v2004-20241007-en
General
Target: e43e26437c49079425df6bfd6997cb8052123c99d41a2f8ce159a80cc0f85597.exe
Size: 559KB
MD5: 48a5656cab568cdfdc48b7fedbf9d9ff
SHA1: e349711f9df63b330375829f05ee73a6672b8fe0
SHA256: e43e26437c49079425df6bfd6997cb8052123c99d41a2f8ce159a80cc0f85597
SHA512: b951fe7d6c9e89030dfadc2b7a5fc811c87db9e182f219a570e413545d60876770fcd3fbe6049ea9b0d95235c88eab2ab8f367976af6ecf696a2ea008fe60cc2
SSDEEP: 6144:6pp0yN90QESDCQWB/+C1IiTvje5ei1QAOgWp6x0iHZEcLuwmiQk1FlFe0KgxNAH8:Vy90QATWei1Qdf6uWZEcq/uxcHF6mo
Malware Config
Signatures
-
Detects Healer, an antivirus disabler dropper 2 IoCs
resource | yara_rule
behavioral1/files/0x000b000000023b96-12.dat | healer
behavioral1/memory/3664-15-0x0000000000BA0000-0x0000000000BAA000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | it216302.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | it216302.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | it216302.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | it216302.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | it216302.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | it216302.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
resource | yara_rule
behavioral1/memory/2900-22-0x0000000004CF0000-0x0000000004D2C000-memory.dmp | family_redline
behavioral1/memory/2900-24-0x00000000077A0000-0x00000000077DA000-memory.dmp | family_redline
behavioral1/memory/2900-34-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2900-32-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2900-30-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2900-28-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2900-62-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2900-26-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2900-25-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2900-88-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2900-86-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2900-84-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2900-82-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2900-80-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2900-78-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2900-76-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2900-74-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2900-72-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2900-70-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2900-68-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2900-66-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2900-64-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2900-60-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2900-58-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2900-56-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2900-54-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2900-52-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2900-50-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2900-48-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2900-46-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2900-44-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2900-42-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2900-40-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2900-38-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
behavioral1/memory/2900-36-0x00000000077A0000-0x00000000077D5000-memory.dmp | family_redline
Redline family
-
Executes dropped EXE 3 IoCs
pid | Process
3688 | ziYz4971.exe
3664 | it216302.exe
2900 | kp129623.exe

Windows security modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | it216302.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | e43e26437c49079425df6bfd6997cb8052123c99d41a2f8ce159a80cc0f85597.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziYz4971.exe
Caveat: both values are the cleanup entries that the IExpress/wextract self-extractor writes for its IXPnnn.TMP extraction directory; advpack.dll's DelNodeRunDLL32 deletes that directory tree at the next logon. They indicate a two-layer IExpress wrapper (the outer sample unpacks to IXP000.TMP, ziYz4971.exe to IXP001.TMP) rather than autostart persistence for the dropped payloads, which the process tree shows running directly from those directories.
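The following Python script is an added example, not code from the sandbox vendor, the sample, or any project this report describes. It parses the registry IoC lines of the Healer, Windows security modification and Run key tables above in the layout this page prints them (that line layout is an assumption about the page text, not a documented export format) and applies the two checks a responder would run on such events: Defender tampering (the five Real-Time Protection policy values set to 1 plus TamperProtection set to 0) and Run/RunOnce writes, where it separates the IExpress wextract_cleanupN entries from genuine autostart persistence. The updater.exe Run entry in the sample data is a constructed control that does not appear in the report.

```python
"""Registry-IoC triage for this report.

Added example, not sandbox or sample code. Parses registry-event lines in
the layout the report prints (an assumption about the page text) and runs
two checks: Defender tampering (the Healer behaviour recorded above) and
Run/RunOnce writes, separating IExpress wextract_cleanupN entries (which use
advpack.dll,DelNodeRunDLL32 to delete an IXPnnn.TMP staging directory)
from genuine autostart persistence.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

# 'Set value (type) <key>\<name> = "<escaped data>" <process>'; the data
# field carries \\ and \" escapes, which json.loads undoes.
SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "((?:[^"\\]|\\.)*)" (\S+)$')
CREATE_RE = re.compile(r"^Key created (.+) (\S+)$")

RTP_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP_DISABLE_VALUES = {"DisableBehaviorMonitoring", "DisableIOAVProtection",
                      "DisableOnAccessProtection", "DisableRealtimeMonitoring",
                      "DisableScanOnRealtimeEnable"}
TAMPER_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"
AUTORUN_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)$", re.I)
DELNODE_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"([^"]+)"', re.I)


@dataclass(frozen=True)
class RegEvent:
    process: str
    key: str
    name: Optional[str] = None   # None for "Key created"
    data: Optional[str] = None


def parse_line(line: str) -> Optional[RegEvent]:
    m = SET_RE.match(line)
    if m:
        _vtype, path, raw, proc = m.groups()
        key, _, name = path.rpartition("\\")
        return RegEvent(proc, key, name, json.loads(f'"{raw}"'))
    m = CREATE_RE.match(line)
    return RegEvent(m.group(2), m.group(1)) if m else None


def defender_findings(events):
    """process -> set of tags for Defender policy/feature writes that weaken it."""
    out = {}
    for ev in events:
        if ev.name is None:
            continue
        tag = None
        if ev.key.lower() == RTP_POLICY_KEY.lower() and ev.name in RTP_DISABLE_VALUES and ev.data == "1":
            tag = "rtp_disabled:" + ev.name
        elif ev.key.lower() == TAMPER_KEY.lower() and ev.name == "TamperProtection" and ev.data == "0":
            tag = "tamper_protection_off"
        if tag:
            out.setdefault(ev.process, set()).add(tag)
    return out


def healer_like(findings):
    """Processes that both switch off real-time features and zero TamperProtection.
    Whether such writes take effect depends on Tamper Protection already being
    off; the sandbox records the attempt either way."""
    return {p for p, tags in findings.items()
            if "tamper_protection_off" in tags and any(t.startswith("rtp_disabled:") for t in tags)}


def autorun_findings(events):
    """(process, value name, kind, staging dir) for each Run/RunOnce write.
    wextract_cleanupN with DelNodeRunDLL32 is the IExpress self-extractor
    scheduling deletion of its IXPnnn.TMP folder, not payload persistence."""
    out = []
    for ev in events:
        if ev.name is None or not AUTORUN_RE.search(ev.key):
            continue
        m = DELNODE_RE.search(ev.data or "")
        if m and re.fullmatch(r"wextract_cleanup\d+", ev.name, re.I):
            out.append((ev.process, ev.name, "iexpress_cleanup", m.group(1).rstrip("\\")))
        else:
            out.append((ev.process, ev.name, "autostart_persistence", None))
    return out


# Lines copied from this report's IoC tables, plus one constructed Run entry
# (updater.exe) as a control that is not in the report.
SAMPLE_LINES = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection it216302.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" it216302.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" it216302.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" it216302.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" it216302.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" it216302.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it216302.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" e43e26437c49079425df6bfd6997cb8052123c99d41a2f8ce159a80cc0f85597.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ziYz4971.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\updater.exe" updater.exe',
]
EVENTS = [ev for ev in map(parse_line, SAMPLE_LINES) if ev]

if __name__ == "__main__":
    for proc, tags in defender_findings(EVENTS).items():
        print(proc, sorted(tags))
    print("healer-like:", healer_like(defender_findings(EVENTS)))
    for row in autorun_findings(EVENTS):
        print(row)
```

Run against the report's lines, it216302.exe is the only process flagged as Healer-like (six tampering tags), and both wextract_cleanup values resolve to IExpress staging directories (IXP000.TMP written by the outer sample, IXP001.TMP by ziYz4971.exe) while the constructed Updater entry is the only row classed as autostart persistence. The key comparison is case-insensitive because registry paths are; the value data is compared exactly, since "1" and "0" are the only settings of interest here.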
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kp129623.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e43e26437c49079425df6bfd6997cb8052123c99d41a2f8ce159a80cc0f85597.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ziYz4971.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
3664 | it216302.exe
3664 | it216302.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3664 | it216302.exe
Token: SeDebugPrivilege | 2900 | kp129623.exe

Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 3196 wrote to memory of 3688 | 3196 | e43e26437c49079425df6bfd6997cb8052123c99d41a2f8ce159a80cc0f85597.exe | 83
PID 3196 wrote to memory of 3688 | 3196 | e43e26437c49079425df6bfd6997cb8052123c99d41a2f8ce159a80cc0f85597.exe | 83
PID 3196 wrote to memory of 3688 | 3196 | e43e26437c49079425df6bfd6997cb8052123c99d41a2f8ce159a80cc0f85597.exe | 83
PID 3688 wrote to memory of 3664 | 3688 | ziYz4971.exe | 86
PID 3688 wrote to memory of 3664 | 3688 | ziYz4971.exe | 86
PID 3688 wrote to memory of 2900 | 3688 | ziYz4971.exe | 93
PID 3688 wrote to memory of 2900 | 3688 | ziYz4971.exe | 93
PID 3688 wrote to memory of 2900 | 3688 | ziYz4971.exe | 93
Processes
1. C:\Users\Admin\AppData\Local\Temp\e43e26437c49079425df6bfd6997cb8052123c99d41a2f8ce159a80cc0f85597.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\e43e26437c49079425df6bfd6997cb8052123c99d41a2f8ce159a80cc0f85597.exe"
   PID: 3196
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYz4971.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYz4971.exe
      PID: 3688
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it216302.exe
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it216302.exe
         PID: 3664
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp129623.exe
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp129623.exe
         PID: 2900
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Filesize: 405KB
  MD5: 3a98744ae07096897d5e836db1d6eaf7
  SHA1: 57d5268f2c03b515603165232f3ca69e3410c766
  SHA256: f1f015bfaa7c9e866481c6bf1be4aaef38396af6bb127ea7d0c57fc336e03a5f
  SHA512: fbec3c80782063718ef568f01084733ee6a9293025d3a6f526dd3a87c914b3e2adaf04e2450d121295bafda4c899d71c07b77422d1d58a05e26935bd44d2c0e0
- Filesize: 11KB
  MD5: 7e93bacbbc33e6652e147e7fe07572a0
  SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
  SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
  SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
- Filesize: 351KB
  MD5: dbcd89859aa74dc4bbd20605091cfaea
  SHA1: 3f1b14a0c3dcec34ece5227b9430dd2fc06bdae8
  SHA256: fea212bc32fda135b9b7c266cbd266ccd58f5d4b1c70b0b29cf555516de68d0e
  SHA512: ed7518545078249908077b58260f2666804b0d689d24719d8e757a9279f40382d13db56b6a86328461d027fd05f43eb18ec3bed2102f801c8e82f0b3a7a3a91a