Analysis
max time kernel: 142s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 03:56
Static task: static1
Behavioral task: behavioral1
Sample: e95f36a6ecf7da6823f51f80114ac30b788e7543590402a44c0b644656bca115.exe
Resource: win10v2004-20241007-en
General
Target: e95f36a6ecf7da6823f51f80114ac30b788e7543590402a44c0b644656bca115.exe
Size: 690KB
MD5: e695215c0ebc790cf5a07f9916eddc8a
SHA1: f26fe799df966d262dfbdd3485060019d6a04100
SHA256: e95f36a6ecf7da6823f51f80114ac30b788e7543590402a44c0b644656bca115
SHA512: 8b53083f0c1de61dfaa13f59fb3d8cf26bd38ebe558446b139cb3d446f2448f52f4c71e8ed206fb852af50740e4810156811f5bb8adfc4e9c1939c8f23975f39
SSDEEP: 12288:Ry90QdsSxw4BgFycS+KkCA7vJWmSCKw0/lY2ymJ94pH+:Ry9dsn4SPRCA7hWiqG2yAepH+
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
resource yara_rule behavioral1/memory/4688-19-0x00000000022E0000-0x00000000022FA000-memory.dmp healer behavioral1/memory/4688-21-0x00000000026A0000-0x00000000026B8000-memory.dmp healer behavioral1/memory/4688-27-0x00000000026A0000-0x00000000026B3000-memory.dmp healer behavioral1/memory/4688-49-0x00000000026A0000-0x00000000026B3000-memory.dmp healer behavioral1/memory/4688-47-0x00000000026A0000-0x00000000026B3000-memory.dmp healer behavioral1/memory/4688-45-0x00000000026A0000-0x00000000026B3000-memory.dmp healer behavioral1/memory/4688-43-0x00000000026A0000-0x00000000026B3000-memory.dmp healer behavioral1/memory/4688-39-0x00000000026A0000-0x00000000026B3000-memory.dmp healer behavioral1/memory/4688-37-0x00000000026A0000-0x00000000026B3000-memory.dmp healer behavioral1/memory/4688-35-0x00000000026A0000-0x00000000026B3000-memory.dmp healer behavioral1/memory/4688-33-0x00000000026A0000-0x00000000026B3000-memory.dmp healer behavioral1/memory/4688-31-0x00000000026A0000-0x00000000026B3000-memory.dmp healer behavioral1/memory/4688-29-0x00000000026A0000-0x00000000026B3000-memory.dmp healer behavioral1/memory/4688-25-0x00000000026A0000-0x00000000026B3000-memory.dmp healer behavioral1/memory/4688-23-0x00000000026A0000-0x00000000026B3000-memory.dmp healer behavioral1/memory/4688-22-0x00000000026A0000-0x00000000026B3000-memory.dmp healer behavioral1/memory/4688-41-0x00000000026A0000-0x00000000026B3000-memory.dmp healer -
Healer family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 10844405.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 10844405.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 10844405.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 10844405.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 10844405.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 10844405.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
resource yara_rule behavioral1/memory/3144-60-0x0000000002470000-0x00000000024AC000-memory.dmp family_redline behavioral1/memory/3144-61-0x0000000004A70000-0x0000000004AAA000-memory.dmp family_redline behavioral1/memory/3144-67-0x0000000004A70000-0x0000000004AA5000-memory.dmp family_redline behavioral1/memory/3144-75-0x0000000004A70000-0x0000000004AA5000-memory.dmp family_redline behavioral1/memory/3144-95-0x0000000004A70000-0x0000000004AA5000-memory.dmp family_redline behavioral1/memory/3144-91-0x0000000004A70000-0x0000000004AA5000-memory.dmp family_redline behavioral1/memory/3144-89-0x0000000004A70000-0x0000000004AA5000-memory.dmp family_redline behavioral1/memory/3144-87-0x0000000004A70000-0x0000000004AA5000-memory.dmp family_redline behavioral1/memory/3144-85-0x0000000004A70000-0x0000000004AA5000-memory.dmp family_redline behavioral1/memory/3144-83-0x0000000004A70000-0x0000000004AA5000-memory.dmp family_redline behavioral1/memory/3144-81-0x0000000004A70000-0x0000000004AA5000-memory.dmp family_redline behavioral1/memory/3144-79-0x0000000004A70000-0x0000000004AA5000-memory.dmp family_redline behavioral1/memory/3144-73-0x0000000004A70000-0x0000000004AA5000-memory.dmp family_redline behavioral1/memory/3144-71-0x0000000004A70000-0x0000000004AA5000-memory.dmp family_redline behavioral1/memory/3144-69-0x0000000004A70000-0x0000000004AA5000-memory.dmp family_redline behavioral1/memory/3144-93-0x0000000004A70000-0x0000000004AA5000-memory.dmp family_redline behavioral1/memory/3144-77-0x0000000004A70000-0x0000000004AA5000-memory.dmp family_redline behavioral1/memory/3144-65-0x0000000004A70000-0x0000000004AA5000-memory.dmp family_redline behavioral1/memory/3144-63-0x0000000004A70000-0x0000000004AA5000-memory.dmp family_redline behavioral1/memory/3144-62-0x0000000004A70000-0x0000000004AA5000-memory.dmp family_redline -
Redline family
Executes dropped EXE (3 IoCs)
pid | Process
3672 | un843442.exe
4688 | 10844405.exe
3144 | rk878743.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 10844405.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 10844405.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | e95f36a6ecf7da6823f51f80114ac30b788e7543590402a44c0b644656bca115.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un843442.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
2884 | 4688 | WerFault.exe | 84
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 10844405.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rk878743.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e95f36a6ecf7da6823f51f80114ac30b788e7543590402a44c0b644656bca115.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un843442.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4688 | 10844405.exe
4688 | 10844405.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4688 | 10844405.exe
Token: SeDebugPrivilege | 3144 | rk878743.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1636 wrote to memory of 3672 | 1636 | e95f36a6ecf7da6823f51f80114ac30b788e7543590402a44c0b644656bca115.exe | 83
PID 1636 wrote to memory of 3672 | 1636 | e95f36a6ecf7da6823f51f80114ac30b788e7543590402a44c0b644656bca115.exe | 83
PID 1636 wrote to memory of 3672 | 1636 | e95f36a6ecf7da6823f51f80114ac30b788e7543590402a44c0b644656bca115.exe | 83
PID 3672 wrote to memory of 4688 | 3672 | un843442.exe | 84
PID 3672 wrote to memory of 4688 | 3672 | un843442.exe | 84
PID 3672 wrote to memory of 4688 | 3672 | un843442.exe | 84
PID 3672 wrote to memory of 3144 | 3672 | un843442.exe | 99
PID 3672 wrote to memory of 3144 | 3672 | un843442.exe | 99
PID 3672 wrote to memory of 3144 | 3672 | un843442.exe | 99
Processes
C:\Users\Admin\AppData\Local\Temp\e95f36a6ecf7da6823f51f80114ac30b788e7543590402a44c0b644656bca115.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e95f36a6ecf7da6823f51f80114ac30b788e7543590402a44c0b644656bca115.exe"
  PID: 1636
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un843442.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un843442.exe
    PID: 3672
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\10844405.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\10844405.exe
      PID: 4688
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 1080
        PID: 2884
        - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk878743.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk878743.exe
      PID: 3144
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4688 -ip 4688
  PID: 2232
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 536KB
MD5: af96a3cf4bd90cbf15e6914b8bdda515
SHA1: 2ab8367f98e007234666ce45b8cd3d34fef8f634
SHA256: ebb53151e45d664e33fced799428820100e661fd468b8ed450a43620e1b1aa22
SHA512: 38d4365df1800b2542347ce599f62906aca827df193f84742407e8c9d7e37a52f61d88561863f5e86226fb1880fd4a8faf8243b167521cdcf97fb1839b163c0c

Filesize: 259KB
MD5: c0041a30823c607df3f43f22e55120d1
SHA1: 12d384fc70b48b0e443b0dc7c23451d03a125058
SHA256: bef4ada4296027b45cc08d85fb5af4c16498b66c8c080f10710f32ce5fac2f5b
SHA512: 9034fc141273776252cb3aaf2862a4c0cdec595eef13cabbb29f984bb2261abb29dcda970adc523b1692912809320fe9a09fedaa806b9fc82384a3aa1327211e

Filesize: 341KB
MD5: c6882aeea25d1072efa4387f49d75795
SHA1: 957d95e77e31e2d5ba64308d82128f3e6568ba5c
SHA256: 635262b19724137ef2fa26eb5585172ed476f8de0a667a962b3a0e2014349aad
SHA512: 1e5b2c52880805d4ee0758e3c48ed0e5f6333cc06e0278e833df3db796e55a79612e6c03e1fb70f6d8d034d7c4261064386072565fcb796e1522d566866f77cb