Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
09/11/2024, 06:04
Static task
static1
Behavioral task
behavioral1
Sample
ee9ebccfe27092cd9602310dd613b493ae72cd25d7b91d48187583578334a2f5.exe
Resource
win10v2004-20241007-en
General
-
Target
ee9ebccfe27092cd9602310dd613b493ae72cd25d7b91d48187583578334a2f5.exe
-
Size
701KB
-
MD5
2b4644251bb0cb94c0d07a9199e3c32d
-
SHA1
48ec72482453a696ffc8c5f49f2d6f9f460754f7
-
SHA256
ee9ebccfe27092cd9602310dd613b493ae72cd25d7b91d48187583578334a2f5
-
SHA512
bf630a0df47224976fb1932eb400b7aa51da252736f7c44c381966297b0b40e19d2d743688165323798e6e845c707ed736694058efd89c2434cd96b80a69f99d
-
SSDEEP
12288:Iy90nZ+7eLVXmi+dlPXvf2k4lgG92nEG28o9w2Whl/3prBiWCJDm:IyiaDPvmZGqwHDRrBiHJq
Malware Config
Signatures
-
Detects Healer, an antivirus disabler dropper 17 IoCs
resource | yara_rule
behavioral1/memory/1124-18-0x00000000049A0000-0x00000000049BA000-memory.dmp | healer
behavioral1/memory/1124-20-0x00000000076F0000-0x0000000007708000-memory.dmp | healer
behavioral1/memory/1124-36-0x00000000076F0000-0x0000000007702000-memory.dmp | healer
behavioral1/memory/1124-48-0x00000000076F0000-0x0000000007702000-memory.dmp | healer
behavioral1/memory/1124-46-0x00000000076F0000-0x0000000007702000-memory.dmp | healer
behavioral1/memory/1124-45-0x00000000076F0000-0x0000000007702000-memory.dmp | healer
behavioral1/memory/1124-42-0x00000000076F0000-0x0000000007702000-memory.dmp | healer
behavioral1/memory/1124-40-0x00000000076F0000-0x0000000007702000-memory.dmp | healer
behavioral1/memory/1124-38-0x00000000076F0000-0x0000000007702000-memory.dmp | healer
behavioral1/memory/1124-35-0x00000000076F0000-0x0000000007702000-memory.dmp | healer
behavioral1/memory/1124-32-0x00000000076F0000-0x0000000007702000-memory.dmp | healer
behavioral1/memory/1124-30-0x00000000076F0000-0x0000000007702000-memory.dmp | healer
behavioral1/memory/1124-29-0x00000000076F0000-0x0000000007702000-memory.dmp | healer
behavioral1/memory/1124-26-0x00000000076F0000-0x0000000007702000-memory.dmp | healer
behavioral1/memory/1124-24-0x00000000076F0000-0x0000000007702000-memory.dmp | healer
behavioral1/memory/1124-22-0x00000000076F0000-0x0000000007702000-memory.dmp | healer
behavioral1/memory/1124-21-0x00000000076F0000-0x0000000007702000-memory.dmp | healer
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 33728620.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 33728620.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 33728620.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 33728620.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 33728620.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 33728620.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource | yara_rule
behavioral1/memory/4544-59-0x0000000004A90000-0x0000000004ACC000-memory.dmp | family_redline
behavioral1/memory/4544-60-0x0000000004D50000-0x0000000004D8A000-memory.dmp | family_redline
behavioral1/memory/4544-66-0x0000000004D50000-0x0000000004D85000-memory.dmp | family_redline
behavioral1/memory/4544-88-0x0000000004D50000-0x0000000004D85000-memory.dmp | family_redline
behavioral1/memory/4544-94-0x0000000004D50000-0x0000000004D85000-memory.dmp | family_redline
behavioral1/memory/4544-90-0x0000000004D50000-0x0000000004D85000-memory.dmp | family_redline
behavioral1/memory/4544-86-0x0000000004D50000-0x0000000004D85000-memory.dmp | family_redline
behavioral1/memory/4544-84-0x0000000004D50000-0x0000000004D85000-memory.dmp | family_redline
behavioral1/memory/4544-82-0x0000000004D50000-0x0000000004D85000-memory.dmp | family_redline
behavioral1/memory/4544-80-0x0000000004D50000-0x0000000004D85000-memory.dmp | family_redline
behavioral1/memory/4544-78-0x0000000004D50000-0x0000000004D85000-memory.dmp | family_redline
behavioral1/memory/4544-76-0x0000000004D50000-0x0000000004D85000-memory.dmp | family_redline
behavioral1/memory/4544-74-0x0000000004D50000-0x0000000004D85000-memory.dmp | family_redline
behavioral1/memory/4544-72-0x0000000004D50000-0x0000000004D85000-memory.dmp | family_redline
behavioral1/memory/4544-70-0x0000000004D50000-0x0000000004D85000-memory.dmp | family_redline
behavioral1/memory/4544-68-0x0000000004D50000-0x0000000004D85000-memory.dmp | family_redline
behavioral1/memory/4544-92-0x0000000004D50000-0x0000000004D85000-memory.dmp | family_redline
behavioral1/memory/4544-64-0x0000000004D50000-0x0000000004D85000-memory.dmp | family_redline
behavioral1/memory/4544-62-0x0000000004D50000-0x0000000004D85000-memory.dmp | family_redline
behavioral1/memory/4544-61-0x0000000004D50000-0x0000000004D85000-memory.dmp | family_redline
-
Redline family
-
Executes dropped EXE 3 IoCs
pid | Process
1140 | un572067.exe
1124 | 33728620.exe
4544 | rk761900.exe
-
Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 33728620.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 33728620.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ee9ebccfe27092cd9602310dd613b493ae72cd25d7b91d48187583578334a2f5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un572067.exe
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
3272 | 1124 | WerFault.exe | 86
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ee9ebccfe27092cd9602310dd613b493ae72cd25d7b91d48187583578334a2f5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un572067.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 33728620.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rk761900.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1124 | 33728620.exe
1124 | 33728620.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1124 | 33728620.exe
Token: SeDebugPrivilege | 4544 | rk761900.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 872 wrote to memory of 1140 | 872 | ee9ebccfe27092cd9602310dd613b493ae72cd25d7b91d48187583578334a2f5.exe | 85
PID 872 wrote to memory of 1140 | 872 | ee9ebccfe27092cd9602310dd613b493ae72cd25d7b91d48187583578334a2f5.exe | 85
PID 872 wrote to memory of 1140 | 872 | ee9ebccfe27092cd9602310dd613b493ae72cd25d7b91d48187583578334a2f5.exe | 85
PID 1140 wrote to memory of 1124 | 1140 | un572067.exe | 86
PID 1140 wrote to memory of 1124 | 1140 | un572067.exe | 86
PID 1140 wrote to memory of 1124 | 1140 | un572067.exe | 86
PID 1140 wrote to memory of 4544 | 1140 | un572067.exe | 100
PID 1140 wrote to memory of 4544 | 1140 | un572067.exe | 100
PID 1140 wrote to memory of 4544 | 1140 | un572067.exe | 100
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\ee9ebccfe27092cd9602310dd613b493ae72cd25d7b91d48187583578334a2f5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ee9ebccfe27092cd9602310dd613b493ae72cd25d7b91d48187583578334a2f5.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 872
    Image: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un572067.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un572067.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1140
        Image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\33728620.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\33728620.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1124
            Image: C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 1080
            - Program crash
            PID: 3272
        Image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk761900.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk761900.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 4544
Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1124 -ip 1124
PID: 1112
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
-
Filesize
547KB
MD5
27ef7c18277644fec4cce154013ef5b7
SHA1
d3b166a6eeb3e89a3cbb69d046c1f47c7187a22b
SHA256
942a365dbcbec2809a8500a00b528cbe2eed07de845b42d7744cd384cbec49f9
SHA512
831d4cbaee3dfcec53bd8009db0a6b2032b6b1b1252c19496b4dd8e0329b9f48ac68e8ea514841e5bc337dd867e2a7333c61a489be3403c4a6b6b7049f6d9dff
-
Filesize
269KB
MD5
1f0b39e9e2d9f900a4991d2e437260e4
SHA1
dc0a24bcb9084d8da420fa33820c75de990137fa
SHA256
aebcbbf7ec44423910b676ac4501d4ee6934a4c78bc919a52367646a29f555de
SHA512
144147bf706b8e776cd3a877d053164207f7e17954f96956bb8418885d9d06eee6573ca169946537bb71f3df64a13acadf8c46cf4f3fe7b006b224d6c761e821
-
Filesize
353KB
MD5
432f08b28a2d2ef57d8d73c801d2d94b
SHA1
214b025ffd747086320b213f4c53cc149ae99d27
SHA256
da1baf3709c2a84cf56d26965825db6c456074ec388c47b4cda3780e3eba0216
SHA512
3dd8c85d286fc8162be1e327965d592fe80f090b561a931cd0bdf3fa7c53b414bca12a7fe29d56440c1c5889c0d70cb01d533f81dec8de6d4cd0e72463bb9200