Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 19:16
- Static task: static1
- Behavioral task: behavioral1
- Sample: e12cebf99ff536231ee015e3aebe854d3b37426ba944f3947c76bd37fcb770ef.exe
- Resource: win10v2004-20241007-en
General
- Target: e12cebf99ff536231ee015e3aebe854d3b37426ba944f3947c76bd37fcb770ef.exe
- Size: 611KB
- MD5: 9c77d13c19d45847bbc6674d1436c94c
- SHA1: 3d9c508031248b862b8893ef37721b5cbbbe1e6d
- SHA256: e12cebf99ff536231ee015e3aebe854d3b37426ba944f3947c76bd37fcb770ef
- SHA512: 3bd76a5e4349019d1943557f724cb844b69b52a41a740045bdef746e711bc7ffa7b0a3da767ed884827887440c7409021d6b83d1bcb432bb35f10e1d9316e988
- SSDEEP: 12288:Dy90BRfZ4hftNsa70rqEQiszG4gNZbPjA4MaFSMnueRYRdMShvkEU38k10XNe3IK:Dy2Rh4hlL70GEQFXmbPjzhC9HrkEa8Eh
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (2 IoCs)
- resource: behavioral1/files/0x000b000000023b65-12.dat, yara_rule: healer
- resource: behavioral1/memory/4508-15-0x0000000000BB0000-0x0000000000BBA000-memory.dmp, yara_rule: healer
Healer family
Modifies Windows Defender Real-time Protection settings
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (74630165.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (74630165.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (74630165.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (74630165.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (74630165.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (74630165.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs; YARA rule family_redline matched memory dumps of process 3652)
Redline family
Executes dropped EXE (3 IoCs)
- PID 4716: st217114.exe
- PID 4508: 74630165.exe
- PID 3652: kp109025.exe
Windows security modification
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (74630165.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (e12cebf99ff536231ee015e3aebe854d3b37426ba944f3947c76bd37fcb770ef.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (st217114.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e12cebf99ff536231ee015e3aebe854d3b37426ba944f3947c76bd37fcb770ef.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (st217114.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (kp109025.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 4508: 74630165.exe
- PID 4508: 74630165.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 4508, 74630165.exe
- Token: SeDebugPrivilege, PID 3652, kp109025.exe
Suspicious use of WriteProcessMemory (8 IoCs)
- PID 4192 (e12cebf99ff536231ee015e3aebe854d3b37426ba944f3947c76bd37fcb770ef.exe) wrote to memory of PID 4716; target procid 83
- PID 4192 (e12cebf99ff536231ee015e3aebe854d3b37426ba944f3947c76bd37fcb770ef.exe) wrote to memory of PID 4716; target procid 83
- PID 4192 (e12cebf99ff536231ee015e3aebe854d3b37426ba944f3947c76bd37fcb770ef.exe) wrote to memory of PID 4716; target procid 83
- PID 4716 (st217114.exe) wrote to memory of PID 4508; target procid 84
- PID 4716 (st217114.exe) wrote to memory of PID 4508; target procid 84
- PID 4716 (st217114.exe) wrote to memory of PID 3652; target procid 96
- PID 4716 (st217114.exe) wrote to memory of PID 3652; target procid 96
- PID 4716 (st217114.exe) wrote to memory of PID 3652; target procid 96
Processes
- C:\Users\Admin\AppData\Local\Temp\e12cebf99ff536231ee015e3aebe854d3b37426ba944f3947c76bd37fcb770ef.exe (depth 1, PID 4192)
  command line: "C:\Users\Admin\AppData\Local\Temp\e12cebf99ff536231ee015e3aebe854d3b37426ba944f3947c76bd37fcb770ef.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st217114.exe (depth 2, PID 4716)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st217114.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\74630165.exe (depth 3, PID 4508)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\74630165.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp109025.exe (depth 3, PID 3652)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp109025.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads
- Dropped file 1
  - Filesize: 457KB
  - MD5: 072ef5d417711198df6a3541ae1e7384
  - SHA1: bd9decabaee327358b449a9a5b5f4e32f809c0d0
  - SHA256: 37d903ce9c99f71bc5d43d1b9c9748acf6acdf94e59bce2aaf90fd2f9ae8ce1f
  - SHA512: 9bec7ada0f92c0fa349297d3369e1136df157acbcdfc9166d315ebc817a9341435f3fc15182f8021454546ccb322c138aedecad65bd23a88d90b3f4c4b2d7980
- Dropped file 2
  - Filesize: 11KB
  - MD5: 7e93bacbbc33e6652e147e7fe07572a0
  - SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
  - SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
  - SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
- Dropped file 3
  - Filesize: 460KB
  - MD5: 647df8831099a8f0bfc8b3a1a4060ab1
  - SHA1: b93726bec7ccb6bf3bcd155dc03fa31ada531b99
  - SHA256: efe096274b02d67e98c9b2f289e006f3649780a33a2204ed2eb87208bf6b56d9
  - SHA512: 0801363bcb94b9fcbf481d0fffe3c965b4236ca4216d746f7eb9d6a748d137db0519082b4badbc46d2d4ea1017125a9bf1a8b89edde717a4d06e87ba932f53db