Analysis
max time kernel: 142s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 10-11-2024 00:38
Static task: static1
Behavioral task: behavioral1
Sample: eb39ba213c4cb0675de064d9d9f227acea0b72c577b3080da10d10b1a392eb79.exe
Resource: win10v2004-20241007-en
General
Target: eb39ba213c4cb0675de064d9d9f227acea0b72c577b3080da10d10b1a392eb79.exe
Size: 1.1MB
MD5: 59a886310f4f04a8a16823a44ae312b8
SHA1: a1cd16e2a73bfb012f362b54646290baa0b45433
SHA256: eb39ba213c4cb0675de064d9d9f227acea0b72c577b3080da10d10b1a392eb79
SHA512: abb8417ab077669cccbdab6b80501364badda045e2131f391789c3a5b95ee324ea087a2c58f5edebc4d6911e85259a8cc99f29cf43462d4556ba10aaa4148738
SSDEEP: 24576:vyxs2JzUOdpymHriVBG3cZeWC/03bCEoodlIRivbnNDlBQ:6xs2lDdpLHriDZdC+bCEFl8ivbnNDlB
Malware Config
Signatures
Detects Healer, an antivirus-disabler dropper (17 IoCs)
Healer family
Modifies Windows Defender Real-time Protection settings
Processes: pr281587.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr281587.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr281587.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr281587.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr281587.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr281587.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr281587.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Redline family
Executes dropped EXE (4 IoCs)
Processes: un323573.exe, un949523.exe, pr281587.exe, qu232291.exe
pid | Process
4568 | un323573.exe
2984 | un949523.exe
4412 | pr281587.exe
4772 | qu232291.exe
Windows security modification
Processes: pr281587.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr281587.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr281587.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: eb39ba213c4cb0675de064d9d9f227acea0b72c577b3080da10d10b1a392eb79.exe, un323573.exe, un949523.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | eb39ba213c4cb0675de064d9d9f227acea0b72c577b3080da10d10b1a392eb79.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un323573.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | un949523.exe
Program crash (1 IoC)
Processes: WerFault.exe
pid | pid_target | Process | procid_target
2860 | 4412 | WerFault.exe | 85
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: eb39ba213c4cb0675de064d9d9f227acea0b72c577b3080da10d10b1a392eb79.exe, un323573.exe, un949523.exe, pr281587.exe, qu232291.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eb39ba213c4cb0675de064d9d9f227acea0b72c577b3080da10d10b1a392eb79.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un323573.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un949523.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pr281587.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu232291.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: pr281587.exe
pid | Process
4412 | pr281587.exe
4412 | pr281587.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: pr281587.exe, qu232291.exe
description | pid | Process
Token: SeDebugPrivilege | 4412 | pr281587.exe
Token: SeDebugPrivilege | 4772 | qu232291.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: eb39ba213c4cb0675de064d9d9f227acea0b72c577b3080da10d10b1a392eb79.exe, un323573.exe, un949523.exe
description | pid | Process | procid_target
PID 4324 wrote to memory of 4568 | 4324 | eb39ba213c4cb0675de064d9d9f227acea0b72c577b3080da10d10b1a392eb79.exe | 83
PID 4324 wrote to memory of 4568 | 4324 | eb39ba213c4cb0675de064d9d9f227acea0b72c577b3080da10d10b1a392eb79.exe | 83
PID 4324 wrote to memory of 4568 | 4324 | eb39ba213c4cb0675de064d9d9f227acea0b72c577b3080da10d10b1a392eb79.exe | 83
PID 4568 wrote to memory of 2984 | 4568 | un323573.exe | 84
PID 4568 wrote to memory of 2984 | 4568 | un323573.exe | 84
PID 4568 wrote to memory of 2984 | 4568 | un323573.exe | 84
PID 2984 wrote to memory of 4412 | 2984 | un949523.exe | 85
PID 2984 wrote to memory of 4412 | 2984 | un949523.exe | 85
PID 2984 wrote to memory of 4412 | 2984 | un949523.exe | 85
PID 2984 wrote to memory of 4772 | 2984 | un949523.exe | 96
PID 2984 wrote to memory of 4772 | 2984 | un949523.exe | 96
PID 2984 wrote to memory of 4772 | 2984 | un949523.exe | 96
Processes
C:\Users\Admin\AppData\Local\Temp\eb39ba213c4cb0675de064d9d9f227acea0b72c577b3080da10d10b1a392eb79.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eb39ba213c4cb0675de064d9d9f227acea0b72c577b3080da10d10b1a392eb79.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4324
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un323573.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un323573.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4568
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un949523.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un949523.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 2984
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr281587.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr281587.exe
              - Modifies Windows Defender Real-time Protection settings
              - Executes dropped EXE
              - Windows security modification
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              PID: 4412
                C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1100
                  - Program crash
                  PID: 2860
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu232291.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu232291.exe
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
              PID: 4772
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4412 -ip 4412
  PID: 4824
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads