Analysis

max time kernel: 143s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:40

Static task: static1
Behavioral task: behavioral1
Sample: c2394eef039ba2aeb35cab21a2dec2d0d8ba24638db5f3e589b321252e96b0c9.exe
Resource: win10v2004-20241007-en
General

Target: c2394eef039ba2aeb35cab21a2dec2d0d8ba24638db5f3e589b321252e96b0c9.exe
Size: 966KB
MD5: adc417abf285395573bf8cdeb68c3dd2
SHA1: 2a382c5fd41a4ba8ed78149cc2b75a78068ac6e1
SHA256: c2394eef039ba2aeb35cab21a2dec2d0d8ba24638db5f3e589b321252e96b0c9
SHA512: 41016fc862ffdeba40219fb561c60532e7f8a5213214fa7c9d2be518a71e6a2b8df3706dddbb2f2eac85c2e6c6006a56794de8e6ff20562f6dd181b7ab1ff626
SSDEEP: 12288:sy90l52EO17cdeIIwGSuSfZZh/QaraOe968E0v8Zu5fZYsi4xumAa1bqzQsqvYu:syYVeIIwGNSRP/9rxV3upUFraWXu
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Processes:
Healer family

Modifies Windows Defender Real-time Protection settings

Processes:

| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr700414.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr700414.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr700414.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr700414.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr700414.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr700414.exe |
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Processes:
Redline family
Executes dropped EXE (4 IoCs)

Processes:

| pid | process |
| --- | --- |
| 3468 | un298209.exe |
| 2412 | un359390.exe |
| 312 | pr700414.exe |
| 968 | qu073440.exe |
Windows security modification

Processes:

| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr700414.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr700414.exe |
Adds Run key to start application (2 TTPs, 3 IoCs)

Processes:

| description | ioc | process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | c2394eef039ba2aeb35cab21a2dec2d0d8ba24638db5f3e589b321252e96b0c9.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un298209.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | un359390.exe |
Program crash (1 IoCs)

Processes:

| pid | pid_target | process | target process |
| --- | --- | --- | --- |
| 3632 | 312 | WerFault.exe | pr700414.exe |
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes:

| description | ioc | process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c2394eef039ba2aeb35cab21a2dec2d0d8ba24638db5f3e589b321252e96b0c9.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un298209.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un359390.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pr700414.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu073440.exe |
Suspicious behavior: EnumeratesProcesses (2 IoCs)

Processes:

| pid | process |
| --- | --- |
| 312 | pr700414.exe |
| 312 | pr700414.exe |
Suspicious use of AdjustPrivilegeToken (2 IoCs)

Processes:

| description | pid | process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 312 | pr700414.exe |
| Token: SeDebugPrivilege | 968 | qu073440.exe |
Suspicious use of WriteProcessMemory (12 IoCs)

Processes:

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 2240 wrote to memory of 3468 | 2240 | c2394eef039ba2aeb35cab21a2dec2d0d8ba24638db5f3e589b321252e96b0c9.exe | un298209.exe |
| PID 2240 wrote to memory of 3468 | 2240 | c2394eef039ba2aeb35cab21a2dec2d0d8ba24638db5f3e589b321252e96b0c9.exe | un298209.exe |
| PID 2240 wrote to memory of 3468 | 2240 | c2394eef039ba2aeb35cab21a2dec2d0d8ba24638db5f3e589b321252e96b0c9.exe | un298209.exe |
| PID 3468 wrote to memory of 2412 | 3468 | un298209.exe | un359390.exe |
| PID 3468 wrote to memory of 2412 | 3468 | un298209.exe | un359390.exe |
| PID 3468 wrote to memory of 2412 | 3468 | un298209.exe | un359390.exe |
| PID 2412 wrote to memory of 312 | 2412 | un359390.exe | pr700414.exe |
| PID 2412 wrote to memory of 312 | 2412 | un359390.exe | pr700414.exe |
| PID 2412 wrote to memory of 312 | 2412 | un359390.exe | pr700414.exe |
| PID 2412 wrote to memory of 968 | 2412 | un359390.exe | qu073440.exe |
| PID 2412 wrote to memory of 968 | 2412 | un359390.exe | qu073440.exe |
| PID 2412 wrote to memory of 968 | 2412 | un359390.exe | qu073440.exe |
Processes

- C:\Users\Admin\AppData\Local\Temp\c2394eef039ba2aeb35cab21a2dec2d0d8ba24638db5f3e589b321252e96b0c9.exe (PID 2240)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c2394eef039ba2aeb35cab21a2dec2d0d8ba24638db5f3e589b321252e96b0c9.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un298209.exe (PID 3468)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un298209.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un359390.exe (PID 2412)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un359390.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr700414.exe (PID 312)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr700414.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\WerFault.exe (PID 3632)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 312 -s 1088
          - Program crash
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu073440.exe (PID 968)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu073440.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 1512)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 312 -ip 312
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads