Analysis
max time kernel: 142s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/11/2024, 03:23
Static task: static1
Behavioral task: behavioral1
Sample: ede8488613c6627f6282e604ff461dc26a033631d00e42f3a51b588e16351da2.exe
Resource: win10v2004-20241007-en
General
Target: ede8488613c6627f6282e604ff461dc26a033631d00e42f3a51b588e16351da2.exe
Size: 690KB
MD5: 95d6bd9db91e5a888f096857155e04e3
SHA1: 5d0628e45f71f1c0f30c5274eb67b97eed94045a
SHA256: ede8488613c6627f6282e604ff461dc26a033631d00e42f3a51b588e16351da2
SHA512: ee594767991063e81e4e4f42d80ed7868a67ae1a13d8e433bfb10fc9df87bd8a42115c318caae6f2fc9269165d3f9fc2875d153e15312c0f07f0733bdc63b19b
SSDEEP: 12288:fy90rBazQF1SOM2hbDgVuXsIc/JxDnHcW9IN6Lmo:fykUEF1rMsslxDnHR9INJo
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
resource | yara_rule
behavioral1/memory/1772-19-0x0000000002510000-0x000000000252A000-memory.dmp | healer
behavioral1/memory/1772-21-0x0000000002650000-0x0000000002668000-memory.dmp | healer
behavioral1/memory/1772-39-0x0000000002650000-0x0000000002663000-memory.dmp | healer
behavioral1/memory/1772-49-0x0000000002650000-0x0000000002663000-memory.dmp | healer
behavioral1/memory/1772-47-0x0000000002650000-0x0000000002663000-memory.dmp | healer
behavioral1/memory/1772-46-0x0000000002650000-0x0000000002663000-memory.dmp | healer
behavioral1/memory/1772-43-0x0000000002650000-0x0000000002663000-memory.dmp | healer
behavioral1/memory/1772-41-0x0000000002650000-0x0000000002663000-memory.dmp | healer
behavioral1/memory/1772-37-0x0000000002650000-0x0000000002663000-memory.dmp | healer
behavioral1/memory/1772-36-0x0000000002650000-0x0000000002663000-memory.dmp | healer
behavioral1/memory/1772-33-0x0000000002650000-0x0000000002663000-memory.dmp | healer
behavioral1/memory/1772-31-0x0000000002650000-0x0000000002663000-memory.dmp | healer
behavioral1/memory/1772-29-0x0000000002650000-0x0000000002663000-memory.dmp | healer
behavioral1/memory/1772-27-0x0000000002650000-0x0000000002663000-memory.dmp | healer
behavioral1/memory/1772-25-0x0000000002650000-0x0000000002663000-memory.dmp | healer
behavioral1/memory/1772-23-0x0000000002650000-0x0000000002663000-memory.dmp | healer
behavioral1/memory/1772-22-0x0000000002650000-0x0000000002663000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 01530059.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 01530059.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 01530059.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 01530059.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 01530059.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 01530059.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
resource | yara_rule
behavioral1/memory/1532-60-0x0000000002430000-0x000000000246C000-memory.dmp | family_redline
behavioral1/memory/1532-61-0x0000000002610000-0x000000000264A000-memory.dmp | family_redline
behavioral1/memory/1532-67-0x0000000002610000-0x0000000002645000-memory.dmp | family_redline
behavioral1/memory/1532-79-0x0000000002610000-0x0000000002645000-memory.dmp | family_redline
behavioral1/memory/1532-95-0x0000000002610000-0x0000000002645000-memory.dmp | family_redline
behavioral1/memory/1532-93-0x0000000002610000-0x0000000002645000-memory.dmp | family_redline
behavioral1/memory/1532-91-0x0000000002610000-0x0000000002645000-memory.dmp | family_redline
behavioral1/memory/1532-89-0x0000000002610000-0x0000000002645000-memory.dmp | family_redline
behavioral1/memory/1532-87-0x0000000002610000-0x0000000002645000-memory.dmp | family_redline
behavioral1/memory/1532-83-0x0000000002610000-0x0000000002645000-memory.dmp | family_redline
behavioral1/memory/1532-81-0x0000000002610000-0x0000000002645000-memory.dmp | family_redline
behavioral1/memory/1532-78-0x0000000002610000-0x0000000002645000-memory.dmp | family_redline
behavioral1/memory/1532-75-0x0000000002610000-0x0000000002645000-memory.dmp | family_redline
behavioral1/memory/1532-73-0x0000000002610000-0x0000000002645000-memory.dmp | family_redline
behavioral1/memory/1532-71-0x0000000002610000-0x0000000002645000-memory.dmp | family_redline
behavioral1/memory/1532-69-0x0000000002610000-0x0000000002645000-memory.dmp | family_redline
behavioral1/memory/1532-85-0x0000000002610000-0x0000000002645000-memory.dmp | family_redline
behavioral1/memory/1532-65-0x0000000002610000-0x0000000002645000-memory.dmp | family_redline
behavioral1/memory/1532-63-0x0000000002610000-0x0000000002645000-memory.dmp | family_redline
behavioral1/memory/1532-62-0x0000000002610000-0x0000000002645000-memory.dmp | family_redline
Redline family
Executes dropped EXE (3 IoCs)
pid | Process
2260 | un791441.exe
1772 | 01530059.exe
1532 | rk493197.exe
Windows security modification (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 01530059.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 01530059.exe
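The two tables above are the core of the Healer verdict: five Real-Time Protection policy values forced to 1 and TamperProtection written to 0 by 01530059.exe. As an added example (not part of this Triage report), the Python below parses registry events in the exact "Set value (...) / Key created / Key opened" form the report prints and flags the ones that amount to Defender disablement. The sample lines are copied from this report (the two "Key opened ... NLS\Language" lines are included as negatives); the rule names, the WOW6432Node normalisation and the decision to flag any third-party write to TamperProtection are my own choices, not anything the report states.

```python
"""Flag Defender-disabling registry writes in Triage-style IoC lines.

Added example, not part of the report.  Parses lines of the form
    Set value (<type>) <key>\<value> = "<data>" <process>
    Key created <key> <process>
    Key opened <key> <process>
and classifies the resulting events against two hand-written rules.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the registry IoCs printed in the report above, plus two
# "Key opened" lines from the language-discovery section that must not fire.
SAMPLE_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 01530059.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 01530059.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 01530059.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 01530059.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 01530059.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 01530059.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 01530059.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 01530059.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rk493197.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 01530059.exe
"""


@dataclass(frozen=True)
class RegEvent:
    op: str                # "set", "created" or "opened"
    vtype: Optional[str]   # "int" / "str" for set-value events, else None
    path: str              # full native path; for "set" it ends in the value name
    data: Optional[str]    # value data as printed, else None
    process: str           # writing process image name


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    path: str              # path with hive prefix and WOW6432Node stripped
    data: Optional[str]


_SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')
_KEY_RE = re.compile(r'^Key (created|opened) (.+) (\S+)$')
# Hive prefix plus the optional WOW6432Node redirection, so one rule covers
# both a 32-bit writer (as here) and a native 64-bit writer.
_HIVE_PREFIX = re.compile(r'^\\REGISTRY\\MACHINE\\SOFTWARE\\(WOW6432Node\\)?', re.IGNORECASE)

# Rule targets (assumed names, chosen for this example).
RTP_POLICY = r"Policies\Microsoft\Windows Defender\Real-Time Protection"
TAMPER_VALUE = r"Microsoft\Windows Defender\Features\TamperProtection"


def parse_event(line: str) -> Optional[RegEvent]:
    """Return a RegEvent for one IoC line, or None if the line is not one."""
    line = line.strip()
    m = _SET_RE.match(line)
    if m:
        vtype, path, data, proc = m.groups()
        return RegEvent("set", vtype, path, data, proc)
    m = _KEY_RE.match(line)
    if m:
        op, path, proc = m.groups()   # greedy (.+) keeps spaces inside the key path
        return RegEvent(op, None, path, None, proc)
    return None


def normalize(path: str) -> str:
    """Strip \\REGISTRY\\MACHINE\\SOFTWARE\\ and an optional WOW6432Node\\."""
    return _HIVE_PREFIX.sub("", path)


def classify(ev: RegEvent) -> Optional[Finding]:
    """Apply the two Defender-tampering rules to a single event."""
    if ev.op != "set":
        return None   # creating/opening a key is preparatory, not a verdict
    rel = normalize(ev.path)
    parent, _, name = rel.rpartition("\\")
    # Rule 1: any Disable* value under the Real-Time Protection policy set to 1.
    if parent.lower() == RTP_POLICY.lower() and name.lower().startswith("disable") and ev.data == "1":
        return Finding("defender_rtp_disabled_by_policy", ev.process, rel, ev.data)
    # Rule 2: any write at all to Features\TamperProtection by an arbitrary process.
    if rel.lower() == TAMPER_VALUE.lower():
        return Finding("defender_tamper_protection_written", ev.process, rel, ev.data)
    return None


def scan(text: str) -> list[Finding]:
    """Parse every line of `text` and return the findings in input order."""
    findings = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        f = classify(ev)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:38} {f.process:14} {f.path} = {f.data}")
```

Running it lists six findings, all attributed to 01530059.exe: five `defender_rtp_disabled_by_policy` hits and one `defender_tamper_protection_written` hit, while the NLS\Language opens and the bare key creations stay silent. On a live host the same two locations are what a responder should read back first (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection and HKLM\SOFTWARE\Microsoft\Windows Defender\Features), since a dropper that has already run will have left these values behind even after its own process has crashed, as 01530059.exe does later in this report.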
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"" | ede8488613c6627f6282e604ff461dc26a033631d00e42f3a51b588e16351da2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"" | un791441.exe
Note that both RunOnce values are the wextract_cleanup entries written by the IExpress/wextract self-extracting wrapper: they call advpack.dll's DelNodeRunDLL32 to delete the IXP00n.TMP extraction directory at next logon rather than re-launching a payload, so this signature reflects the packaging, not a persistence mechanism of the payloads themselves.
Program crash (1 IoC)
pid | pid_target | Process | procid_target
524 | 1772 | WerFault.exe | 85
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rk493197.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ede8488613c6627f6282e604ff461dc26a033631d00e42f3a51b588e16351da2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un791441.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 01530059.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1772 | 01530059.exe
1772 | 01530059.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1772 | 01530059.exe
Token: SeDebugPrivilege | 1532 | rk493197.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 5060 wrote to memory of 2260 | 5060 | ede8488613c6627f6282e604ff461dc26a033631d00e42f3a51b588e16351da2.exe | 84
PID 5060 wrote to memory of 2260 | 5060 | ede8488613c6627f6282e604ff461dc26a033631d00e42f3a51b588e16351da2.exe | 84
PID 5060 wrote to memory of 2260 | 5060 | ede8488613c6627f6282e604ff461dc26a033631d00e42f3a51b588e16351da2.exe | 84
PID 2260 wrote to memory of 1772 | 2260 | un791441.exe | 85
PID 2260 wrote to memory of 1772 | 2260 | un791441.exe | 85
PID 2260 wrote to memory of 1772 | 2260 | un791441.exe | 85
PID 2260 wrote to memory of 1532 | 2260 | un791441.exe | 98
PID 2260 wrote to memory of 1532 | 2260 | un791441.exe | 98
PID 2260 wrote to memory of 1532 | 2260 | un791441.exe | 98
Processes
C:\Users\Admin\AppData\Local\Temp\ede8488613c6627f6282e604ff461dc26a033631d00e42f3a51b588e16351da2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ede8488613c6627f6282e604ff461dc26a033631d00e42f3a51b588e16351da2.exe"
  PID: 5060
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un791441.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un791441.exe
      PID: 2260
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\01530059.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\01530059.exe
          PID: 1772
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 1080
              PID: 524
              - Program crash
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk493197.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk493197.exe
          PID: 1532
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1772 -ip 1772
  PID: 2920
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads
Filesize: 536KB
MD5: 1e8942042f4e3c88c6dc50c5438c4831
SHA1: f181724f534026834172dad3244b3e2dc2323ab3
SHA256: c774a7674888fbabc046951d4e9dd431443d04fbafa2c115f2bf60870e24fbbd
SHA512: 7c8a220f8c60855d4e546d897173319aff3227313699f8c8420bed5b837f6859ca33d98af95e9a424fb86f4a238e57a39b75460a7a12746d4d03a5eb46f3b596

Filesize: 259KB
MD5: 92b8e90be09de7712112a2d14f2bc111
SHA1: e3a3382fe29e90e089e8674c09c6d59d29d53c34
SHA256: c6f46f4b312e8dd28bd8b1c1d19a2ea5609870937af155355cd3d0c0f0b8e0f4
SHA512: b10e6183313fdf75436fa2d73c178ca450b677f20eaa8aeb48a7c936583de969af15735c85c895b3b51db9400180288c6b2f13e66e1ae863f76b316c3585ba14

Filesize: 342KB
MD5: 6f32d7d68c46c3b404c54be39f577a1f
SHA1: 847f55260e22bee2b52e71fb8cc83583aeaff36f
SHA256: d6a2d7b5cccb14651b0f4f26d46c881e016890a0505c860774e4757f79a1d30d
SHA512: 567caffdb24f19a3e7c2bbc0dd8f12b0644ca335a0323c40daa01defd74d0bf0c3e403d13d763c03f2e06ffa90b6f0fa11325c5c4722c767749d0d2daed49283