Analysis

Max time kernel: 148s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
Submitted: 11/11/2024, 05:56
Static task: static1
Behavioral task: behavioral1
Sample: e85ceb1ea04bb5f794abadcbb290d7336ca87b56e3c9beeb9d802fe1a96f7316.exe
Resource: win10v2004-20241007-en
General

Target: e85ceb1ea04bb5f794abadcbb290d7336ca87b56e3c9beeb9d802fe1a96f7316.exe
Size: 690KB
MD5: 82a2197f0d0d06f2ab360e93ba9bfe48
SHA1: 0167e5375beed3137d43c471cc2f25d955ebd8f3
SHA256: e85ceb1ea04bb5f794abadcbb290d7336ca87b56e3c9beeb9d802fe1a96f7316
SHA512: ce9feded8c19d1ad219f4076289c68266bcae59acd55c08de6176b090311a256fa4a8cd1d68f445251e81cfb0663793587f84cf1c82dfcb4ab1108b7eacd7f90
SSDEEP: 12288:Xy90Rd8Lp85MmT0MVXDhPEpOY+d7eNOuJOKw3ls2VBaFl6Cie0+oJHhHnR7:XyM285loMfPKSdVLKWy2YJil+othx7
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)

resource  yara_rule
behavioral1/memory/4960-19-0x0000000002240000-0x000000000225A000-memory.dmp  healer
behavioral1/memory/4960-21-0x00000000023F0000-0x0000000002408000-memory.dmp  healer
behavioral1/memory/4960-29-0x00000000023F0000-0x0000000002403000-memory.dmp  healer
behavioral1/memory/4960-22-0x00000000023F0000-0x0000000002403000-memory.dmp  healer
behavioral1/memory/4960-45-0x00000000023F0000-0x0000000002403000-memory.dmp  healer
behavioral1/memory/4960-47-0x00000000023F0000-0x0000000002403000-memory.dmp  healer
behavioral1/memory/4960-43-0x00000000023F0000-0x0000000002403000-memory.dmp  healer
behavioral1/memory/4960-41-0x00000000023F0000-0x0000000002403000-memory.dmp  healer
behavioral1/memory/4960-49-0x00000000023F0000-0x0000000002403000-memory.dmp  healer
behavioral1/memory/4960-39-0x00000000023F0000-0x0000000002403000-memory.dmp  healer
behavioral1/memory/4960-37-0x00000000023F0000-0x0000000002403000-memory.dmp  healer
behavioral1/memory/4960-35-0x00000000023F0000-0x0000000002403000-memory.dmp  healer
behavioral1/memory/4960-33-0x00000000023F0000-0x0000000002403000-memory.dmp  healer
behavioral1/memory/4960-31-0x00000000023F0000-0x0000000002403000-memory.dmp  healer
behavioral1/memory/4960-27-0x00000000023F0000-0x0000000002403000-memory.dmp  healer
behavioral1/memory/4960-25-0x00000000023F0000-0x0000000002403000-memory.dmp  healer
behavioral1/memory/4960-23-0x00000000023F0000-0x0000000002403000-memory.dmp  healer
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)

description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  72842346.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  72842346.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  72842346.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  72842346.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  72842346.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  72842346.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)

resource  yara_rule
behavioral1/memory/3724-60-0x00000000023D0000-0x000000000240C000-memory.dmp  family_redline
behavioral1/memory/3724-61-0x0000000004A70000-0x0000000004AAA000-memory.dmp  family_redline
behavioral1/memory/3724-75-0x0000000004A70000-0x0000000004AA5000-memory.dmp  family_redline
behavioral1/memory/3724-65-0x0000000004A70000-0x0000000004AA5000-memory.dmp  family_redline
behavioral1/memory/3724-63-0x0000000004A70000-0x0000000004AA5000-memory.dmp  family_redline
behavioral1/memory/3724-62-0x0000000004A70000-0x0000000004AA5000-memory.dmp  family_redline
behavioral1/memory/3724-81-0x0000000004A70000-0x0000000004AA5000-memory.dmp  family_redline
behavioral1/memory/3724-95-0x0000000004A70000-0x0000000004AA5000-memory.dmp  family_redline
behavioral1/memory/3724-93-0x0000000004A70000-0x0000000004AA5000-memory.dmp  family_redline
behavioral1/memory/3724-91-0x0000000004A70000-0x0000000004AA5000-memory.dmp  family_redline
behavioral1/memory/3724-89-0x0000000004A70000-0x0000000004AA5000-memory.dmp  family_redline
behavioral1/memory/3724-87-0x0000000004A70000-0x0000000004AA5000-memory.dmp  family_redline
behavioral1/memory/3724-85-0x0000000004A70000-0x0000000004AA5000-memory.dmp  family_redline
behavioral1/memory/3724-79-0x0000000004A70000-0x0000000004AA5000-memory.dmp  family_redline
behavioral1/memory/3724-77-0x0000000004A70000-0x0000000004AA5000-memory.dmp  family_redline
behavioral1/memory/3724-73-0x0000000004A70000-0x0000000004AA5000-memory.dmp  family_redline
behavioral1/memory/3724-71-0x0000000004A70000-0x0000000004AA5000-memory.dmp  family_redline
behavioral1/memory/3724-70-0x0000000004A70000-0x0000000004AA5000-memory.dmp  family_redline
behavioral1/memory/3724-67-0x0000000004A70000-0x0000000004AA5000-memory.dmp  family_redline
behavioral1/memory/3724-84-0x0000000004A70000-0x0000000004AA5000-memory.dmp  family_redline
Redline family

Executes dropped EXE (3 IoCs)

pid  Process
2252  un724550.exe
4960  72842346.exe
3724  rk552166.exe

Windows security modification (2 IoCs)

description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  72842346.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  72842346.exe
Adds Run key to start application (2 TTPs, 2 IoCs)

description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  e85ceb1ea04bb5f794abadcbb290d7336ca87b56e3c9beeb9d802fe1a96f7316.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  un724550.exe

Program crash (1 IoC)

pid  pid_target  Process  procid_target
2904  4960  WerFault.exe  85
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e85ceb1ea04bb5f794abadcbb290d7336ca87b56e3c9beeb9d802fe1a96f7316.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  un724550.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  72842346.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rk552166.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)

pid  Process
4960  72842346.exe
4960  72842346.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)

description  pid  Process
Token: SeDebugPrivilege  4960  72842346.exe
Token: SeDebugPrivilege  3724  rk552166.exe

Suspicious use of WriteProcessMemory (9 IoCs)

description  pid  Process  procid_target
PID 1244 wrote to memory of 2252  1244  e85ceb1ea04bb5f794abadcbb290d7336ca87b56e3c9beeb9d802fe1a96f7316.exe  83
PID 1244 wrote to memory of 2252  1244  e85ceb1ea04bb5f794abadcbb290d7336ca87b56e3c9beeb9d802fe1a96f7316.exe  83
PID 1244 wrote to memory of 2252  1244  e85ceb1ea04bb5f794abadcbb290d7336ca87b56e3c9beeb9d802fe1a96f7316.exe  83
PID 2252 wrote to memory of 4960  2252  un724550.exe  85
PID 2252 wrote to memory of 4960  2252  un724550.exe  85
PID 2252 wrote to memory of 4960  2252  un724550.exe  85
PID 2252 wrote to memory of 3724  2252  un724550.exe  101
PID 2252 wrote to memory of 3724  2252  un724550.exe  101
PID 2252 wrote to memory of 3724  2252  un724550.exe  101
Processes

C:\Users\Admin\AppData\Local\Temp\e85ceb1ea04bb5f794abadcbb290d7336ca87b56e3c9beeb9d802fe1a96f7316.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e85ceb1ea04bb5f794abadcbb290d7336ca87b56e3c9beeb9d802fe1a96f7316.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1244

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un724550.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un724550.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2252

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\72842346.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\72842346.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4960

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 1080
        - Program crash
        PID: 2904

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk552166.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk552166.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 3724

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4960 -ip 4960
  PID: 4416
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 536KB
MD5: 018cefdbba06d41255b22223948162a6
SHA1: 01db8921bdc61d9bbe407c07d820256ce92d0eab
SHA256: 1065a89558485850beb9a249fbbf481702d695ff52b08171a20c9c79bf6e5686
SHA512: 6278c7498d534fa90001ecb170599c016b741d0a6d46deef125879786c14f3141e22e5d27a56b47d1ad83853d849c282d21b77d2c7991aa8175f6e6f70693d28

Filesize: 259KB
MD5: a76f450660c6b5cdc05b90b866e64a1d
SHA1: f141241f931e9111be349c8ecb196abf38fbdccf
SHA256: 5ba7b615ccca7d432ef9e5e2490628f2727ff93ae6d460b0f55af5d920dc05cb
SHA512: 193b03f06d7e468122523a7a692d7dc03c07ae4c306e0007b54956f5663deadbd209638da9f73737f3db35152edf04e25024d04a99d57e348e06a35a4f70122d

Filesize: 341KB
MD5: 589b9e21d5cc76140af238a42f3211d5
SHA1: 29388cf938d42ffd54f5b16d1c51b0475cdd03ba
SHA256: 648ad049626481b66f235a4fc5c5c9cac5b8b657b1d03a0ce074e945631861de
SHA512: 04e963d80786c456b9e0eccd0d8a64d79b3515bde6bda7c7bb60efdfbe3179d131f83835d8eff8960033cada882a8eac5df1423357e976f8ec4e40d4bccb8702