Analysis
-
max time kernel
114s -
max time network
118s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
12/11/2024, 20:37
Static task
static1
Behavioral task
behavioral1
Sample
e2d5ffe18f3551e3b69d056918bc8b4ad29eac1788cdb70c93acf1f923938dee.exe
Resource
win10v2004-20241007-en
General
-
Target
e2d5ffe18f3551e3b69d056918bc8b4ad29eac1788cdb70c93acf1f923938dee.exe
-
Size
540KB
-
MD5
48c6620de79cd851cc393bde8899d6ce
-
SHA1
ef6484bf3de20010b48715a4a0e463120cee671d
-
SHA256
e2d5ffe18f3551e3b69d056918bc8b4ad29eac1788cdb70c93acf1f923938dee
-
SHA512
c2539e4e91dc4cc90cf9d1da8e57ec25e318f74b7e9b35fcbd69d55368b7461a57543c1bf7d29fe8681a7a9a38f9931212880ebf452e0f29e771a3f71cd1aaca
-
SSDEEP
12288:dy9073jPpoeWbgJWx83Wl/gS0vqqTPT7DjWazx8Bne97:dyK7poeWbDKWl/QjvRqRe97
Malware Config
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/2848-11-0x0000000004BD0000-0x0000000004BEA000-memory.dmp healer behavioral1/memory/2848-13-0x0000000007150000-0x0000000007168000-memory.dmp healer behavioral1/memory/2848-42-0x0000000007150000-0x0000000007162000-memory.dmp healer behavioral1/memory/2848-40-0x0000000007150000-0x0000000007162000-memory.dmp healer behavioral1/memory/2848-38-0x0000000007150000-0x0000000007162000-memory.dmp healer behavioral1/memory/2848-36-0x0000000007150000-0x0000000007162000-memory.dmp healer behavioral1/memory/2848-34-0x0000000007150000-0x0000000007162000-memory.dmp healer behavioral1/memory/2848-32-0x0000000007150000-0x0000000007162000-memory.dmp healer behavioral1/memory/2848-30-0x0000000007150000-0x0000000007162000-memory.dmp healer behavioral1/memory/2848-28-0x0000000007150000-0x0000000007162000-memory.dmp healer behavioral1/memory/2848-26-0x0000000007150000-0x0000000007162000-memory.dmp healer behavioral1/memory/2848-24-0x0000000007150000-0x0000000007162000-memory.dmp healer behavioral1/memory/2848-22-0x0000000007150000-0x0000000007162000-memory.dmp healer behavioral1/memory/2848-20-0x0000000007150000-0x0000000007162000-memory.dmp healer behavioral1/memory/2848-18-0x0000000007150000-0x0000000007162000-memory.dmp healer behavioral1/memory/2848-16-0x0000000007150000-0x0000000007162000-memory.dmp healer behavioral1/memory/2848-15-0x0000000007150000-0x0000000007162000-memory.dmp healer -
Healer family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pr058155.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pr058155.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pr058155.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pr058155.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pr058155.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pr058155.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource yara_rule behavioral1/memory/4652-55-0x00000000049E0000-0x0000000004A1C000-memory.dmp family_redline behavioral1/memory/4652-56-0x0000000004C30000-0x0000000004C6A000-memory.dmp family_redline behavioral1/memory/4652-60-0x0000000004C30000-0x0000000004C65000-memory.dmp family_redline behavioral1/memory/4652-58-0x0000000004C30000-0x0000000004C65000-memory.dmp family_redline behavioral1/memory/4652-57-0x0000000004C30000-0x0000000004C65000-memory.dmp family_redline behavioral1/memory/4652-76-0x0000000004C30000-0x0000000004C65000-memory.dmp family_redline behavioral1/memory/4652-90-0x0000000004C30000-0x0000000004C65000-memory.dmp family_redline behavioral1/memory/4652-88-0x0000000004C30000-0x0000000004C65000-memory.dmp family_redline behavioral1/memory/4652-86-0x0000000004C30000-0x0000000004C65000-memory.dmp family_redline behavioral1/memory/4652-82-0x0000000004C30000-0x0000000004C65000-memory.dmp family_redline behavioral1/memory/4652-80-0x0000000004C30000-0x0000000004C65000-memory.dmp family_redline behavioral1/memory/4652-79-0x0000000004C30000-0x0000000004C65000-memory.dmp family_redline behavioral1/memory/4652-74-0x0000000004C30000-0x0000000004C65000-memory.dmp family_redline behavioral1/memory/4652-72-0x0000000004C30000-0x0000000004C65000-memory.dmp family_redline behavioral1/memory/4652-70-0x0000000004C30000-0x0000000004C65000-memory.dmp family_redline behavioral1/memory/4652-68-0x0000000004C30000-0x0000000004C65000-memory.dmp family_redline behavioral1/memory/4652-66-0x0000000004C30000-0x0000000004C65000-memory.dmp family_redline behavioral1/memory/4652-64-0x0000000004C30000-0x0000000004C65000-memory.dmp family_redline behavioral1/memory/4652-62-0x0000000004C30000-0x0000000004C65000-memory.dmp family_redline behavioral1/memory/4652-84-0x0000000004C30000-0x0000000004C65000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
pid Process 2848 pr058155.exe 4652 qu846709.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pr058155.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pr058155.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" e2d5ffe18f3551e3b69d056918bc8b4ad29eac1788cdb70c93acf1f923938dee.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1092 2848 WerFault.exe 83 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e2d5ffe18f3551e3b69d056918bc8b4ad29eac1788cdb70c93acf1f923938dee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pr058155.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qu846709.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2848 pr058155.exe 2848 pr058155.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2848 pr058155.exe Token: SeDebugPrivilege 4652 qu846709.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3832 wrote to memory of 2848 3832 e2d5ffe18f3551e3b69d056918bc8b4ad29eac1788cdb70c93acf1f923938dee.exe 83 PID 3832 wrote to memory of 2848 3832 e2d5ffe18f3551e3b69d056918bc8b4ad29eac1788cdb70c93acf1f923938dee.exe 83 PID 3832 wrote to memory of 2848 3832 e2d5ffe18f3551e3b69d056918bc8b4ad29eac1788cdb70c93acf1f923938dee.exe 83 PID 3832 wrote to memory of 4652 3832 e2d5ffe18f3551e3b69d056918bc8b4ad29eac1788cdb70c93acf1f923938dee.exe 97 PID 3832 wrote to memory of 4652 3832 e2d5ffe18f3551e3b69d056918bc8b4ad29eac1788cdb70c93acf1f923938dee.exe 97 PID 3832 wrote to memory of 4652 3832 e2d5ffe18f3551e3b69d056918bc8b4ad29eac1788cdb70c93acf1f923938dee.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\e2d5ffe18f3551e3b69d056918bc8b4ad29eac1788cdb70c93acf1f923938dee.exe"C:\Users\Admin\AppData\Local\Temp\e2d5ffe18f3551e3b69d056918bc8b4ad29eac1788cdb70c93acf1f923938dee.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3832 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pr058155.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pr058155.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2848 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 10843⤵
- Program crash
PID:1092
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu846709.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu846709.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4652
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2848 -ip 28481⤵PID:2684
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
278KB
MD542acb4365780d3c9ea5f4c4a8977d3c2
SHA17cc4f87a898700078fc11a39b28486a05f85cc76
SHA256530b99d6f66bacf24d468e56d5c208252478fde3d46a2acd8d2c1fca8a5d9d63
SHA512b93e75b74321cbf0312886d8120e910b7f7d0d333f34c47d1d6de082a79c50dbafad9a3008dfcca976cc41f21d7ab3d310de7baefffcb4784efe6ba6ceecf4cb
-
Filesize
361KB
MD5297bcb8660bb24171025d73ae9e9b30b
SHA132f2c0e718a465a21097535172dbcc4d5af6383f
SHA25662305f3ff5ec34b2077ec23d14253a89de49a8e3a21acf1b5a2e79c9f25c08d6
SHA51217862e21fb7a72c914f12778745a527fb8301edff63cef878f78e3b8b8c79e386d424ed79937a059d2ed70d9578fe6c28b36b6f2b7f218aaec7146317479cb8b