Analysis
- max time kernel: 118s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-11-2024 20:44

Static task: static1
Behavioral task: behavioral1
- Sample: e630df7ff2f675e18b03743f0cf230fce95e02cdacb6bed5fec5190ab9c82d88.exe
- Resource: win10v2004-20241007-en
General
- Target: e630df7ff2f675e18b03743f0cf230fce95e02cdacb6bed5fec5190ab9c82d88.exe
- Size: 1.3MB
- MD5: 3f41e8c64be24d51ea59a71b68c3f34e
- SHA1: 8c34fc2728a8b6aa84e882cfecf94dc56f5a53c7
- SHA256: e630df7ff2f675e18b03743f0cf230fce95e02cdacb6bed5fec5190ab9c82d88
- SHA512: 46a1589bf17c98def37ea1608710c355f5fa4703b17deab33b693bde6e2849486f72721602cbb49dcad51146a9357c08b8b7e36d2a21515eb8a1bd9a47c605a9
- SSDEEP: 24576:xyxrjwPMV7Q/VGaq+hmcip5ZJB8oAZD8R8K2YA4o/NDP9zUCUcn+RI6gF1ipxT7l:kxrjwtUESDJBCM8UA4G94nc+zBx/VL
Malware Config
Extracted
- Family: redline
- Botnet: maxbi
- C2: 185.161.248.73:4164
- auth_value: 6aa7dba884fe45693dfa04c91440daef
Signatures

- Detects Healer, an antivirus disabler dropper (17 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/3644-29-0x0000000002860000-0x000000000287A000-memory.dmp | healer
behavioral1/memory/3644-31-0x0000000002900000-0x0000000002918000-memory.dmp | healer
behavioral1/memory/3644-32-0x0000000002900000-0x0000000002912000-memory.dmp | healer
behavioral1/memory/3644-59-0x0000000002900000-0x0000000002912000-memory.dmp | healer
behavioral1/memory/3644-57-0x0000000002900000-0x0000000002912000-memory.dmp | healer
behavioral1/memory/3644-55-0x0000000002900000-0x0000000002912000-memory.dmp | healer
behavioral1/memory/3644-53-0x0000000002900000-0x0000000002912000-memory.dmp | healer
behavioral1/memory/3644-51-0x0000000002900000-0x0000000002912000-memory.dmp | healer
behavioral1/memory/3644-49-0x0000000002900000-0x0000000002912000-memory.dmp | healer
behavioral1/memory/3644-48-0x0000000002900000-0x0000000002912000-memory.dmp | healer
behavioral1/memory/3644-45-0x0000000002900000-0x0000000002912000-memory.dmp | healer
behavioral1/memory/3644-43-0x0000000002900000-0x0000000002912000-memory.dmp | healer
behavioral1/memory/3644-41-0x0000000002900000-0x0000000002912000-memory.dmp | healer
behavioral1/memory/3644-39-0x0000000002900000-0x0000000002912000-memory.dmp | healer
behavioral1/memory/3644-37-0x0000000002900000-0x0000000002912000-memory.dmp | healer
behavioral1/memory/3644-35-0x0000000002900000-0x0000000002912000-memory.dmp | healer
behavioral1/memory/3644-33-0x0000000002900000-0x0000000002912000-memory.dmp | healer
- Healer family

- Modifies Windows Defender Real-time Protection settings (6 IoCs)
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a54781584.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a54781584.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a54781584.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | a54781584.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a54781584.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a54781584.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
Processes:
resource | yara_rule
behavioral1/files/0x0007000000023c8e-64.dat | family_redline
behavioral1/memory/4792-66-0x0000000000480000-0x00000000004B0000-memory.dmp | family_redline

- Redline family
- Executes dropped EXE (5 IoCs)
Processes:
pid | Process
3392 | i23280505.exe
2412 | i17409163.exe
1616 | i81590031.exe
3644 | a54781584.exe
4792 | b63534166.exe

- Windows security modification (2 IoCs)
Processes:
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | a54781584.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | a54781584.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | e630df7ff2f675e18b03743f0cf230fce95e02cdacb6bed5fec5190ab9c82d88.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | i23280505.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | i17409163.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | i81590031.exe
- Program crash (1 IoC)
Processes:
pid | pid_target | Process | procid_target
1788 | 3644 | WerFault.exe | 88
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e630df7ff2f675e18b03743f0cf230fce95e02cdacb6bed5fec5190ab9c82d88.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i23280505.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i17409163.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i81590031.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a54781584.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b63534166.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | Process
3644 | a54781584.exe
3644 | a54781584.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | Process
Token: SeDebugPrivilege | 3644 | a54781584.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
description | pid | Process | procid_target
PID 3184 wrote to memory of 3392 | 3184 | e630df7ff2f675e18b03743f0cf230fce95e02cdacb6bed5fec5190ab9c82d88.exe | 85
PID 3184 wrote to memory of 3392 | 3184 | e630df7ff2f675e18b03743f0cf230fce95e02cdacb6bed5fec5190ab9c82d88.exe | 85
PID 3184 wrote to memory of 3392 | 3184 | e630df7ff2f675e18b03743f0cf230fce95e02cdacb6bed5fec5190ab9c82d88.exe | 85
PID 3392 wrote to memory of 2412 | 3392 | i23280505.exe | 86
PID 3392 wrote to memory of 2412 | 3392 | i23280505.exe | 86
PID 3392 wrote to memory of 2412 | 3392 | i23280505.exe | 86
PID 2412 wrote to memory of 1616 | 2412 | i17409163.exe | 87
PID 2412 wrote to memory of 1616 | 2412 | i17409163.exe | 87
PID 2412 wrote to memory of 1616 | 2412 | i17409163.exe | 87
PID 1616 wrote to memory of 3644 | 1616 | i81590031.exe | 88
PID 1616 wrote to memory of 3644 | 1616 | i81590031.exe | 88
PID 1616 wrote to memory of 3644 | 1616 | i81590031.exe | 88
PID 1616 wrote to memory of 4792 | 1616 | i81590031.exe | 101
PID 1616 wrote to memory of 4792 | 1616 | i81590031.exe | 101
PID 1616 wrote to memory of 4792 | 1616 | i81590031.exe | 101
Processes
- C:\Users\Admin\AppData\Local\Temp\e630df7ff2f675e18b03743f0cf230fce95e02cdacb6bed5fec5190ab9c82d88.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e630df7ff2f675e18b03743f0cf230fce95e02cdacb6bed5fec5190ab9c82d88.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3184
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23280505.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23280505.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3392
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i17409163.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i17409163.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2412
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i81590031.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i81590031.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 1616
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a54781584.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a54781584.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3644
          - C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 1084
            - Program crash
            PID: 1788
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b63534166.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b63534166.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 4792
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3644 -ip 3644
  PID: 2160
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Filesize: 1.1MB
  MD5: 5a61ae7c399da3ab3a2ac7bf1c88bebf
  SHA1: ede0746a109bda89e1bfb1a0b0f43d1e1ce6e1d3
  SHA256: a49189afff1dc4d3ce29c5d96b48100c988cacef8548a565c568b7069273c4b7
  SHA512: a371a89fca370f244ce5341843bc0cdf85a1df6759dee5aa5e737c8fcb9014a4cbd84f47c638177f7b4590f67c9ce2878c33aa5ae7731762612d1eb94370e59c
- Filesize: 684KB
  MD5: 2f9b37880023e0bd3bad7ac873fd64c2
  SHA1: b6586acd28bd1d49e8576a9a95209595f5f557e7
  SHA256: ef8e5b201988b4ebab2d15a536bfcbac133e79004b5f1f5e64e50fbfc2c71dc8
  SHA512: 4c741c694f6afbabb9ca8c4a13b23ec746531daef464fa011556a8d68061b3b2628fc1bfab463f6d64d82193a32ce8dd2e205e67bae4b007d242602ca8e96868
- Filesize: 405KB
  MD5: 20382646f8516939e391a1e41c99a999
  SHA1: 5c084e80f1e34b204ffc3db3d7315053dc345f7e
  SHA256: e9890a85b01135139fcb6e102d5093c16ae6d9abaac1083f53f1be95b4ff7f31
  SHA512: b540530b85af37796ae52006c9a2ef3e8f138bee21643653b99592b98eabc754dff69708309c2986abbfc7e5c14e236d1476d081e08c3ab10f5a80b622534cf3
- Filesize: 345KB
  MD5: 3eccec0daf6d744bc41875121f0884a5
  SHA1: d506ba07af4b80fbfff6528a56916ded199b7ea0
  SHA256: b1cdb9f9fe49ba86b5c71376d8d6eabcf6d392afcf1b0b2407851f556e9f96c7
  SHA512: 61d67bbef35b973528a2977b49ee9c672764b666c264e70ce99cece9c97b2035a936fb31683994654ba0d070b784149e47006d7dd1491b429b63c687b7c49f57
- Filesize: 168KB
  MD5: 1e7baab6cf3465475877fdaa5997a31d
  SHA1: 68b08ebffc113de630b5e66fb0eb5d4626ba0c2a
  SHA256: 4a5ddff4325cb1a02041e20efa8fb3e480ebaecaad7be3b46adea3875fd37768
  SHA512: df244fd00b469b4daecc8e57b33f065ab3ad4fd24dfb22ba9555b03a65ad8608f7b414ca3d247e8c2257bf73fefb9b2732e2e587637e9e542389afae385619bf