Analysis
-
max time kernel
113s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
17/11/2024, 08:47
Static task
static1
Behavioral task
behavioral1
Sample
1e92413f7cbc744b79291acd619f4124d4a74b15eedad4e1dfb29910e27e046cN.exe
Resource
win10v2004-20241007-en
General
-
Target
1e92413f7cbc744b79291acd619f4124d4a74b15eedad4e1dfb29910e27e046cN.exe
-
Size
550KB
-
MD5
3ce4cd8174024e94d1d8758ba9c2e8e0
-
SHA1
a1256c4bce41f864ca9b64173d7d3940d7d2a2c9
-
SHA256
1e92413f7cbc744b79291acd619f4124d4a74b15eedad4e1dfb29910e27e046c
-
SHA512
257f0d3e46bc070fc8a8541bf07a6f08b33f502738c8d63b9b8c014f1912a61c6f31274b9fe737ba68a41d18b61a44c7396f9bb0f3d31f91686a0ef339fe4187
-
SSDEEP
12288:2y90TOSJ8bi0IRzkGnHY/U+0ebzm9gJfCSdn:2y6LEijLcU+7zm9gJfC0
Malware Config
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/2632-11-0x0000000004BF0000-0x0000000004C0A000-memory.dmp healer behavioral1/memory/2632-13-0x0000000004D80000-0x0000000004D98000-memory.dmp healer behavioral1/memory/2632-23-0x0000000004D80000-0x0000000004D92000-memory.dmp healer behavioral1/memory/2632-41-0x0000000004D80000-0x0000000004D92000-memory.dmp healer behavioral1/memory/2632-39-0x0000000004D80000-0x0000000004D92000-memory.dmp healer behavioral1/memory/2632-37-0x0000000004D80000-0x0000000004D92000-memory.dmp healer behavioral1/memory/2632-36-0x0000000004D80000-0x0000000004D92000-memory.dmp healer behavioral1/memory/2632-33-0x0000000004D80000-0x0000000004D92000-memory.dmp healer behavioral1/memory/2632-32-0x0000000004D80000-0x0000000004D92000-memory.dmp healer behavioral1/memory/2632-29-0x0000000004D80000-0x0000000004D92000-memory.dmp healer behavioral1/memory/2632-27-0x0000000004D80000-0x0000000004D92000-memory.dmp healer behavioral1/memory/2632-25-0x0000000004D80000-0x0000000004D92000-memory.dmp healer behavioral1/memory/2632-15-0x0000000004D80000-0x0000000004D92000-memory.dmp healer behavioral1/memory/2632-14-0x0000000004D80000-0x0000000004D92000-memory.dmp healer behavioral1/memory/2632-21-0x0000000004D80000-0x0000000004D92000-memory.dmp healer behavioral1/memory/2632-19-0x0000000004D80000-0x0000000004D92000-memory.dmp healer behavioral1/memory/2632-17-0x0000000004D80000-0x0000000004D92000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pr150953.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pr150953.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pr150953.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pr150953.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pr150953.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pr150953.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource yara_rule behavioral1/memory/1348-54-0x0000000004D10000-0x0000000004D4C000-memory.dmp family_redline behavioral1/memory/1348-55-0x00000000077E0000-0x000000000781A000-memory.dmp family_redline behavioral1/memory/1348-89-0x00000000077E0000-0x0000000007815000-memory.dmp family_redline behavioral1/memory/1348-87-0x00000000077E0000-0x0000000007815000-memory.dmp family_redline behavioral1/memory/1348-85-0x00000000077E0000-0x0000000007815000-memory.dmp family_redline behavioral1/memory/1348-83-0x00000000077E0000-0x0000000007815000-memory.dmp family_redline behavioral1/memory/1348-81-0x00000000077E0000-0x0000000007815000-memory.dmp family_redline behavioral1/memory/1348-79-0x00000000077E0000-0x0000000007815000-memory.dmp family_redline behavioral1/memory/1348-77-0x00000000077E0000-0x0000000007815000-memory.dmp family_redline behavioral1/memory/1348-75-0x00000000077E0000-0x0000000007815000-memory.dmp family_redline behavioral1/memory/1348-73-0x00000000077E0000-0x0000000007815000-memory.dmp family_redline behavioral1/memory/1348-71-0x00000000077E0000-0x0000000007815000-memory.dmp family_redline behavioral1/memory/1348-69-0x00000000077E0000-0x0000000007815000-memory.dmp family_redline behavioral1/memory/1348-67-0x00000000077E0000-0x0000000007815000-memory.dmp family_redline behavioral1/memory/1348-65-0x00000000077E0000-0x0000000007815000-memory.dmp family_redline behavioral1/memory/1348-63-0x00000000077E0000-0x0000000007815000-memory.dmp family_redline behavioral1/memory/1348-61-0x00000000077E0000-0x0000000007815000-memory.dmp family_redline behavioral1/memory/1348-59-0x00000000077E0000-0x0000000007815000-memory.dmp family_redline behavioral1/memory/1348-57-0x00000000077E0000-0x0000000007815000-memory.dmp family_redline behavioral1/memory/1348-56-0x00000000077E0000-0x0000000007815000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
pid Process 2632 pr150953.exe 1348 qu312211.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pr150953.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pr150953.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 1e92413f7cbc744b79291acd619f4124d4a74b15eedad4e1dfb29910e27e046cN.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4900 2632 WerFault.exe 83 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1e92413f7cbc744b79291acd619f4124d4a74b15eedad4e1dfb29910e27e046cN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pr150953.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qu312211.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2632 pr150953.exe 2632 pr150953.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2632 pr150953.exe Token: SeDebugPrivilege 1348 qu312211.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2168 wrote to memory of 2632 2168 1e92413f7cbc744b79291acd619f4124d4a74b15eedad4e1dfb29910e27e046cN.exe 83 PID 2168 wrote to memory of 2632 2168 1e92413f7cbc744b79291acd619f4124d4a74b15eedad4e1dfb29910e27e046cN.exe 83 PID 2168 wrote to memory of 2632 2168 1e92413f7cbc744b79291acd619f4124d4a74b15eedad4e1dfb29910e27e046cN.exe 83 PID 2168 wrote to memory of 1348 2168 1e92413f7cbc744b79291acd619f4124d4a74b15eedad4e1dfb29910e27e046cN.exe 90 PID 2168 wrote to memory of 1348 2168 1e92413f7cbc744b79291acd619f4124d4a74b15eedad4e1dfb29910e27e046cN.exe 90 PID 2168 wrote to memory of 1348 2168 1e92413f7cbc744b79291acd619f4124d4a74b15eedad4e1dfb29910e27e046cN.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e92413f7cbc744b79291acd619f4124d4a74b15eedad4e1dfb29910e27e046cN.exe"C:\Users\Admin\AppData\Local\Temp\1e92413f7cbc744b79291acd619f4124d4a74b15eedad4e1dfb29910e27e046cN.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pr150953.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pr150953.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2632 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 11003⤵
- Program crash
PID:4900
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu312211.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu312211.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1348
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 2632 -ip 26321⤵PID:4976
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
277KB
MD59efe15cd302bccb28fb1e7c8df71ade0
SHA1cbc8b829caadf6ed02542def696d1c78c15dd8a7
SHA2565e9da66df2c1a46f48577e76eaed661f997193474e92ecd8d42eebe73c02c350
SHA512c5f3595aa3acd5c8af0575d7c8caae6449871522d8905d99af9772948a95c31cea1c696ca831626f5ad3ff4ca334b2e8ff404fa9dc260c343fddba71bc782c66
-
Filesize
360KB
MD5f54e0e0c1242afc2966d0dcd7709b7d0
SHA1a6ad360b767901848bb6430d4540748f3103aa7a
SHA2563aae91d0d367136e2b885f382abf1302b8739928d43c700c71952d923344f577
SHA5122eb290d48e40adf1b996e9d294a7c0d4d8745916d96f4d4f4dae65ad435fd63f8894b09840a06835aa8bcfdb58f3fee691b20067a1c25ad8767470078015106a