Analysis

max time kernel: 143s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-11-2024 13:28

Static task: static1
Behavioral task: behavioral1
Sample: 0ed9262d06bc389c81233543bd377c038c7aa5b3626cae439e6f3d9225f9483d.exe
Resource: win10v2004-20241007-en

General

Target: 0ed9262d06bc389c81233543bd377c038c7aa5b3626cae439e6f3d9225f9483d.exe
Size: 1.5MB
MD5: 0057d24fb397126fb1f15370ec1da35f
SHA1: 97a82b5bac9d2a8c4e7960297fb11e04c724e43d
SHA256: 0ed9262d06bc389c81233543bd377c038c7aa5b3626cae439e6f3d9225f9483d
SHA512: a69649ac5d199d71c5f9fd8d3c6378df6aa5af1249afcebaeea72a45d6d41ff217df9d786beed48788ffb9609e6d9f41e04918410a174b4f854018ebe122624a
SSDEEP: 24576:tySllzVNEwZofP+D9UfTgIFYqiQUgCxJ6QiDAfq95gPRlnphg4Z:I4hXEdP+yiVgBDrTgTnphg4
Malware Config

Extracted
Family: redline
Botnet: mazda
C2: 217.196.96.56:4138
auth_value: 3d2870537d84a4c6d7aeecd002871c51
Signatures

Detects Healer, an antivirus-disabler dropper (17 IoCs)
resource | yara_rule
behavioral1/memory/3944-36-0x0000000002600000-0x000000000261A000-memory.dmp | healer
behavioral1/memory/3944-38-0x0000000004CA0000-0x0000000004CB8000-memory.dmp | healer
behavioral1/memory/3944-62-0x0000000004CA0000-0x0000000004CB2000-memory.dmp | healer
behavioral1/memory/3944-66-0x0000000004CA0000-0x0000000004CB2000-memory.dmp | healer
behavioral1/memory/3944-64-0x0000000004CA0000-0x0000000004CB2000-memory.dmp | healer
behavioral1/memory/3944-60-0x0000000004CA0000-0x0000000004CB2000-memory.dmp | healer
behavioral1/memory/3944-58-0x0000000004CA0000-0x0000000004CB2000-memory.dmp | healer
behavioral1/memory/3944-56-0x0000000004CA0000-0x0000000004CB2000-memory.dmp | healer
behavioral1/memory/3944-52-0x0000000004CA0000-0x0000000004CB2000-memory.dmp | healer
behavioral1/memory/3944-50-0x0000000004CA0000-0x0000000004CB2000-memory.dmp | healer
behavioral1/memory/3944-46-0x0000000004CA0000-0x0000000004CB2000-memory.dmp | healer
behavioral1/memory/3944-44-0x0000000004CA0000-0x0000000004CB2000-memory.dmp | healer
behavioral1/memory/3944-42-0x0000000004CA0000-0x0000000004CB2000-memory.dmp | healer
behavioral1/memory/3944-40-0x0000000004CA0000-0x0000000004CB2000-memory.dmp | healer
behavioral1/memory/3944-39-0x0000000004CA0000-0x0000000004CB2000-memory.dmp | healer
behavioral1/memory/3944-55-0x0000000004CA0000-0x0000000004CB2000-memory.dmp | healer
behavioral1/memory/3944-48-0x0000000004CA0000-0x0000000004CB2000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | a4053357.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a4053357.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a4053357.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a4053357.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a4053357.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a4053357.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x0007000000023c7f-71.dat | family_redline
behavioral1/memory/4548-73-0x0000000000200000-0x0000000000230000-memory.dmp | family_redline
Redline family
Executes dropped EXE (6 IoCs)
pid | Process
404 | v1542791.exe
1328 | v9374982.exe
2252 | v9874677.exe
4112 | v0446685.exe
3944 | a4053357.exe
4548 | b7141076.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | a4053357.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | a4053357.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v1542791.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v9374982.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v9874677.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | v0446685.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 0ed9262d06bc389c81233543bd377c038c7aa5b3626cae439e6f3d9225f9483d.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
4372 | 3944 | WerFault.exe | 90
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v0446685.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a4053357.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b7141076.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0ed9262d06bc389c81233543bd377c038c7aa5b3626cae439e6f3d9225f9483d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v1542791.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v9374982.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v9874677.exe
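The registry rows in the signatures above are the parts of this report a detection engineer would key on: the Healer stage (a4053357.exe) writing five Disable* values under the Windows Defender Real-Time Protection policy key and TamperProtection = 0 under Windows Defender\Features, the five wextract_cleanup RunOnce entries that mark each unpacked self-extracting layer (IXP000.TMP through IXP004.TMP), and the NLS\Language key reads. The Python below is an added example, not code from the report or the sandbox, that parses rows in the "description ioc Process" layout exactly as printed on this page (the layout itself is an assumption taken from those rows; the last whitespace-separated token is treated as the process image name), strips the WOW6432Node redirect so 32-bit and 64-bit writers match the same rule, and classifies each row. The sample rows are copied from the signatures above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class RegEvent:
    action: str            # "Key created", "Key opened" or "Set value"
    vtype: Optional[str]   # "int" / "str" for Set value rows, else None
    key: str               # key path with the WOW6432Node redirect removed
    name: Optional[str]    # value name for Set value rows
    data: Optional[str]    # value data as printed in the report, outer quotes stripped
    process: str           # image name of the process that touched the key


_ACTION = re.compile(r"^(Key created|Key opened|Set value \((\w+)\))\s+(.*)$")
_WOW = re.compile(r"\\WOW6432Node", re.IGNORECASE)


def parse_reg_event(line: str) -> RegEvent:
    """Parse one 'description ioc Process' row. Assumption: the process image
    name is the final whitespace-separated token, as in the rows on this page."""
    m = _ACTION.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised registry IoC row: {line!r}")
    action_full, vtype, rest = m.groups()
    rest, process = rest.rsplit(" ", 1)
    name = data = None
    if vtype:                                # Set value: '<key>\<name> = "<data>"'
        path, _, data = rest.partition(' = "')
        data = data[:-1] if data.endswith('"') else data
        key, _, name = path.rpartition("\\")
        action = "Set value"
    else:
        key, action = rest, action_full
    return RegEvent(action, vtype, _WOW.sub("", key), name, data, process)


# Registry paths are case-insensitive, so compare casefolded strings.
DEFENDER_RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection".casefold()
DEFENDER_FEATURES = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features".casefold()
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce".casefold()
NLS_LANGUAGE = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language".casefold()


def classify(ev: RegEvent) -> Optional[str]:
    """Return a detection tag for the event, or None if no rule matches."""
    key = ev.key.casefold()
    if ev.action == "Set value":
        if key == DEFENDER_RTP and ev.name.startswith("Disable") and ev.data == "1":
            return "defender_rtp_disabled"
        if key == DEFENDER_FEATURES and ev.name == "TamperProtection" and ev.data == "0":
            return "defender_tamper_protection_off"
        if key == RUNONCE and ev.name.lower().startswith("wextract_cleanup"):
            return "wextract_runonce_cleanup"
    elif ev.action == "Key opened" and key == NLS_LANGUAGE:
        return "system_language_discovery"
    return None


def triage(lines):
    """Map process -> tag -> [value names or keys] for every row that matched a rule."""
    findings = defaultdict(lambda: defaultdict(list))
    for line in lines:
        ev = parse_reg_event(line)
        tag = classify(ev)
        if tag:
            findings[ev.process][tag].append(ev.name or ev.key)
    return {proc: dict(tags) for proc, tags in findings.items()}


_IXP = re.compile(r"IXP(\d{3})\.TMP", re.IGNORECASE)


def sfx_layers(lines):
    """Ordinals of the IXP<nnn>.TMP directories named in wextract cleanup entries;
    each one is a self-extracting layer the sample unpacked."""
    layers = set()
    for line in lines:
        ev = parse_reg_event(line)
        if classify(ev) == "wextract_runonce_cleanup":
            layers.update(int(n) for n in _IXP.findall(ev.data))
    return sorted(layers)


# Constructed input: rows copied from the signatures in this report, one per string.
SAMPLE = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection a4053357.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a4053357.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a4053357.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a4053357.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a4053357.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a4053357.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features a4053357.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" a4053357.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" v1542791.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" v9374982.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" v9874677.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" v0446685.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 0ed9262d06bc389c81233543bd377c038c7aa5b3626cae439e6f3d9225f9483d.exe',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b7141076.exe',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language v1542791.exe',
]

if __name__ == "__main__":
    for proc, tags in triage(SAMPLE).items():
        print(proc, tags)
    print("self-extracting layers:", sfx_layers(SAMPLE))
```

Two caveats a practitioner should keep in mind when turning this into a host check. The policy values are written under HKLM\SOFTWARE\Policies, so a clean host that is not under Group Policy management normally has no Real-Time Protection policy key at all; its mere creation is the first signal. And when Tamper Protection is enabled, Defender ignores these policy writes and protects the TamperProtection value itself, so a successful registry write recorded by the sandbox does not by itself prove that real-time protection was actually disabled on a hardened host.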
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3944 | a4053357.exe
3944 | a4053357.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 3944 | a4053357.exe
Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | Process | procid_target
PID 4524 wrote to memory of 404 | 4524 | 0ed9262d06bc389c81233543bd377c038c7aa5b3626cae439e6f3d9225f9483d.exe | 86
PID 4524 wrote to memory of 404 | 4524 | 0ed9262d06bc389c81233543bd377c038c7aa5b3626cae439e6f3d9225f9483d.exe | 86
PID 4524 wrote to memory of 404 | 4524 | 0ed9262d06bc389c81233543bd377c038c7aa5b3626cae439e6f3d9225f9483d.exe | 86
PID 404 wrote to memory of 1328 | 404 | v1542791.exe | 87
PID 404 wrote to memory of 1328 | 404 | v1542791.exe | 87
PID 404 wrote to memory of 1328 | 404 | v1542791.exe | 87
PID 1328 wrote to memory of 2252 | 1328 | v9374982.exe | 88
PID 1328 wrote to memory of 2252 | 1328 | v9374982.exe | 88
PID 1328 wrote to memory of 2252 | 1328 | v9374982.exe | 88
PID 2252 wrote to memory of 4112 | 2252 | v9874677.exe | 89
PID 2252 wrote to memory of 4112 | 2252 | v9874677.exe | 89
PID 2252 wrote to memory of 4112 | 2252 | v9874677.exe | 89
PID 4112 wrote to memory of 3944 | 4112 | v0446685.exe | 90
PID 4112 wrote to memory of 3944 | 4112 | v0446685.exe | 90
PID 4112 wrote to memory of 3944 | 4112 | v0446685.exe | 90
PID 4112 wrote to memory of 4548 | 4112 | v0446685.exe | 99
PID 4112 wrote to memory of 4548 | 4112 | v0446685.exe | 99
PID 4112 wrote to memory of 4548 | 4112 | v0446685.exe | 99
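The WriteProcessMemory rows above encode the whole execution chain: every layer writes into the child it has just created, and each parent-child pair is recorded three times. Reconstructing the tree from them is a useful check against the Processes section, and the same code works on any report in this row layout. The Python below is an added example, not code from the report or the sandbox; it assumes the row layout as printed on this page and uses the pid-to-name pairs from the "Executes dropped EXE" signature to name the two leaf processes (3944 and 4548), which never appear as writers. Both inputs are copied from this report.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed input: the 18 WriteProcessMemory rows from this report, one per line,
# in the "description pid Process procid_target" layout as printed above.
WPM_LINES = """\
PID 4524 wrote to memory of 404 4524 0ed9262d06bc389c81233543bd377c038c7aa5b3626cae439e6f3d9225f9483d.exe 86
PID 4524 wrote to memory of 404 4524 0ed9262d06bc389c81233543bd377c038c7aa5b3626cae439e6f3d9225f9483d.exe 86
PID 4524 wrote to memory of 404 4524 0ed9262d06bc389c81233543bd377c038c7aa5b3626cae439e6f3d9225f9483d.exe 86
PID 404 wrote to memory of 1328 404 v1542791.exe 87
PID 404 wrote to memory of 1328 404 v1542791.exe 87
PID 404 wrote to memory of 1328 404 v1542791.exe 87
PID 1328 wrote to memory of 2252 1328 v9374982.exe 88
PID 1328 wrote to memory of 2252 1328 v9374982.exe 88
PID 1328 wrote to memory of 2252 1328 v9374982.exe 88
PID 2252 wrote to memory of 4112 2252 v9874677.exe 89
PID 2252 wrote to memory of 4112 2252 v9874677.exe 89
PID 2252 wrote to memory of 4112 2252 v9874677.exe 89
PID 4112 wrote to memory of 3944 4112 v0446685.exe 90
PID 4112 wrote to memory of 3944 4112 v0446685.exe 90
PID 4112 wrote to memory of 3944 4112 v0446685.exe 90
PID 4112 wrote to memory of 4548 4112 v0446685.exe 99
PID 4112 wrote to memory of 4548 4112 v0446685.exe 99
PID 4112 wrote to memory of 4548 4112 v0446685.exe 99
""".splitlines()

# Constructed from the "Executes dropped EXE" signature: names for every dropped PID,
# needed for the two leaves that only ever appear as write targets.
DROPPED = {404: "v1542791.exe", 1328: "v9374982.exe", 2252: "v9874677.exe",
           4112: "v0446685.exe", 3944: "a4053357.exe", 4548: "b7141076.exe"}

_WPM = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$")


def parse_edges(lines) -> Tuple[Set[Tuple[int, int]], Dict[int, str]]:
    """De-duplicated (writer_pid, target_pid) edges and the writers' image names.
    Each edge is reported three times, so a set is the right container."""
    edges: Set[Tuple[int, int]] = set()
    names: Dict[int, str] = {}
    for line in lines:
        m = _WPM.match(line.strip())
        if not m:
            continue
        src, dst, src_name = int(m[1]), int(m[2]), m[3]
        edges.add((src, dst))
        names[src] = src_name
    return edges, names


def build_tree(edges):
    """Adjacency map parent -> [children] (sorted) and the root PIDs."""
    children: Dict[int, List[int]] = defaultdict(list)
    targets = set()
    for src, dst in sorted(edges):
        children[src].append(dst)
        targets.add(dst)
    roots = sorted({src for src, _ in edges} - targets)
    return dict(children), roots


def chains(children, pid) -> List[List[int]]:
    """Every root-to-leaf PID path below pid."""
    if pid not in children:
        return [[pid]]
    return [[pid] + tail for child in children[pid] for tail in chains(children, child)]


def render(chain, names) -> str:
    return " > ".join(f"{names.get(p, '?')}({p})" for p in chain)


def process_chains(lines, extra_names) -> List[str]:
    """Rendered execution chains, one per leaf process."""
    edges, names = parse_edges(lines)
    names = {**extra_names, **names}      # writer names from the rows win on conflict
    children, roots = build_tree(edges)
    return [render(c, names) for root in roots for c in chains(children, root)]


if __name__ == "__main__":
    for chain in process_chains(WPM_LINES, DROPPED):
        print(chain)
```

Run as-is it prints two chains of six processes rooted at PID 4524, one ending in the Healer stage a4053357.exe(3944) and the other in the RedLine stage b7141076.exe(4548), matching the Processes tree below; the four intermediate binaries are the nested self-extracting layers that also register the wextract_cleanup RunOnce entries.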
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\0ed9262d06bc389c81233543bd377c038c7aa5b3626cae439e6f3d9225f9483d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0ed9262d06bc389c81233543bd377c038c7aa5b3626cae439e6f3d9225f9483d.exe"
  PID: 4524
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1542791.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1542791.exe
    PID: 404
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9374982.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9374982.exe
      PID: 1328
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9874677.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9874677.exe
        PID: 2252
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [depth 5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0446685.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0446685.exe
          PID: 4112
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          [depth 6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4053357.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4053357.exe
            PID: 3944
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            [depth 7] C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1080
              PID: 4372
              - Program crash

          [depth 6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7141076.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7141076.exe
            PID: 4548
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

[depth 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3944 -ip 3944
  PID: 2696
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 1.4MB
MD5: 542c77f8f8ecfd4980aa52a415ddd678
SHA1: 3e82c002a8e664775b50a2609a7b6e487ea2ba13
SHA256: abb814b8f29704a6f38686b52ee33ee7d96d4f889c3dc651988bc67830b614f3
SHA512: 874cec90e7658dc573683f7d6d66feda78a0b5a18fe201081da90994a83fa0ff0772137522ea5bbd5183500630562d2f1d2e78de34398208718135f3986cc7d7

Filesize: 915KB
MD5: d14f54e9bc8fcc9bac5935c89ad17438
SHA1: a2d42260b17a3783ebb624405200cff261622c59
SHA256: 56aea291f42d33785ee44287550c90b0bc8a212539f83ab6a1c1fc1081479a5d
SHA512: a7316d6af98e71001b702f28cf5a482e9c1eb9c8c8dc24c96fb05263cf34775d6750cca2350a4843154af6a11bb0e69f99d222c11d0771535a0c7d0a9da25fad

Filesize: 711KB
MD5: 5e912311eec5659d4ecb25b1e5f42bcc
SHA1: 3d292de69e9f1c326240a83db5816dd3b8259640
SHA256: 3d23af778685f4f51756291243ad3a505f20b6ddfb22f24c600a0963457d870e
SHA512: 367a35272f387679ff8a2233d8d96a3f99bcdc7df547fca4b609c0d82669ce56176f41a90da3199b94cd1341d0a6add43034e0ad259fdf5727d4deea92bab0d3

Filesize: 416KB
MD5: 9418965cc58c075c2ee7a9b4b6ac26f8
SHA1: 53cb0348101de4dbfa3748f1e96742da3b193ad3
SHA256: 09f91b48625b1b6a34a8901fd0070aa0dce6e612a491dfb05fd6f9cc3852dee0
SHA512: f770cfee1e6d2bf3d83f2b1fd5d34076b80d11f90435a3e20ed1a48dc1b315a8833999c44d84dafc467591f46c9565d68f9189272b87d0f732c05b8a973db8de

Filesize: 360KB
MD5: 2db3571f8f5ab6c40e2e408a132ff4ed
SHA1: 98a5ab1ea901d6a563c492707adead8697723ab1
SHA256: 28171f5a8e1cfe1d0be5a2ffba3f2cef95b2a47745fd451fddc8e0cfb7afcec7
SHA512: cfc2a1651beec13f8cc902334960edc647bcdbbce94ef16c89210aa056cbafb6ce1a8782afb2bae3ab5792e8ff653cd8fe500bb0bd3f53ac34df40a87250d906

Filesize: 168KB
MD5: 9b37e586288ad465590a3dd45e5fdba8
SHA1: 7c79e216454214785233d4bfa9ca3f9f83daab41
SHA256: 4eaf27fff15684f5502a8f3b2dd98a43dd807bff4c6e28e414401359b5c31bbf
SHA512: cdf95b62f51e9ec2ff35eda0664a6c2c158a7956ad88069eee79750ae570041cc67e1356a92890ed499fd80b3433fef3cf41e0521fa3d843b17f967a50f348f6