Analysis
  max time kernel: 146s
  max time network: 147s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 04/11/2024, 20:52
  Static task: static1
  Behavioral task: behavioral1
  Sample: cbc04478a960d27775de34f514711320184b4c3debdd89323b807dcb6a1ad8e2.exe
  Resource: win10v2004-20241007-en
General
  Target: cbc04478a960d27775de34f514711320184b4c3debdd89323b807dcb6a1ad8e2.exe
  Size: 1.5MB
  MD5: efb32cb1af34699197882642773e2208
  SHA1: da070dc6aeea58fd4962e9ec5fb29b175d2a9f73
  SHA256: cbc04478a960d27775de34f514711320184b4c3debdd89323b807dcb6a1ad8e2
  SHA512: c51986dac3500caf71ecfb2ed3dfdb9c1a6fadd36ce005c0ceb4771f7b560b215febb85baabacadb0bc6e3ecc3c37f4b646dacca847d7f87e1945d4da6445dd0
  SSDEEP: 49152:WBw5ngaFTQe0XE/sziMo2XOcEKRrH8IH:GKnFV/0QszpXO+xH8IH
Malware Config
  Extracted
  Family: redline
  Botnet: mazda
  C2: 217.196.96.56:4138
  auth_value: 3d2870537d84a4c6d7aeecd002871c51
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family
Modifies Windows Defender Real-time Protection settings
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (process: a2053324.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (process: a2053324.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (process: a2053324.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (process: a2053324.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (process: a2053324.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (process: a2053324.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (2 IoCs)
  behavioral1/files/0x0007000000023c7f-71.dat  family_redline
  behavioral1/memory/4088-73-0x0000000000AD0000-0x0000000000B00000-memory.dmp  family_redline
Redline family
Executes dropped EXE (6 IoCs)
  PID 3812  v7996420.exe
  PID 116   v1920891.exe
  PID 1248  v1852748.exe
  PID 4884  v8449676.exe
  PID 4688  a2053324.exe
  PID 4088  b5632318.exe
Windows security modification
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (process: a2053324.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (process: a2053324.exe)
Adds Run key to start application (2 TTPs, 5 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" (process: v1852748.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" (process: v8449676.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: cbc04478a960d27775de34f514711320184b4c3debdd89323b807dcb6a1ad8e2.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: v7996420.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (process: v1920891.exe)
Launches sc.exe (1 IoC)
sc.exe is a Windows utility to control services on the system.
  PID 264  sc.exe
Program crash (1 IoC)
  PID 1744  WerFault.exe  (target PID 4688, procid_target 91)
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: v1852748.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: v8449676.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: a2053324.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: b5632318.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cbc04478a960d27775de34f514711320184b4c3debdd89323b807dcb6a1ad8e2.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: v7996420.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: v1920891.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 4688  a2053324.exe
  PID 4688  a2053324.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 4688  a2053324.exe
Suspicious use of WriteProcessMemory (18 IoCs)
  PID 5020 wrote to memory of 3812 (process: cbc04478a960d27775de34f514711320184b4c3debdd89323b807dcb6a1ad8e2.exe, procid_target 86)
  PID 5020 wrote to memory of 3812 (process: cbc04478a960d27775de34f514711320184b4c3debdd89323b807dcb6a1ad8e2.exe, procid_target 86)
  PID 5020 wrote to memory of 3812 (process: cbc04478a960d27775de34f514711320184b4c3debdd89323b807dcb6a1ad8e2.exe, procid_target 86)
  PID 3812 wrote to memory of 116 (process: v7996420.exe, procid_target 87)
  PID 3812 wrote to memory of 116 (process: v7996420.exe, procid_target 87)
  PID 3812 wrote to memory of 116 (process: v7996420.exe, procid_target 87)
  PID 116 wrote to memory of 1248 (process: v1920891.exe, procid_target 88)
  PID 116 wrote to memory of 1248 (process: v1920891.exe, procid_target 88)
  PID 116 wrote to memory of 1248 (process: v1920891.exe, procid_target 88)
  PID 1248 wrote to memory of 4884 (process: v1852748.exe, procid_target 89)
  PID 1248 wrote to memory of 4884 (process: v1852748.exe, procid_target 89)
  PID 1248 wrote to memory of 4884 (process: v1852748.exe, procid_target 89)
  PID 4884 wrote to memory of 4688 (process: v8449676.exe, procid_target 91)
  PID 4884 wrote to memory of 4688 (process: v8449676.exe, procid_target 91)
  PID 4884 wrote to memory of 4688 (process: v8449676.exe, procid_target 91)
  PID 4884 wrote to memory of 4088 (process: v8449676.exe, procid_target 100)
  PID 4884 wrote to memory of 4088 (process: v8449676.exe, procid_target 100)
  PID 4884 wrote to memory of 4088 (process: v8449676.exe, procid_target 100)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\cbc04478a960d27775de34f514711320184b4c3debdd89323b807dcb6a1ad8e2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cbc04478a960d27775de34f514711320184b4c3debdd89323b807dcb6a1ad8e2.exe"
  PID: 5020
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7996420.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7996420.exe
    PID: 3812
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1920891.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1920891.exe
      PID: 116
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1852748.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1852748.exe
        PID: 1248
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        Level 5: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8449676.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8449676.exe
          PID: 4884
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          Level 6: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2053324.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2053324.exe
            PID: 4688
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            Level 7: C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 1080
              PID: 1744
              - Program crash
          Level 6: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5632318.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5632318.exe
            PID: 4088
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4688 -ip 4688
  PID: 2652
Level 1: C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  PID: 264
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (1)
      Windows Service (1)
Downloads