Analysis
  max time kernel: 149s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 09/11/2024, 03:53

Static task: static1
Behavioral task: behavioral1
  Sample: c1916b134a54ab42d21b046192ed9d367444bb84506281bd561bc161159ff49b.exe
  Resource: win10v2004-20241007-en

General
  Target: c1916b134a54ab42d21b046192ed9d367444bb84506281bd561bc161159ff49b.exe
  Size: 1.5MB
  MD5: 68e593e4dada3f0fc34fc8b9e2d9379a
  SHA1: ee1b1858e8054afc2b7628e34f185b9ed2b592f7
  SHA256: c1916b134a54ab42d21b046192ed9d367444bb84506281bd561bc161159ff49b
  SHA512: 5788cc5e9f5c2fa9a0a2061ed33bc8222795bd0f2ab9541605f255339462dbfeb899decd1958be75e015ac400aeda54da2843c8e0122e174bdd72672f6c1d409
  SSDEEP: 24576:SykDSg4piChMmMCb2CqR57p5WbPmUKupDfR22uSjks2wKrKHtwJK:5kv4dNM2lqz7pV4R22uSjL2vyo

Malware Config
  Extracted
  Family: redline
  Botnet: mazda
  C2: 217.196.96.56:4138
  auth_value: 3d2870537d84a4c6d7aeecd002871c51
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
  resource | yara_rule
  behavioral1/memory/4396-36-0x00000000024E0000-0x00000000024FA000-memory.dmp | healer
  behavioral1/memory/4396-38-0x0000000002790000-0x00000000027A8000-memory.dmp | healer
  behavioral1/memory/4396-42-0x0000000002790000-0x00000000027A2000-memory.dmp | healer
  behavioral1/memory/4396-48-0x0000000002790000-0x00000000027A2000-memory.dmp | healer
  behavioral1/memory/4396-64-0x0000000002790000-0x00000000027A2000-memory.dmp | healer
  behavioral1/memory/4396-62-0x0000000002790000-0x00000000027A2000-memory.dmp | healer
  behavioral1/memory/4396-60-0x0000000002790000-0x00000000027A2000-memory.dmp | healer
  behavioral1/memory/4396-59-0x0000000002790000-0x00000000027A2000-memory.dmp | healer
  behavioral1/memory/4396-56-0x0000000002790000-0x00000000027A2000-memory.dmp | healer
  behavioral1/memory/4396-54-0x0000000002790000-0x00000000027A2000-memory.dmp | healer
  behavioral1/memory/4396-52-0x0000000002790000-0x00000000027A2000-memory.dmp | healer
  behavioral1/memory/4396-50-0x0000000002790000-0x00000000027A2000-memory.dmp | healer
  behavioral1/memory/4396-46-0x0000000002790000-0x00000000027A2000-memory.dmp | healer
  behavioral1/memory/4396-44-0x0000000002790000-0x00000000027A2000-memory.dmp | healer
  behavioral1/memory/4396-66-0x0000000002790000-0x00000000027A2000-memory.dmp | healer
  behavioral1/memory/4396-39-0x0000000002790000-0x00000000027A2000-memory.dmp | healer
  behavioral1/memory/4396-40-0x0000000002790000-0x00000000027A2000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a9015258.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a9015258.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | a9015258.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a9015258.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a9015258.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a9015258.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x0007000000023c6d-71.dat | family_redline
  behavioral1/memory/4796-73-0x0000000000AF0000-0x0000000000B20000-memory.dmp | family_redline
Redline family

Executes dropped EXE (6 IoCs)
  pid | Process
  3136 | v3663892.exe
  1708 | v7239244.exe
  4708 | v9677373.exe
  2944 | v5653127.exe
  4396 | a9015258.exe
  4796 | b8967198.exe
Windows security modification
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | a9015258.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | a9015258.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | v5653127.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | c1916b134a54ab42d21b046192ed9d367444bb84506281bd561bc161159ff49b.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v3663892.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v7239244.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v9677373.exe
Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  676 | 4396 | WerFault.exe | 90
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c1916b134a54ab42d21b046192ed9d367444bb84506281bd561bc161159ff49b.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v3663892.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v7239244.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v9677373.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v5653127.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a9015258.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b8967198.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4396 | a9015258.exe
  4396 | a9015258.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 4396 | a9015258.exe
Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | Process | procid_target
  PID 1020 wrote to memory of 3136 | 1020 | c1916b134a54ab42d21b046192ed9d367444bb84506281bd561bc161159ff49b.exe | 85
  PID 1020 wrote to memory of 3136 | 1020 | c1916b134a54ab42d21b046192ed9d367444bb84506281bd561bc161159ff49b.exe | 85
  PID 1020 wrote to memory of 3136 | 1020 | c1916b134a54ab42d21b046192ed9d367444bb84506281bd561bc161159ff49b.exe | 85
  PID 3136 wrote to memory of 1708 | 3136 | v3663892.exe | 86
  PID 3136 wrote to memory of 1708 | 3136 | v3663892.exe | 86
  PID 3136 wrote to memory of 1708 | 3136 | v3663892.exe | 86
  PID 1708 wrote to memory of 4708 | 1708 | v7239244.exe | 87
  PID 1708 wrote to memory of 4708 | 1708 | v7239244.exe | 87
  PID 1708 wrote to memory of 4708 | 1708 | v7239244.exe | 87
  PID 4708 wrote to memory of 2944 | 4708 | v9677373.exe | 89
  PID 4708 wrote to memory of 2944 | 4708 | v9677373.exe | 89
  PID 4708 wrote to memory of 2944 | 4708 | v9677373.exe | 89
  PID 2944 wrote to memory of 4396 | 2944 | v5653127.exe | 90
  PID 2944 wrote to memory of 4396 | 2944 | v5653127.exe | 90
  PID 2944 wrote to memory of 4396 | 2944 | v5653127.exe | 90
  PID 2944 wrote to memory of 4796 | 2944 | v5653127.exe | 98
  PID 2944 wrote to memory of 4796 | 2944 | v5653127.exe | 98
  PID 2944 wrote to memory of 4796 | 2944 | v5653127.exe | 98
Processes (tree depth in brackets)
[1] C:\Users\Admin\AppData\Local\Temp\c1916b134a54ab42d21b046192ed9d367444bb84506281bd561bc161159ff49b.exe (PID 1020)
    Command line: "C:\Users\Admin\AppData\Local\Temp\c1916b134a54ab42d21b046192ed9d367444bb84506281bd561bc161159ff49b.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3663892.exe (PID 3136)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3663892.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7239244.exe (PID 1708)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7239244.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9677373.exe (PID 4708)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9677373.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5653127.exe (PID 2944)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5653127.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9015258.exe (PID 4396)
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9015258.exe
              - Modifies Windows Defender Real-time Protection settings
              - Executes dropped EXE
              - Windows security modification
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\SysWOW64\WerFault.exe (PID 676)
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1088
                - Program crash
          [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8967198.exe (PID 4796)
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8967198.exe
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
[1] C:\Windows\SysWOW64\WerFault.exe (PID 3516)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4396 -ip 4396
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads