Analysis

- Max time kernel: 143s
- Max time network: 147s
- Platform: windows10-2004_x64
- Resource: win10v2004-20241007-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 09/11/2024, 19:19

Static task: static1
Behavioral task: behavioral1
- Sample: 57fde9366ce674fe1f1ac7579350179f7e95338b0fadfc64cad73200d2b9122b.exe
- Resource: win10v2004-20241007-en
General

- Target: 57fde9366ce674fe1f1ac7579350179f7e95338b0fadfc64cad73200d2b9122b.exe
- Size: 1.5MB
- MD5: b4ee23f6a230e80dfe5eaf3051e5ce4d
- SHA1: dd99c89b60a8bf330412f3a1988fdf95be58eba3
- SHA256: 57fde9366ce674fe1f1ac7579350179f7e95338b0fadfc64cad73200d2b9122b
- SHA512: e85851bde60c6587e1a65164eef7d4c71043afae28e6770e32582d4ec685eec1f79012f40a3284d75bb68d00ac89a999b4bf35e9ac42cbe9dcfba2e53b71bbfd
- SSDEEP: 24576:LyxhJeGP0MtK8cBCF+q/qoFtRxlU297xwdoPLXLYzyfwym:+xfY9aFRj3Uk7xwK7LYzyft
Malware Config

Extracted
- Family: redline
- Botnet: mazda
- C2: 217.196.96.56:4138
- auth_value: 3d2870537d84a4c6d7aeecd002871c51
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (process: a1127248.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (process: a1127248.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (process: a1127248.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (process: a1127248.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (process: a1127248.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (process: a1127248.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
- behavioral1/files/0x0007000000023ca2-71.dat (yara rule: family_redline)
- behavioral1/memory/1540-73-0x0000000000050000-0x0000000000080000-memory.dmp (yara rule: family_redline)

Redline family
Executes dropped EXE (6 IoCs)
- PID 2452: v0542600.exe
- PID 3280: v4402829.exe
- PID 3668: v0075410.exe
- PID 5104: v3317171.exe
- PID 2788: a1127248.exe
- PID 1540: b8570157.exe

Windows security modification
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (process: a1127248.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (process: a1127248.exe)
Adds Run key to start application (2 TTPs, 5 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 57fde9366ce674fe1f1ac7579350179f7e95338b0fadfc64cad73200d2b9122b.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: v0542600.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (process: v4402829.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" (process: v0075410.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" (process: v3317171.exe)
Program crash (1 IoC)
- PID 888 (WerFault.exe) handled a crash of target PID 2788 (procid_target 89)
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: v0542600.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: v4402829.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: v0075410.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: v3317171.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: a1127248.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: b8570157.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 57fde9366ce674fe1f1ac7579350179f7e95338b0fadfc64cad73200d2b9122b.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2788: a1127248.exe
- PID 2788: a1127248.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 2788 (a1127248.exe)
Suspicious use of WriteProcessMemory (18 IoCs)
- PID 2408 wrote to memory of PID 2452 (process: 57fde9366ce674fe1f1ac7579350179f7e95338b0fadfc64cad73200d2b9122b.exe, procid_target 83)
- PID 2408 wrote to memory of PID 2452 (process: 57fde9366ce674fe1f1ac7579350179f7e95338b0fadfc64cad73200d2b9122b.exe, procid_target 83)
- PID 2408 wrote to memory of PID 2452 (process: 57fde9366ce674fe1f1ac7579350179f7e95338b0fadfc64cad73200d2b9122b.exe, procid_target 83)
- PID 2452 wrote to memory of PID 3280 (process: v0542600.exe, procid_target 85)
- PID 2452 wrote to memory of PID 3280 (process: v0542600.exe, procid_target 85)
- PID 2452 wrote to memory of PID 3280 (process: v0542600.exe, procid_target 85)
- PID 3280 wrote to memory of PID 3668 (process: v4402829.exe, procid_target 87)
- PID 3280 wrote to memory of PID 3668 (process: v4402829.exe, procid_target 87)
- PID 3280 wrote to memory of PID 3668 (process: v4402829.exe, procid_target 87)
- PID 3668 wrote to memory of PID 5104 (process: v0075410.exe, procid_target 88)
- PID 3668 wrote to memory of PID 5104 (process: v0075410.exe, procid_target 88)
- PID 3668 wrote to memory of PID 5104 (process: v0075410.exe, procid_target 88)
- PID 5104 wrote to memory of PID 2788 (process: v3317171.exe, procid_target 89)
- PID 5104 wrote to memory of PID 2788 (process: v3317171.exe, procid_target 89)
- PID 5104 wrote to memory of PID 2788 (process: v3317171.exe, procid_target 89)
- PID 5104 wrote to memory of PID 1540 (process: v3317171.exe, procid_target 102)
- PID 5104 wrote to memory of PID 1540 (process: v3317171.exe, procid_target 102)
- PID 5104 wrote to memory of PID 1540 (process: v3317171.exe, procid_target 102)
Processes

- C:\Users\Admin\AppData\Local\Temp\57fde9366ce674fe1f1ac7579350179f7e95338b0fadfc64cad73200d2b9122b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\57fde9366ce674fe1f1ac7579350179f7e95338b0fadfc64cad73200d2b9122b.exe"
  PID: 2408
  Signatures:
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0542600.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0542600.exe
    PID: 2452
    Signatures:
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4402829.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4402829.exe
      PID: 3280
      Signatures:
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0075410.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0075410.exe
        PID: 3668
        Signatures:
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3317171.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3317171.exe
          PID: 5104
          Signatures:
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1127248.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1127248.exe
            PID: 2788
            Signatures:
              - Modifies Windows Defender Real-time Protection settings
              - Executes dropped EXE
              - Windows security modification
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            - C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 1088
              PID: 888
              Signatures:
                - Program crash
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8570157.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8570157.exe
            PID: 1540
            Signatures:
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2788 -ip 2788
  PID: 1316
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads