Analysis
max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
10-11-2024 01:42
Static task
static1
Behavioral task
behavioral1
Sample
7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93.exe
Resource
win10v2004-20241007-en
General
-
Target
7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93.exe
-
Size
1.5MB
-
MD5
bd260c8c626a99a2c0ab801f91b3662a
-
SHA1
476f40965d4e97f2b2321c610b0fc640d3bdf720
-
SHA256
7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93
-
SHA512
ae88a84ff44ad6d74972d64881d7e08d1541797e342e264f3740407f6b64f92d6cb08f5a93b0ba689ecbc587b2d3d8570671bc2e98252c633bcf5f77cb223460
-
SSDEEP
24576:Yy7ZiSY12xT7TXKXdYi2ExSSd1RatOeJOeHli4/:fcSY12xT7LVJSdzun7D
Malware Config
Extracted
redline
maza
185.161.248.73:4164
-
auth_value
474d54c1c2f5291290c53f8378acd684
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
Processes:
resource yara_rule
behavioral1/memory/1428-36-0x0000000002850000-0x000000000286A000-memory.dmp healer
behavioral1/memory/1428-38-0x0000000002CD0000-0x0000000002CE8000-memory.dmp healer
behavioral1/memory/1428-39-0x0000000002CD0000-0x0000000002CE2000-memory.dmp healer
behavioral1/memory/1428-66-0x0000000002CD0000-0x0000000002CE2000-memory.dmp healer
behavioral1/memory/1428-65-0x0000000002CD0000-0x0000000002CE2000-memory.dmp healer
behavioral1/memory/1428-62-0x0000000002CD0000-0x0000000002CE2000-memory.dmp healer
behavioral1/memory/1428-60-0x0000000002CD0000-0x0000000002CE2000-memory.dmp healer
behavioral1/memory/1428-58-0x0000000002CD0000-0x0000000002CE2000-memory.dmp healer
behavioral1/memory/1428-56-0x0000000002CD0000-0x0000000002CE2000-memory.dmp healer
behavioral1/memory/1428-55-0x0000000002CD0000-0x0000000002CE2000-memory.dmp healer
behavioral1/memory/1428-53-0x0000000002CD0000-0x0000000002CE2000-memory.dmp healer
behavioral1/memory/1428-50-0x0000000002CD0000-0x0000000002CE2000-memory.dmp healer
behavioral1/memory/1428-48-0x0000000002CD0000-0x0000000002CE2000-memory.dmp healer
behavioral1/memory/1428-46-0x0000000002CD0000-0x0000000002CE2000-memory.dmp healer
behavioral1/memory/1428-44-0x0000000002CD0000-0x0000000002CE2000-memory.dmp healer
behavioral1/memory/1428-42-0x0000000002CD0000-0x0000000002CE2000-memory.dmp healer
behavioral1/memory/1428-40-0x0000000002CD0000-0x0000000002CE2000-memory.dmp healer
Healer family
-
Modifies Windows Defender Real-time Protection settings
Processes:
a35099503.exe
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection a35099503.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a35099503.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a35099503.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a35099503.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a35099503.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a35099503.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b39310875.exe family_redline
behavioral1/memory/4672-73-0x0000000000D60000-0x0000000000D8E000-memory.dmp family_redline
Redline family
-
Executes dropped EXE 6 IoCs
Processes:
i98174832.exe i87601930.exe i35293944.exe i78992619.exe a35099503.exe b39310875.exe
pid process
2756 i98174832.exe
5112 i87601930.exe
4060 i35293944.exe
3492 i78992619.exe
1428 a35099503.exe
4672 b39310875.exe
Windows security modification
Processes:
a35099503.exe
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features a35099503.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" a35099503.exe
Adds Run key to start application 2 TTPs 5 IoCs
Processes:
7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93.exe i98174832.exe i87601930.exe i35293944.exe i78992619.exe
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" i98174832.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" i87601930.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" i35293944.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" i78992619.exe
Program crash 1 IoCs
Processes:
WerFault.exe
pid pid_target process target_process
2412 1428 WerFault.exe a35099503.exe
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
i87601930.exe i35293944.exe i78992619.exe a35099503.exe b39310875.exe 7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93.exe i98174832.exe
description ioc process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i87601930.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i35293944.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i78992619.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a35099503.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b39310875.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i98174832.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
a35099503.exe
pid process
1428 a35099503.exe
1428 a35099503.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
a35099503.exe
description pid process
Token: SeDebugPrivilege 1428 a35099503.exe
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93.exe i98174832.exe i87601930.exe i35293944.exe i78992619.exe
description pid process target_process
PID 4896 wrote to memory of 2756 4896 7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93.exe i98174832.exe
PID 4896 wrote to memory of 2756 4896 7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93.exe i98174832.exe
PID 4896 wrote to memory of 2756 4896 7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93.exe i98174832.exe
PID 2756 wrote to memory of 5112 2756 i98174832.exe i87601930.exe
PID 2756 wrote to memory of 5112 2756 i98174832.exe i87601930.exe
PID 2756 wrote to memory of 5112 2756 i98174832.exe i87601930.exe
PID 5112 wrote to memory of 4060 5112 i87601930.exe i35293944.exe
PID 5112 wrote to memory of 4060 5112 i87601930.exe i35293944.exe
PID 5112 wrote to memory of 4060 5112 i87601930.exe i35293944.exe
PID 4060 wrote to memory of 3492 4060 i35293944.exe i78992619.exe
PID 4060 wrote to memory of 3492 4060 i35293944.exe i78992619.exe
PID 4060 wrote to memory of 3492 4060 i35293944.exe i78992619.exe
PID 3492 wrote to memory of 1428 3492 i78992619.exe a35099503.exe
PID 3492 wrote to memory of 1428 3492 i78992619.exe a35099503.exe
PID 3492 wrote to memory of 1428 3492 i78992619.exe a35099503.exe
PID 3492 wrote to memory of 4672 3492 i78992619.exe b39310875.exe
PID 3492 wrote to memory of 4672 3492 i78992619.exe b39310875.exe
PID 3492 wrote to memory of 4672 3492 i78992619.exe b39310875.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4896
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i98174832.exe (depth 2)
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i98174832.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2756
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i87601930.exe (depth 3)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i87601930.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 5112
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i35293944.exe (depth 4)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i35293944.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4060
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i78992619.exe (depth 5)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i78992619.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 3492
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe (depth 6)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1428
            C:\Windows\SysWOW64\WerFault.exe (depth 7)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1080
            - Program crash
            PID: 2412
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b39310875.exe (depth 6)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b39310875.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 4672
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1428 -ip 1428
PID: 1908
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Create or Modify System Process 1
Windows Service 1
Downloads
-
Filesize
1.3MB
MD5 3c98863833f7aff1acd4bff0efb307f1
SHA1 656a7cb936d6259d34a213726cdf8b5b523bfe97
SHA256 341acf51528ad025d37942ca95d59951251a1a0be2481bc67c77890900489e48
SHA512 872ad99d20d10c184f1e1349e573541cb4eb9d8dc4ed06130b068e989806a232be5c64a58acda968ba000bce45b1f6bd5c8de747df95719cf2aa5a5978fdece7
-
Filesize
1.1MB
MD5 b402b9b957eedae731e6788176d04a6c
SHA1 0d73034cd207695202a31b04ec78a44bac91a564
SHA256 a72d9c94332ccb234e04b2709f59c59dcbb5c1010d5fc735318a86ebe2144b3e
SHA512 fd65a56c29021dcb67752d4c797b593c94b228d99879738544772a78d24f9ded0480a5ee8271e93fd08ac804c5700f5aa1afb6e4b4c43f6cde07cc4835fb9cae
-
Filesize
683KB
MD5 72723222ddbf76f6e4bb67b780697991
SHA1 223647d8a4af3e509ed6f0868daf728c952abbf8
SHA256 f296f95567a42a829b71590870e72de0ce023f4f7b9d7c76a1470345072c3d73
SHA512 0694ce1467b1f1f6c974a2d0541096752a62202fe63e30e8799fd048244ec2da24ee8cf1e9ddfb794846b3316a25ddf64cb5b2ed8a4ed8cd435287f75e8647d2
-
Filesize
405KB
MD5 4ceaababa053a38b19ad1df4dd401db0
SHA1 e4e119fa4cb9d5debd5bb7cc3c00d9daf5bc0897
SHA256 855751103c09f7a38813db03fa1ede42a70b864994072f48e07e423ff87263b7
SHA512 8b0f0b433fa010feb4ac5b3a8c625801b1055ff9cd8e1c3c3557d71696a2c1178ef8831711548e34d0ca316b4fd5e7a5e6a55871235410ad24bcce349795b60a
-
Filesize
344KB
MD5 b497921f7dcb828b7b38daa1eaf7158d
SHA1 cce97fdc1d8a77a52ef5cb29597eb83863c2f4a6
SHA256 30c09deb736f1c9accdad3875587ab5654850929f90839f84aa47480968f6ecb
SHA512 75c6a8fc7f04c161eab6779520a0bfc9fcd789bcc78e6a9d3f6bc991407793bab00964864bfaaa5f31007d0a13fe0dd011339122c7694914cf9b1da5dfdf05a1
-
Filesize
168KB
MD5 c53ccc3e6ee89031dcb6760cdd081ad4
SHA1 c8ea70aa2d2043a2077e4cbaa593581c8b39e9aa
SHA256 886adce7dcfc2e7fca15ac78afa9947db515cf7c36c7e997fdefb9d5fb5be1fc
SHA512 2f24d77e2fb522e9a8b537d560987140d64460e2eb909ccb18a599076633a7796d8fc195435d9910007a452fb7dcab3f1315d20b11c940363e9891aad3134548