Analysis
max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
10/11/2024, 03:03
Static task
static1
Behavioral task
behavioral1
Sample
6db60f0f1bb2d6cedd142f5c3defd1c971f1c013178c26d36e2db702e551879f.exe
Resource
win10v2004-20241007-en
General
-
Target
6db60f0f1bb2d6cedd142f5c3defd1c971f1c013178c26d36e2db702e551879f.exe
-
Size
1.5MB
-
MD5
c0136c6d16ec065beae0650612a6ebf7
-
SHA1
70d6ed2f524277291def026ed770d87c1c73c6bc
-
SHA256
6db60f0f1bb2d6cedd142f5c3defd1c971f1c013178c26d36e2db702e551879f
-
SHA512
5a1c9f13aa78193a8f0ed9e9d4587fe9ac56346d8de47970bd9e363e2fb751de2da773c6fedc955915ae70033a69064ac9f6021d06c22baa8148dada91aeb05b
-
SSDEEP
24576:+yK+CVKAEto0QRmP54cY8U7hDxOSKYsm2sMju98KKJwf6cfz0wP17rCMQsIi:NptZQRmP54cY8UzLlrKcB6FcPhr9QT
Malware Config
Extracted
redline
mazda
217.196.96.56:4138
-
auth_value
3d2870537d84a4c6d7aeecd002871c51
Signatures
-
Detects Healer, an antivirus disabler dropper (17 IoCs)
resource yara_rule
behavioral1/memory/2876-36-0x00000000027A0000-0x00000000027BA000-memory.dmp healer
behavioral1/memory/2876-38-0x0000000002940000-0x0000000002958000-memory.dmp healer
behavioral1/memory/2876-39-0x0000000002940000-0x0000000002952000-memory.dmp healer
behavioral1/memory/2876-58-0x0000000002940000-0x0000000002952000-memory.dmp healer
behavioral1/memory/2876-66-0x0000000002940000-0x0000000002952000-memory.dmp healer
behavioral1/memory/2876-64-0x0000000002940000-0x0000000002952000-memory.dmp healer
behavioral1/memory/2876-62-0x0000000002940000-0x0000000002952000-memory.dmp healer
behavioral1/memory/2876-60-0x0000000002940000-0x0000000002952000-memory.dmp healer
behavioral1/memory/2876-56-0x0000000002940000-0x0000000002952000-memory.dmp healer
behavioral1/memory/2876-54-0x0000000002940000-0x0000000002952000-memory.dmp healer
behavioral1/memory/2876-52-0x0000000002940000-0x0000000002952000-memory.dmp healer
behavioral1/memory/2876-50-0x0000000002940000-0x0000000002952000-memory.dmp healer
behavioral1/memory/2876-48-0x0000000002940000-0x0000000002952000-memory.dmp healer
behavioral1/memory/2876-46-0x0000000002940000-0x0000000002952000-memory.dmp healer
behavioral1/memory/2876-44-0x0000000002940000-0x0000000002952000-memory.dmp healer
behavioral1/memory/2876-42-0x0000000002940000-0x0000000002952000-memory.dmp healer
behavioral1/memory/2876-40-0x0000000002940000-0x0000000002952000-memory.dmp healer
Healer family
-
Modifies Windows Defender Real-time Protection settings (6 IoCs)
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a4373057.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a4373057.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a4373057.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection a4373057.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a4373057.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a4373057.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (2 IoCs)
resource yara_rule
behavioral1/files/0x0007000000023cb0-71.dat family_redline
behavioral1/memory/3604-73-0x0000000000190000-0x00000000001C0000-memory.dmp family_redline
Redline family
-
Executes dropped EXE (6 IoCs)
pid Process
4848 v2911199.exe
2756 v4999647.exe
460 v1729603.exe
4176 v2499822.exe
2876 a4373057.exe
3604 b2589349.exe
Windows security modification (2 IoCs)
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features a4373057.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" a4373057.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" v4999647.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" v1729603.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" v2499822.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 6db60f0f1bb2d6cedd142f5c3defd1c971f1c013178c26d36e2db702e551879f.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" v2911199.exe
Program crash (1 IoC)
pid pid_target Process procid_target
780 2876 WerFault.exe 89
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b2589349.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6db60f0f1bb2d6cedd142f5c3defd1c971f1c013178c26d36e2db702e551879f.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language v2911199.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language v4999647.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language v1729603.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language v2499822.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a4373057.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid Process
2876 a4373057.exe
2876 a4373057.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description pid Process
Token: SeDebugPrivilege 2876 a4373057.exe
Suspicious use of WriteProcessMemory (18 IoCs)
description pid Process procid_target
PID 4196 wrote to memory of 4848 4196 6db60f0f1bb2d6cedd142f5c3defd1c971f1c013178c26d36e2db702e551879f.exe 84
PID 4196 wrote to memory of 4848 4196 6db60f0f1bb2d6cedd142f5c3defd1c971f1c013178c26d36e2db702e551879f.exe 84
PID 4196 wrote to memory of 4848 4196 6db60f0f1bb2d6cedd142f5c3defd1c971f1c013178c26d36e2db702e551879f.exe 84
PID 4848 wrote to memory of 2756 4848 v2911199.exe 85
PID 4848 wrote to memory of 2756 4848 v2911199.exe 85
PID 4848 wrote to memory of 2756 4848 v2911199.exe 85
PID 2756 wrote to memory of 460 2756 v4999647.exe 87
PID 2756 wrote to memory of 460 2756 v4999647.exe 87
PID 2756 wrote to memory of 460 2756 v4999647.exe 87
PID 460 wrote to memory of 4176 460 v1729603.exe 88
PID 460 wrote to memory of 4176 460 v1729603.exe 88
PID 460 wrote to memory of 4176 460 v1729603.exe 88
PID 4176 wrote to memory of 2876 4176 v2499822.exe 89
PID 4176 wrote to memory of 2876 4176 v2499822.exe 89
PID 4176 wrote to memory of 2876 4176 v2499822.exe 89
PID 4176 wrote to memory of 3604 4176 v2499822.exe 101
PID 4176 wrote to memory of 3604 4176 v2499822.exe 101
PID 4176 wrote to memory of 3604 4176 v2499822.exe 101
Processes
C:\Users\Admin\AppData\Local\Temp\6db60f0f1bb2d6cedd142f5c3defd1c971f1c013178c26d36e2db702e551879f.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\6db60f0f1bb2d6cedd142f5c3defd1c971f1c013178c26d36e2db702e551879f.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4196
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2911199.exe (level 2)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2911199.exe
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4848
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4999647.exe (level 3)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4999647.exe
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1729603.exe (level 4)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1729603.exe
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:460
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2499822.exe (level 5)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2499822.exe
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4176
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4373057.exe (level 6)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4373057.exe
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2876
C:\Windows\SysWOW64\WerFault.exe (level 7)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 1080
- Program crash
PID:780
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2589349.exe (level 6)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2589349.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3604
C:\Windows\SysWOW64\WerFault.exe (level 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2876 -ip 2876
PID:3712
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Create or Modify System Process (1)
Windows Service (1)
Downloads