Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-11-2024 17:53

Static task: static1
Behavioral task: behavioral1
- Sample: ca9081b88b82db1133887e6b92bf460b0d10afc642076c4209523eb0469c2a7a.exe
- Resource: win10v2004-20241007-en
General
- Target: ca9081b88b82db1133887e6b92bf460b0d10afc642076c4209523eb0469c2a7a.exe
- Size: 1.5MB
- MD5: 2c62669267c345b3a44fce9eb7471ddb
- SHA1: 2f56706db435949e7c6db65e974f501f9e2da51a
- SHA256: ca9081b88b82db1133887e6b92bf460b0d10afc642076c4209523eb0469c2a7a
- SHA512: e1ce991619270b6446df6ef5f5a3e86fee2f799386132198b1768607047ea612522928ef84b216f0a8fbe32e5b7dcb5fb17177d81e910d56ac76f07e729d968f
- SSDEEP: 49152:bfZB7GdQXAKINApJY4CRRwTHAH9dhnbz9:DZB7Gd8894CRRwzqbhbz
Malware Config
Extracted
- Family: redline
- Botnet: mazda
- C2: 217.196.96.56:4138
- auth_value: 3d2870537d84a4c6d7aeecd002871c51
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)

| resource | yara_rule |
| --- | --- |
| behavioral1/memory/4408-36-0x0000000002720000-0x000000000273A000-memory.dmp | healer |
| behavioral1/memory/4408-38-0x0000000004C90000-0x0000000004CA8000-memory.dmp | healer |
| behavioral1/memory/4408-46-0x0000000004C90000-0x0000000004CA2000-memory.dmp | healer |
| behavioral1/memory/4408-58-0x0000000004C90000-0x0000000004CA2000-memory.dmp | healer |
| behavioral1/memory/4408-66-0x0000000004C90000-0x0000000004CA2000-memory.dmp | healer |
| behavioral1/memory/4408-64-0x0000000004C90000-0x0000000004CA2000-memory.dmp | healer |
| behavioral1/memory/4408-62-0x0000000004C90000-0x0000000004CA2000-memory.dmp | healer |
| behavioral1/memory/4408-60-0x0000000004C90000-0x0000000004CA2000-memory.dmp | healer |
| behavioral1/memory/4408-54-0x0000000004C90000-0x0000000004CA2000-memory.dmp | healer |
| behavioral1/memory/4408-50-0x0000000004C90000-0x0000000004CA2000-memory.dmp | healer |
| behavioral1/memory/4408-44-0x0000000004C90000-0x0000000004CA2000-memory.dmp | healer |
| behavioral1/memory/4408-42-0x0000000004C90000-0x0000000004CA2000-memory.dmp | healer |
| behavioral1/memory/4408-40-0x0000000004C90000-0x0000000004CA2000-memory.dmp | healer |
| behavioral1/memory/4408-39-0x0000000004C90000-0x0000000004CA2000-memory.dmp | healer |
| behavioral1/memory/4408-56-0x0000000004C90000-0x0000000004CA2000-memory.dmp | healer |
| behavioral1/memory/4408-53-0x0000000004C90000-0x0000000004CA2000-memory.dmp | healer |
| behavioral1/memory/4408-48-0x0000000004C90000-0x0000000004CA2000-memory.dmp | healer |

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a1387006.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a1387006.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a1387006.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | a1387006.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a1387006.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a1387006.exe |
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (2 IoCs)

| resource | yara_rule |
| --- | --- |
| behavioral1/files/0x000a000000023ba2-71.dat | family_redline |
| behavioral1/memory/1628-73-0x0000000000190000-0x00000000001C0000-memory.dmp | family_redline |
Redline family
-
Executes dropped EXE (6 IoCs)

| pid | Process |
| --- | --- |
| 2532 | v5214559.exe |
| 2940 | v4596024.exe |
| 4212 | v2353353.exe |
| 968 | v9453595.exe |
| 4408 | a1387006.exe |
| 1628 | b2424198.exe |

Windows security modification (2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | a1387006.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | a1387006.exe |
Adds Run key to start application (2 TTPs, 5 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v5214559.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v4596024.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v2353353.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | v9453595.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ca9081b88b82db1133887e6b92bf460b0d10afc642076c4209523eb0469c2a7a.exe |
Program crash (1 IoC)

| pid | pid_target | Process | procid_target |
| --- | --- | --- | --- |
| 4984 | 4408 | WerFault.exe | 89 |
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ca9081b88b82db1133887e6b92bf460b0d10afc642076c4209523eb0469c2a7a.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v5214559.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v4596024.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v2353353.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v9453595.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a1387006.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b2424198.exe |
Suspicious behavior: EnumeratesProcesses (2 IoCs)

| pid | Process |
| --- | --- |
| 4408 | a1387006.exe |
| 4408 | a1387006.exe |
Suspicious use of AdjustPrivilegeToken (1 IoC)

| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 4408 | a1387006.exe |
Suspicious use of WriteProcessMemory (18 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2332 wrote to memory of 2532 | 2332 | ca9081b88b82db1133887e6b92bf460b0d10afc642076c4209523eb0469c2a7a.exe | 83 |
| PID 2332 wrote to memory of 2532 | 2332 | ca9081b88b82db1133887e6b92bf460b0d10afc642076c4209523eb0469c2a7a.exe | 83 |
| PID 2332 wrote to memory of 2532 | 2332 | ca9081b88b82db1133887e6b92bf460b0d10afc642076c4209523eb0469c2a7a.exe | 83 |
| PID 2532 wrote to memory of 2940 | 2532 | v5214559.exe | 84 |
| PID 2532 wrote to memory of 2940 | 2532 | v5214559.exe | 84 |
| PID 2532 wrote to memory of 2940 | 2532 | v5214559.exe | 84 |
| PID 2940 wrote to memory of 4212 | 2940 | v4596024.exe | 86 |
| PID 2940 wrote to memory of 4212 | 2940 | v4596024.exe | 86 |
| PID 2940 wrote to memory of 4212 | 2940 | v4596024.exe | 86 |
| PID 4212 wrote to memory of 968 | 4212 | v2353353.exe | 88 |
| PID 4212 wrote to memory of 968 | 4212 | v2353353.exe | 88 |
| PID 4212 wrote to memory of 968 | 4212 | v2353353.exe | 88 |
| PID 968 wrote to memory of 4408 | 968 | v9453595.exe | 89 |
| PID 968 wrote to memory of 4408 | 968 | v9453595.exe | 89 |
| PID 968 wrote to memory of 4408 | 968 | v9453595.exe | 89 |
| PID 968 wrote to memory of 1628 | 968 | v9453595.exe | 104 |
| PID 968 wrote to memory of 1628 | 968 | v9453595.exe | 104 |
| PID 968 wrote to memory of 1628 | 968 | v9453595.exe | 104 |
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\ca9081b88b82db1133887e6b92bf460b0d10afc642076c4209523eb0469c2a7a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ca9081b88b82db1133887e6b92bf460b0d10afc642076c4209523eb0469c2a7a.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2332
  - [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5214559.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5214559.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2532
    - [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4596024.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4596024.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2940
      - [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2353353.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2353353.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 4212
        - [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9453595.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9453595.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 968
          - [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1387006.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1387006.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4408
            - [7] C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 1100
              - Program crash
              PID: 4984
          - [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2424198.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2424198.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 1628
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4408 -ip 4408
  PID: 1120
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads