Analysis
-
max time kernel
145s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 18:11
Static task
static1
Behavioral task
behavioral1
Sample
b3d5ab564087df4a3ec94f347632d687df5d33a7f6dbf189a55de377346560a8.exe
Resource
win10v2004-20241007-en
General
-
Target
b3d5ab564087df4a3ec94f347632d687df5d33a7f6dbf189a55de377346560a8.exe
-
Size
1.5MB
-
MD5
ecf993ec2c1e0431c3d363929730177e
-
SHA1
5f6166e3a6f58dbfe8c612445474658e96fdf6e2
-
SHA256
b3d5ab564087df4a3ec94f347632d687df5d33a7f6dbf189a55de377346560a8
-
SHA512
7a0c8b4e7c1cb01c59defa6dfc98797683b277519bd9151edbdbbea381ba38e7e528121c8dce439f5e3daaf4eb634fb0a13810ff4086e27f8409f3bba793ebac
-
SSDEEP
24576:Ty/DHL3xeY3I9Tl+KMZwFR3555q/H7O1Z5xLSM3VVchAWaiXCBLAHAnhuB:mzL3gYY9oTexYq1Z5l1VVtACK
Malware Config
Extracted
redline
mazda
217.196.96.56:4138
-
auth_value
3d2870537d84a4c6d7aeecd002871c51
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/1092-36-0x00000000027C0000-0x00000000027DA000-memory.dmp healer behavioral1/memory/1092-38-0x0000000004C90000-0x0000000004CA8000-memory.dmp healer behavioral1/memory/1092-62-0x0000000004C90000-0x0000000004CA2000-memory.dmp healer behavioral1/memory/1092-66-0x0000000004C90000-0x0000000004CA2000-memory.dmp healer behavioral1/memory/1092-64-0x0000000004C90000-0x0000000004CA2000-memory.dmp healer behavioral1/memory/1092-60-0x0000000004C90000-0x0000000004CA2000-memory.dmp healer behavioral1/memory/1092-58-0x0000000004C90000-0x0000000004CA2000-memory.dmp healer behavioral1/memory/1092-56-0x0000000004C90000-0x0000000004CA2000-memory.dmp healer behavioral1/memory/1092-54-0x0000000004C90000-0x0000000004CA2000-memory.dmp healer behavioral1/memory/1092-53-0x0000000004C90000-0x0000000004CA2000-memory.dmp healer behavioral1/memory/1092-50-0x0000000004C90000-0x0000000004CA2000-memory.dmp healer behavioral1/memory/1092-46-0x0000000004C90000-0x0000000004CA2000-memory.dmp healer behavioral1/memory/1092-44-0x0000000004C90000-0x0000000004CA2000-memory.dmp healer behavioral1/memory/1092-42-0x0000000004C90000-0x0000000004CA2000-memory.dmp healer behavioral1/memory/1092-40-0x0000000004C90000-0x0000000004CA2000-memory.dmp healer behavioral1/memory/1092-39-0x0000000004C90000-0x0000000004CA2000-memory.dmp healer behavioral1/memory/1092-48-0x0000000004C90000-0x0000000004CA2000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a1064045.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a1064045.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a1064045.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a1064045.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a1064045.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection a1064045.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/files/0x0007000000023cb8-71.dat family_redline behavioral1/memory/2424-73-0x00000000005C0000-0x00000000005F0000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 6 IoCs
pid Process 2560 v3842466.exe 1972 v6372058.exe 1908 v9748104.exe 2452 v5927231.exe 1092 a1064045.exe 2424 b9994316.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features a1064045.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" a1064045.exe -
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" b3d5ab564087df4a3ec94f347632d687df5d33a7f6dbf189a55de377346560a8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" v3842466.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" v6372058.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" v9748104.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" v5927231.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 116 1092 WerFault.exe 88 -
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b9994316.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b3d5ab564087df4a3ec94f347632d687df5d33a7f6dbf189a55de377346560a8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language v3842466.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language v6372058.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language v9748104.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language v5927231.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a1064045.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1092 a1064045.exe 1092 a1064045.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1092 a1064045.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 3156 wrote to memory of 2560 3156 b3d5ab564087df4a3ec94f347632d687df5d33a7f6dbf189a55de377346560a8.exe 83 PID 3156 wrote to memory of 2560 3156 b3d5ab564087df4a3ec94f347632d687df5d33a7f6dbf189a55de377346560a8.exe 83 PID 3156 wrote to memory of 2560 3156 b3d5ab564087df4a3ec94f347632d687df5d33a7f6dbf189a55de377346560a8.exe 83 PID 2560 wrote to memory of 1972 2560 v3842466.exe 84 PID 2560 wrote to memory of 1972 2560 v3842466.exe 84 PID 2560 wrote to memory of 1972 2560 v3842466.exe 84 PID 1972 wrote to memory of 1908 1972 v6372058.exe 85 PID 1972 wrote to memory of 1908 1972 v6372058.exe 85 PID 1972 wrote to memory of 1908 1972 v6372058.exe 85 PID 1908 wrote to memory of 2452 1908 v9748104.exe 86 PID 1908 wrote to memory of 2452 1908 v9748104.exe 86 PID 1908 wrote to memory of 2452 1908 v9748104.exe 86 PID 2452 wrote to memory of 1092 2452 v5927231.exe 88 PID 2452 wrote to memory of 1092 2452 v5927231.exe 88 PID 2452 wrote to memory of 1092 2452 v5927231.exe 88 PID 2452 wrote to memory of 2424 2452 v5927231.exe 100 PID 2452 wrote to memory of 2424 2452 v5927231.exe 100 PID 2452 wrote to memory of 2424 2452 v5927231.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\b3d5ab564087df4a3ec94f347632d687df5d33a7f6dbf189a55de377346560a8.exe"C:\Users\Admin\AppData\Local\Temp\b3d5ab564087df4a3ec94f347632d687df5d33a7f6dbf189a55de377346560a8.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3156 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3842466.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3842466.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6372058.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6372058.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9748104.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9748104.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5927231.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5927231.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1064045.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1064045.exe6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1092 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 10647⤵
- Program crash
PID:116
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9994316.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9994316.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2424
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1092 -ip 10921⤵PID:4492
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD5fd2e8e81e4e70b562c3d703439f21b6c
SHA1e708f7c28f710e7cffa2704cdf1d1ae0c7182723
SHA256e31f64178480ba5c94cc232415be93f3b9e37d4d971e3961d7a9a5e3e6e10473
SHA512128b6c85592deb139e82df54a8eb48925d10a8ed62342b7b504909d10f24a399fccf7a088797ba06cc93833621952cb197e18918db015d94adc6c2928843e618
-
Filesize
912KB
MD53654476e5db895dce8034ab802e4c425
SHA1f35a60d168b8c8e0240f9118c40f1e896ce5be48
SHA256603ac481405ca2617afbc90f80329b27066d37a6f0e6d210d29f6bf113c603b4
SHA51215c7d37188b0badfee96fb6223271580c5466b10468c86442fbfdbc54f9f1602d1ab43bf38ca8331c894b1dc064b08da57966166249afaae7943ecb5f5094b80
-
Filesize
708KB
MD5f7e631a15b093677e2b7b04a142eecff
SHA1670612d844e5c9a7eff8318373bc8d3118d6a457
SHA25639839819d0d8344d00f01268c335c2ee62317524b1452b9f94cd7f859d141c33
SHA51273b5a02ea50a40b546a2268032979449b7baf25d94c62ce4aa7aaef4d5013581dc0da839ec86da52dea027c454c6f5d4c1e2b35852de20742dd9409b4a04fe8e
-
Filesize
415KB
MD557d3d9105ecff00b29dd119826169da2
SHA124076af1edec9c25277eb5ddcf2c65fdccc1b83a
SHA256140690c679725069b81d27b2d0f217a46268e921f7a445503c81ca94dd580220
SHA512fc1403e3761ecb6afc527cae02cb9688c45b56fe4ac3849053de33a962c6e1105bb9c8bdeb106f9b68ce644e5740802a0078b67264181cee001d5c8346f5f9b2
-
Filesize
361KB
MD57317134b8a770bf2a727b51587afc618
SHA18ca0ebc01c94fe497c9f5f3e406595e8cac7e63a
SHA2561034deb35f434f51408bbd661abb3c76f2d491a8b6a18585596702ecab089b9c
SHA512aa2be26f0738c2096f8c3dd47c1695db201a02aa1f6c5acbd42582cc31c77b54ae3d4000a39af7249c7fa0ed069f299cb591c992ea5975851f29599329e32e19
-
Filesize
168KB
MD5b2d58eb21b05418540b82d5e3b580521
SHA1893bf1dfc6f06187cf393cc47e02193f12490788
SHA256f0bd24c18697c8c184e399444bfbfebd4202e793a01ebfa803be36938a56f955
SHA5128e3aed1685a57c54d889344c88683d807b17c1427aa0acdcd08ee71b87730aa4ba01fc987a13f49752a1e4576b279ea96e1fc7b4995b26808e0d56fa4a575cdc