Analysis
-
max time kernel
143s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11-11-2024 06:06
Static task
static1
Behavioral task
behavioral1
Sample
c3946caa70c4cb0fa44dc3f2dad509df2d30a6e6635e1185865aafa63f64ce1a.exe
Resource
win10v2004-20241007-en
General
-
Target
c3946caa70c4cb0fa44dc3f2dad509df2d30a6e6635e1185865aafa63f64ce1a.exe
-
Size
1.5MB
-
MD5
75bb1a2efde3362d07efba529c18fe6b
-
SHA1
24bc69309c87a9084631f3d29c48c8c9a6da34ad
-
SHA256
c3946caa70c4cb0fa44dc3f2dad509df2d30a6e6635e1185865aafa63f64ce1a
-
SHA512
e5b5df896a9107f4c8f5e3e2415d333184adc1ac46193e632bdb2d37b119908c20692fcea81bbdc78ed62b5f540f17f7789c5fbdabbbfdd693923b999c65d8e5
-
SSDEEP
49152:iFI85xMCRmehBR8HxFjY21Tm+o1pDfZS:OB/PRCrjY21hgfZ
Malware Config
Extracted
redline
mazda
217.196.96.56:4138
-
auth_value
3d2870537d84a4c6d7aeecd002871c51
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/2840-36-0x00000000025C0000-0x00000000025DA000-memory.dmp healer behavioral1/memory/2840-38-0x0000000005260000-0x0000000005278000-memory.dmp healer behavioral1/memory/2840-66-0x0000000005260000-0x0000000005272000-memory.dmp healer behavioral1/memory/2840-64-0x0000000005260000-0x0000000005272000-memory.dmp healer behavioral1/memory/2840-62-0x0000000005260000-0x0000000005272000-memory.dmp healer behavioral1/memory/2840-60-0x0000000005260000-0x0000000005272000-memory.dmp healer behavioral1/memory/2840-58-0x0000000005260000-0x0000000005272000-memory.dmp healer behavioral1/memory/2840-56-0x0000000005260000-0x0000000005272000-memory.dmp healer behavioral1/memory/2840-54-0x0000000005260000-0x0000000005272000-memory.dmp healer behavioral1/memory/2840-52-0x0000000005260000-0x0000000005272000-memory.dmp healer behavioral1/memory/2840-50-0x0000000005260000-0x0000000005272000-memory.dmp healer behavioral1/memory/2840-48-0x0000000005260000-0x0000000005272000-memory.dmp healer behavioral1/memory/2840-46-0x0000000005260000-0x0000000005272000-memory.dmp healer behavioral1/memory/2840-44-0x0000000005260000-0x0000000005272000-memory.dmp healer behavioral1/memory/2840-42-0x0000000005260000-0x0000000005272000-memory.dmp healer behavioral1/memory/2840-40-0x0000000005260000-0x0000000005272000-memory.dmp healer behavioral1/memory/2840-39-0x0000000005260000-0x0000000005272000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a9208970.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a9208970.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a9208970.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a9208970.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a9208970.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection a9208970.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/files/0x000a000000023ba0-71.dat family_redline behavioral1/memory/4224-73-0x0000000000190000-0x00000000001C0000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 6 IoCs
pid Process 1368 v9179795.exe 5004 v4844003.exe 3056 v6289766.exe 2232 v7559900.exe 2840 a9208970.exe 4224 b1716979.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features a9208970.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" a9208970.exe -
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" v6289766.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" v7559900.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" c3946caa70c4cb0fa44dc3f2dad509df2d30a6e6635e1185865aafa63f64ce1a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" v9179795.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" v4844003.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3496 2840 WerFault.exe 90 -
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language v7559900.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a9208970.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b1716979.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c3946caa70c4cb0fa44dc3f2dad509df2d30a6e6635e1185865aafa63f64ce1a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language v9179795.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language v4844003.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language v6289766.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2840 a9208970.exe 2840 a9208970.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2840 a9208970.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 3952 wrote to memory of 1368 3952 c3946caa70c4cb0fa44dc3f2dad509df2d30a6e6635e1185865aafa63f64ce1a.exe 84 PID 3952 wrote to memory of 1368 3952 c3946caa70c4cb0fa44dc3f2dad509df2d30a6e6635e1185865aafa63f64ce1a.exe 84 PID 3952 wrote to memory of 1368 3952 c3946caa70c4cb0fa44dc3f2dad509df2d30a6e6635e1185865aafa63f64ce1a.exe 84 PID 1368 wrote to memory of 5004 1368 v9179795.exe 87 PID 1368 wrote to memory of 5004 1368 v9179795.exe 87 PID 1368 wrote to memory of 5004 1368 v9179795.exe 87 PID 5004 wrote to memory of 3056 5004 v4844003.exe 88 PID 5004 wrote to memory of 3056 5004 v4844003.exe 88 PID 5004 wrote to memory of 3056 5004 v4844003.exe 88 PID 3056 wrote to memory of 2232 3056 v6289766.exe 89 PID 3056 wrote to memory of 2232 3056 v6289766.exe 89 PID 3056 wrote to memory of 2232 3056 v6289766.exe 89 PID 2232 wrote to memory of 2840 2232 v7559900.exe 90 PID 2232 wrote to memory of 2840 2232 v7559900.exe 90 PID 2232 wrote to memory of 2840 2232 v7559900.exe 90 PID 2232 wrote to memory of 4224 2232 v7559900.exe 98 PID 2232 wrote to memory of 4224 2232 v7559900.exe 98 PID 2232 wrote to memory of 4224 2232 v7559900.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\c3946caa70c4cb0fa44dc3f2dad509df2d30a6e6635e1185865aafa63f64ce1a.exe"C:\Users\Admin\AppData\Local\Temp\c3946caa70c4cb0fa44dc3f2dad509df2d30a6e6635e1185865aafa63f64ce1a.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3952 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9179795.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9179795.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4844003.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4844003.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6289766.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6289766.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7559900.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7559900.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9208970.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9208970.exe6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2840 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 11007⤵
- Program crash
PID:3496
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1716979.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1716979.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4224
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2840 -ip 28401⤵PID:4688
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD52e207dc63ab586a55054355ff71e2fd5
SHA1f12a1fd05a41329349ba2636d263683bbbc2e214
SHA256cbd175322eca2ea83704dfc6f877b9febed7242a804ec574a7c5a11ddad73190
SHA5127b3e7990c8ae4e7509772fbe6f0538d0ce9ef453db7c69d8ebee2088140bd019a06abba17eb0310bbdc58f72218086f4b6883f022042589aec6980812c701985
-
Filesize
911KB
MD501a9c22a07a01e5cd7adf1aa065ce2d2
SHA136d0fd6777ef60d467760bab906caad001260ba3
SHA256df5caac79fae2bf1fbca8294ad5614f9ebaab661aab615d82ad71f843b43664e
SHA51201928e5b6a40add74104936c86f2f212d785e5d71bd974cc8c824c4f2134ee3b763f8d18c76338dd63dfaa91582bc2f270f279e11d84137d333740115231aa25
-
Filesize
707KB
MD543fc0f034d3b70b488e00d4a83109ce5
SHA12ae13c45aac417652a21300d438d78b099bda08e
SHA256a4fb4b3c9f0a51ba5ce23d77f0a027e015c718f9f26e0f97c13aabfdb9302b8c
SHA512cb626e53e18a59ced8644a9d3d28d7c318113fb42ef0eb8b83c83a62f892dc867ab63ad9530b7d98b2d892cfacb398faae31df5800f78ad0248afde0892b1ddc
-
Filesize
416KB
MD5e8cbfbcc12685b36f889e19a6f0085d2
SHA1d5335aa3dd7629e4a68b7bf20927bbc991535012
SHA256dc74a60bc1e607574c3cda15b0857701347495ed6e849587b7877a05378d1c74
SHA512fefdfed83b2e681384dc7f33630a0ed0622faa661e716c59269f5a712125154adabcd0cf08e75be804157c1cea55aff5617726822897f2e39f26c7339cbed293
-
Filesize
360KB
MD57d830e4021c662a95f42fd457f978239
SHA1e270069e8715ec239c3de5071fa48b747a1da121
SHA2561ef1a68ce4affda4f5ea8bd09154edbbb2bda86d8c97422eedc8dc4ee49dc7d0
SHA512afc88d885d7b6433460c008fc3d6133f530b44ecbb0eb5f60b69ed4554ba5516c9660e64d60c1f6532e30c18dc577b3e6803deec58455b65eda9eff106f24ac5
-
Filesize
168KB
MD5d5934bb399a5e0758d75f66a2871b476
SHA1ab572c7774cde8139a9d5c52aac6228479db2d42
SHA2567e7771b083fc201e7262e716826a26639e9a17936d07442fe1750041db61d581
SHA512ab7e3e74fe38950857de70290e559eea6aeebb3c4a7fe1e815bf9680efba77e8a532602b9c3c330f23ab832dda43a5cab3aba739c7f8d518d87d895c2f68bbad