Malware Analysis Report

2024-10-16 03:50

Sample ID 240501-1z831shb6t
Target 5b184b535b6cb3f4996dfd2752b6dc2b5ae1adc30eee035e72b6a960323ff1ff
SHA256 5b184b535b6cb3f4996dfd2752b6dc2b5ae1adc30eee035e72b6a960323ff1ff
Tags
healer redline dark dropper evasion infostealer persistence trojan
score
10/10


Analysis Overview

Threat Level: Known bad

The file 5b184b535b6cb3f4996dfd2752b6dc2b5ae1adc30eee035e72b6a960323ff1ff was found to be: Known bad.

Malicious Activity Summary

healer redline dark dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Healer

Detects Healer, an antivirus disabler dropper

RedLine

RedLine payload

Detects executables packed with ConfuserEx Mod

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-01 22:06

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-05-01 22:06

Reported

2024-05-01 22:09

Platform

win10v2004-20240426-en

Max time kernel

138s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5b184b535b6cb3f4996dfd2752b6dc2b5ae1adc30eee035e72b6a960323ff1ff.exe"

Signatures

Detects Healer, an antivirus disabler dropper


Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Temp\1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Temp\1.exe N/A

RedLine

infostealer redline

RedLine payload


Detects executables embedding registry key / value combination indicative of disabling Windows Defender features


Detects executables packed with ConfuserEx Mod


Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94600487.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Windows\Temp\1.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5b184b535b6cb3f4996dfd2752b6dc2b5ae1adc30eee035e72b6a960323ff1ff.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st399543.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Temp\1.exe N/A
N/A N/A C:\Windows\Temp\1.exe N/A
N/A N/A C:\Windows\Temp\1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94600487.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp746910.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4848 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\5b184b535b6cb3f4996dfd2752b6dc2b5ae1adc30eee035e72b6a960323ff1ff.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st399543.exe
PID 4848 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\5b184b535b6cb3f4996dfd2752b6dc2b5ae1adc30eee035e72b6a960323ff1ff.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st399543.exe
PID 4848 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\5b184b535b6cb3f4996dfd2752b6dc2b5ae1adc30eee035e72b6a960323ff1ff.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st399543.exe
PID 2956 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st399543.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94600487.exe
PID 2956 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st399543.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94600487.exe
PID 2956 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st399543.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94600487.exe
PID 2648 wrote to memory of 5260 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94600487.exe C:\Windows\Temp\1.exe
PID 2648 wrote to memory of 5260 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94600487.exe C:\Windows\Temp\1.exe
PID 2956 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st399543.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp746910.exe
PID 2956 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st399543.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp746910.exe
PID 2956 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st399543.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp746910.exe
PID 4848 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\5b184b535b6cb3f4996dfd2752b6dc2b5ae1adc30eee035e72b6a960323ff1ff.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr652360.exe
PID 4848 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\5b184b535b6cb3f4996dfd2752b6dc2b5ae1adc30eee035e72b6a960323ff1ff.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr652360.exe
PID 4848 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\5b184b535b6cb3f4996dfd2752b6dc2b5ae1adc30eee035e72b6a960323ff1ff.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr652360.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5b184b535b6cb3f4996dfd2752b6dc2b5ae1adc30eee035e72b6a960323ff1ff.exe

"C:\Users\Admin\AppData\Local\Temp\5b184b535b6cb3f4996dfd2752b6dc2b5ae1adc30eee035e72b6a960323ff1ff.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st399543.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st399543.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94600487.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94600487.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp746910.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp746910.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5072 -ip 5072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 1260

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr652360.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr652360.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st399543.exe

MD5 b4739ea60f15eb6ba8fbdc5eac898bcb
SHA1 fdb92d0e62090b4905aceaee3d0223381d16bf82
SHA256 1e76796e3f059435c6cc911c09ff4b9d344408967840a3f09e5f902feb660fa5
SHA512 76bde1021618cb750d07383bfe4c36eaeb7915d55bd6a99a5527d2d185d276b2f51613f0cd0211f879e3c915b20fdead0a933a004becb25d018c3e9f58ccdc40

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94600487.exe

MD5 a6e57af537e534299bc6a62830929d27
SHA1 dba2d850a6ac1dfbfd65c270342482bd47d5697d
SHA256 7f1beab773fb86c553330b4b9ddefc47d946d1c18ffde4318ea8ceeeeeaee9a2
SHA512 dbd565c08178aae2da49abcc5e2388ef06be7d8f445ab9ce4659f58e666ee10cc80b386a1d67381b2db13ec0bbc97a86db780f0ac9e54bca27881885c5bb553c

C:\Windows\Temp\1.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp746910.exe

MD5 6a3d723b02bf5ff554f5bb99bdc9bfcb
SHA1 47ae2a203e2e41e17d078fe0d766570c1e30e65b
SHA256 ace2eb0e8f4dc0cef1f2307217222cd2db5acd060d565dc773e0b61a89b72c79
SHA512 5cb7419958b61168a7a4f3e8763a35af040b756aee8b4f9ec783ec24152bd35120cbec5d950342d5bce1d147343cef4a23cff635877514fc7c54039b7fdfef92

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr652360.exe

MD5 16cf18c8ef1d4be89b36e27c8fb88e9d
SHA1 7811ba84f75a1adc6d995c2c1121ec996d1cc003
SHA256 116156cc3af0bf4d81d9b2fba83c569cf9f4c9055b9c9cd5731538de036417e8
SHA512 4cb9e29db63d28c802c7c1799fd53e00b5facdc0b63d08b76d619c7a9be6cc06f11c0d435ad035bf3f9c3c96687e03e5157ae2ce7494a621c0762bc8083d9fbd
