Malware Analysis Report

2024-10-16 03:50

Sample ID 240507-b549ksfg79
Target 49111f64bed0ab901f9a2a7f547cba60_NEAS
SHA256 a20ea0ab1ca65283cd9159a21f6ea1d68985284bd9238692a3dd365994b2ac85
Tags
healer redline maxbi dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

a20ea0ab1ca65283cd9159a21f6ea1d68985284bd9238692a3dd365994b2ac85

Threat Level: Known bad

The file 49111f64bed0ab901f9a2a7f547cba60_NEAS was found to be: Known bad.

Malicious Activity Summary

healer redline maxbi dropper evasion infostealer persistence trojan

RedLine

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

Healer

RedLine payload

Executes dropped EXE

Windows security modification

Adds Run key to start application

Launches sc.exe

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-07 01:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-07 01:44

Reported

2024-05-07 01:47

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\49111f64bed0ab901f9a2a7f547cba60_NEAS.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a73022169.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a73022169.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a73022169.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a73022169.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a73022169.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a73022169.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a73022169.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a73022169.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\49111f64bed0ab901f9a2a7f547cba60_NEAS.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i58176064.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i91071134.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i87786345.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a73022169.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a73022169.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a73022169.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2488 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\49111f64bed0ab901f9a2a7f547cba60_NEAS.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i58176064.exe
PID 4088 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i58176064.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i91071134.exe
PID 2152 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i91071134.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i87786345.exe
PID 1228 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i87786345.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a73022169.exe
PID 1228 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i87786345.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b14563787.exe

Processes

C:\Users\Admin\AppData\Local\Temp\49111f64bed0ab901f9a2a7f547cba60_NEAS.exe

"C:\Users\Admin\AppData\Local\Temp\49111f64bed0ab901f9a2a7f547cba60_NEAS.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i58176064.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i58176064.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i91071134.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i91071134.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i87786345.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i87786345.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a73022169.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a73022169.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1848 -ip 1848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b14563787.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b14563787.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 52.111.229.43:443 tcp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 72.239.69.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i58176064.exe

MD5 e8980977e58b9fd9c13f524fd8a658d5
SHA1 40febb2c8384b6e3426d13992368d20bd66791ce
SHA256 f9348f70f20678feb7d4580f7f2fb02f7c9d7f74d2a97a237e6e69fa2720d29a
SHA512 e7e7c41aa01e310e35a3654ca23f8d7e6b3359b7b1d8e6cad3be1ff90f145d4f0f7cec065558b16d587073f16e1e9ec472b33cd8605eaaf0f2289fb240c7fd17

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i91071134.exe

MD5 6d28c016ec3bd44c24eaffbfd4f6594b
SHA1 e0be36cd101a2fbd2ffafb57df853010206f2219
SHA256 49d18927a5f28348ab021ec9d18614010944e23c2fadf6c433f0f6490fdfcd44
SHA512 dda126762aa8c98eacf65122ed652250065c02ec699d4500f712346cf98fd3f940326b2c425175ac3d0a634ba6850071ed98bf3386f6b8a6fe7de1403874eb78

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i87786345.exe

MD5 37b5d514093f0f3d0172ca0cb12b33c7
SHA1 751d92e88bbe17ffd9305b411102e7bfbdcf661c
SHA256 d2f9e82d090720f093b0e932076e70d26c8a218ba8cff3b0c0ea2bce0685dae0
SHA512 260daf462895dd942274cd348c186c99ddf21e84bc8e05ee438050f989fb105afc6284074212c5050206138ead3921b81ceca89d9d3afe1b1fa425b0082788c2

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a73022169.exe

MD5 62e9646d364ac3efb8354c701b3484e8
SHA1 78e60202c2bef0a5317d2c2f83cd89bffb9ae524
SHA256 169418cc1306e46283bdd82686d6474b9f19108980c3e414b6590ff9ddc8c9ab
SHA512 af2c9646ea81f710e79c9158d300c2107e6b95845e0412d4f0700e414665179eb188e7750855cefb6ba66492a4ca5a330b4bf7eec14a047cbd9187ea1d5c3fec

memory/1848-29-0x0000000002910000-0x000000000292A000-memory.dmp

memory/1848-30-0x00000000051D0000-0x0000000005774000-memory.dmp

memory/1848-31-0x0000000002AB0000-0x0000000002AC8000-memory.dmp

memory/1848-39-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

memory/1848-59-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

memory/1848-58-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

memory/1848-55-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

memory/1848-53-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

memory/1848-51-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

memory/1848-49-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

memory/1848-47-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

memory/1848-45-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

memory/1848-41-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

memory/1848-37-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

memory/1848-35-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

memory/1848-43-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

memory/1848-33-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

memory/1848-32-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

memory/1848-61-0x0000000000400000-0x0000000000A67000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b14563787.exe

MD5 05b6d6ba56e96207d2e4e3a48bbb6e97
SHA1 5ee840ebdc955d2e3d8d5987db8dd061daedf012
SHA256 895cd5ebc24e7d4c97774f9ffdcdcbb5699c7303646204688a7d8a526ea38551
SHA512 05e6e94bc225ab93f93479c9d609f2901662ca5ae0c166802801e880df8565972f217e00711764bd50c1f54bf4c039636e72f997fb3c727888e6540f9c92667e

memory/4560-66-0x0000000000F90000-0x0000000000FC0000-memory.dmp

memory/4560-67-0x0000000003130000-0x0000000003136000-memory.dmp

memory/4560-68-0x000000000B2B0000-0x000000000B8C8000-memory.dmp

memory/4560-69-0x000000000AE00000-0x000000000AF0A000-memory.dmp

memory/4560-70-0x000000000AD30000-0x000000000AD42000-memory.dmp

memory/4560-71-0x000000000AD90000-0x000000000ADCC000-memory.dmp

memory/4560-72-0x0000000003180000-0x00000000031CC000-memory.dmp