Malware Analysis Report

2024-10-16 03:42

Sample ID 240507-b99pvsga97
Target d7fc0af08c7889254cdf65ba417997f9d7d84c8c0c78665c4165c55cc6865844
SHA256 d7fc0af08c7889254cdf65ba417997f9d7d84c8c0c78665c4165c55cc6865844
Tags
healer redline dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d7fc0af08c7889254cdf65ba417997f9d7d84c8c0c78665c4165c55cc6865844

Threat Level: Known bad

Malicious Activity Summary

healer redline dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

Healer

RedLine payload

RedLine

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Detects executables packed with ConfuserEx Mod

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-07 01:51

Signatures

Unsigned PE

(1 match; no indicator, process or target recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-07 01:51

Reported

2024-05-07 01:54

Platform

win10v2004-20240419-en

Max time kernel

148s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d7fc0af08c7889254cdf65ba417997f9d7d84c8c0c78665c4165c55cc6865844.exe"

Signatures

Detects Healer an antivirus disabler dropper

(17 matches; no indicator, process or target recorded)

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1735670.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"

RedLine

infostealer redline

RedLine payload

(2 matches; no indicator, process or target recorded)

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

(17 matches; no indicator, process or target recorded)

Detects executables packed with ConfuserEx Mod

(2 matches; no indicator, process or target recorded)

Windows security modification

evasion trojan
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1735670.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"

The report records these writes as attempted by the process; it does not show whether Defender honoured them. On a host with Tamper Protection enabled, Defender does not accept direct registry changes to its real-time protection settings or to this TamperProtection value, so the AV-disabling stage should not be assumed effective outside the sandbox.
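One way to turn the registry rows in this table and in the Real-Time Protection table above into detection logic, as an added example that is not part of the sandbox report: the rows are transcribed from the report, plus one constructed control row that re-enables monitoring and must not fire. The row grammar, the table of disabling values and the shape of detect()'s output are this example's own assumptions, not the sandbox's logic.

```python
"""Flag registry writes that turn Microsoft Defender features off.

Added example, not part of the sandbox report. SAMPLE_ROWS are transcribed
from the report's registry tables plus one constructed control row; the row
grammar, the value table and the output of detect() are this example's own
assumptions, not the sandbox's logic.
"""
import re

# One report row: "<op> <key[\value]> [= "<data>"] <process> N/A".
# The key may contain spaces, so it is matched lazily up to the data or the
# process column; the data is matched greedily so embedded \" survive.
ROW = re.compile(
    r'^(?P<op>Set value \((?:int|str)\)|Key created) '
    r'(?P<path>\\REGISTRY\\.*?)(?: = "(?P<data>.*)")? (?P<proc>\S+) N/A$'
)

# Everything after "...\Microsoft\Windows Defender\", for both the Policies
# hive and the product hive, in either the native or the WOW6432Node view.
DEFENDER_TAIL = re.compile(r"\\Microsoft\\Windows Defender\\(.+)$", re.IGNORECASE)

# Value (lower-cased, relative to the Defender key) -> data that disables it.
# All of these map to ATT&CK T1562.001 (Impair Defenses: Disable or Modify Tools).
DISABLING_VALUES = {
    r"real-time protection\disablerealtimemonitoring": "1",
    r"real-time protection\disablebehaviormonitoring": "1",
    r"real-time protection\disableonaccessprotection": "1",
    r"real-time protection\disableioavprotection": "1",
    r"real-time protection\disablescanonrealtimeenable": "1",
    r"features\tamperprotection": "0",
}

SAMPLE_ROWS = [
    # transcribed from the report (process k1735670.exe)
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1735670.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1735670.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1735670.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1735670.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1735670.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1735670.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1735670.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1735670.exe N/A',
    # transcribed from the report (wextract cleanup entry, not a Defender key)
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\d7fc0af08c7889254cdf65ba417997f9d7d84c8c0c78665c4165c55cc6865844.exe N/A',
    # constructed control row: re-enabling monitoring must not fire
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" C:\Users\Admin\Desktop\control.exe N/A',
]


def parse_row(line):
    """Return dict(op, path, data, proc) or None if the line is not a report row."""
    m = ROW.match(line)
    return m.groupdict() if m else None


def classify(row):
    """Return the lower-cased Defender value name if the write disables a feature, else None."""
    if row is None or not row["op"].startswith("Set value"):
        return None
    m = DEFENDER_TAIL.search(row["path"])
    if not m:
        return None
    tail = m.group(1).lower()
    if DISABLING_VALUES.get(tail) == (row["data"] or ""):
        return tail
    return None


def detect(lines):
    """Map each offending process image to the Defender values it disabled, in order."""
    hits = {}
    for line in lines:
        row = parse_row(line)
        tail = classify(row)
        if tail:
            hits.setdefault(row["proc"], []).append(tail)
    return hits


if __name__ == "__main__":
    for proc, values in detect(SAMPLE_ROWS).items():
        print(proc)
        for v in values:
            print("   disabled:", v)
```

The key table deliberately ignores the hive prefix, so a write to the Policies hive, the product hive, or the WOW6432Node view of either is treated the same; a sandbox row that only creates the key, or that sets a value back to its protective default, produces no hit.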

Adds Run key to start application

persistence
Process: C:\Users\Admin\AppData\Local\Temp\d7fc0af08c7889254cdf65ba417997f9d7d84c8c0c78665c4165c55cc6865844.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1976558.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""

Caveat: wextract_cleanup<N> RunOnce values that call advpack.dll,DelNodeRunDLL32 on an IXP<N>.TMP folder are written by the Windows self-extractor (wextract, the IExpress package runtime) to delete its own working directory at the next logon. Here they show that the submitted sample and y1976558.exe are nested self-extracting packages; they do not start the payload again, so this signature is weak evidence of persistence for this sample. No other persistence mechanism is recorded in this detonation.

Suspicious behavior: EnumeratesProcesses

Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1735670.exe (2 events; no indicator or target recorded)

Suspicious use of AdjustPrivilegeToken

Token: SeDebugPrivilege  Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1735670.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3016 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\d7fc0af08c7889254cdf65ba417997f9d7d84c8c0c78665c4165c55cc6865844.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1976558.exe
PID 3016 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\d7fc0af08c7889254cdf65ba417997f9d7d84c8c0c78665c4165c55cc6865844.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1976558.exe
PID 3016 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\d7fc0af08c7889254cdf65ba417997f9d7d84c8c0c78665c4165c55cc6865844.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1976558.exe
PID 4092 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1976558.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1735670.exe
PID 4092 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1976558.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1735670.exe
PID 4092 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1976558.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1735670.exe
PID 4092 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1976558.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5217824.exe
PID 4092 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1976558.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5217824.exe
PID 4092 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1976558.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5217824.exe
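The rows above are enough to rebuild the drop chain. The following is an added example, not the sandbox's own code: it parses the rows, collapses the repeated rows to one edge per parent/child pair, and attaches the SHA256 from the Files section to each stage. WPM_ROWS and FILE_SHA256 are transcribed from this report; the row grammar, the de-duplication and the rendering are this example's own assumptions.

```python
"""Rebuild the drop chain from the WriteProcessMemory rows above.

Added example, not part of the sandbox report. WPM_ROWS and FILE_SHA256 are
transcribed from this report; the row grammar, the de-duplication and the
rendering are this example's own assumptions.
"""
import re

WPM = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

WPM_ROWS = [  # the sandbox emitted three identical rows per parent/child pair
    r"PID 3016 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\d7fc0af08c7889254cdf65ba417997f9d7d84c8c0c78665c4165c55cc6865844.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1976558.exe",
] * 3 + [
    r"PID 4092 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1976558.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1735670.exe",
] * 3 + [
    r"PID 4092 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1976558.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5217824.exe",
] * 3

FILE_SHA256 = {  # Files section plus the submitted sample itself
    "d7fc0af08c7889254cdf65ba417997f9d7d84c8c0c78665c4165c55cc6865844.exe":
        "d7fc0af08c7889254cdf65ba417997f9d7d84c8c0c78665c4165c55cc6865844",
    "y1976558.exe": "05a1128c35808cf04a3552b238bfc7e0cf1b531695cda5a05b2b26d965e906e2",
    "k1735670.exe": "9ad5deeafca80f6bfacfb2290d072b3c8f00e819e295a42e0fb989b0b2edacac",
    "l5217824.exe": "05c7f7137651ae6586b92f59e3391c5775a3d28175ac83e89be55843d1c35a1e",
}


def basename(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def build_tree(rows):
    """children: pid -> unique child pids in first-seen order; images: pid -> image path."""
    children, images = {}, {}
    for line in rows:
        m = WPM.match(line)
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        images.setdefault(src, m["src_img"])
        images.setdefault(dst, m["dst_img"])
        kids = children.setdefault(src, [])
        if dst not in kids:  # collapse the repeated rows to one edge
            kids.append(dst)
    return children, images


def roots(children):
    """Processes that wrote to others but were never written to."""
    targets = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in targets]


def stages(children, images, hashes, pid):
    """Depth-first (pid, image basename, sha256 or None) for pid and its descendants."""
    name = basename(images[pid])
    out = [(pid, name, hashes.get(name))]
    for kid in children.get(pid, []):
        out.extend(stages(children, images, hashes, kid))
    return out


def render(children, images, pid, depth=0):
    """Indented, one line per process."""
    lines = ["  " * depth + f"{pid} {basename(images[pid])}"]
    for kid in children.get(pid, []):
        lines.extend(render(children, images, kid, depth + 1))
    return lines


def chain_depth(children, pid):
    """Number of unpack stages below pid (0 for a leaf)."""
    kids = children.get(pid, [])
    return 0 if not kids else 1 + max(chain_depth(children, k) for k in kids)


if __name__ == "__main__":
    ch, im = build_tree(WPM_ROWS)
    for root in roots(ch):
        print("\n".join(render(ch, im, root)))
        for pid, name, sha in stages(ch, im, FILE_SHA256, root):
            print(f"{pid:>5}  {name}  {sha}")
```

The result is a two-level chain: the submitted sample unpacks y1976558.exe, which in turn unpacks k1735670.exe (the process that performs the Defender writes above) and l5217824.exe. The report attributes the RedLine YARA hit to no process, so the code attaches hashes only, not family labels.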

Processes

C:\Users\Admin\AppData\Local\Temp\d7fc0af08c7889254cdf65ba417997f9d7d84c8c0c78665c4165c55cc6865844.exe

"C:\Users\Admin\AppData\Local\Temp\d7fc0af08c7889254cdf65ba417997f9d7d84c8c0c78665c4165c55cc6865844.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1976558.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1976558.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1735670.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1735670.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5217824.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5217824.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
FI 77.91.124.251:19069 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
FI 77.91.124.251:19069 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
FI 77.91.124.251:19069 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
FI 77.91.124.251:19069 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
FI 77.91.124.251:19069 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
FI 77.91.124.251:19069 tcp
FI 77.91.124.251:19069 tcp
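The table mixes resolver activity, named web endpoints and one peer that has no hostname at all. The following added example (not the sandbox's code) buckets the rows so that the raw IP:port TCP peer stands out; NET_ROWS are transcribed from the table above, while the bucketing rules and the treatment of a bare IP:port over TCP as a C2 candidate to verify are this example's own assumptions. The report does not attribute connections to processes, so neither does the code.

```python
"""Triage the Network table: resolver noise and named web endpoints on one
side, the raw TCP peer with no hostname on the other.

Added example, not part of the sandbox report. NET_ROWS are transcribed from
the table above; the buckets and the "bare IP:port over TCP is a C2
candidate to verify" rule are this example's own assumptions.
"""
from collections import Counter

NET_ROWS = [
    "US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp",
    "US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp",
    "US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp",
    "US 8.8.8.8:53 g.bing.com udp",
    "US 204.79.197.237:443 g.bing.com tcp",
    "US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp",
    "NL 23.62.61.97:443 www.bing.com tcp",
    "US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp",
    "US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp",
    "US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp",
    "FI 77.91.124.251:19069 tcp",
    "US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp",
    "US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp",
    "FI 77.91.124.251:19069 tcp",
    "US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp",
    "US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp",
    "FI 77.91.124.251:19069 tcp",
    "US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp",
    "US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp",
    "FI 77.91.124.251:19069 tcp",
    "US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp",
    "FI 77.91.124.251:19069 tcp",
    "US 8.8.8.8:53 tse1.mm.bing.net udp",
    "US 204.79.197.200:443 tse1.mm.bing.net tcp",
    "US 204.79.197.200:443 tse1.mm.bing.net tcp",
    "US 204.79.197.200:443 tse1.mm.bing.net tcp",
    "US 204.79.197.200:443 tse1.mm.bing.net tcp",
    "US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp",
    "FI 77.91.124.251:19069 tcp",
    "FI 77.91.124.251:19069 tcp",
]


def parse_net(line):
    """'<CC> <ip:port> [<domain>] <proto>' -> dict, or None if malformed."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        (country, dest, proto), domain = parts, ""
    else:
        return None
    ip, _, port = dest.rpartition(":")
    if not port.isdigit():
        return None
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def triage(lines):
    """Bucket rows; each bucket is a Counter of key -> number of rows."""
    b = {"ptr_lookups": Counter(), "dns_queries": Counter(),
         "named_tcp": Counter(), "bare_ip_tcp": Counter()}
    for line in lines:
        r = parse_net(line)
        if r is None:
            continue
        ep = f"{r['ip']}:{r['port']}"
        if r["proto"] == "udp" and r["port"] == 53:
            # PTR lookups of addresses already seen are resolver activity, not peers
            key = "ptr_lookups" if r["domain"].endswith(".in-addr.arpa") else "dns_queries"
            b[key][r["domain"]] += 1
        elif r["proto"] == "tcp" and r["domain"]:
            b["named_tcp"][(r["domain"], ep)] += 1
        elif r["proto"] == "tcp":
            b["bare_ip_tcp"][(r["country"], ep)] += 1
    return b


def c2_candidates(b):
    """(ip:port, country, connection count), most connections first."""
    return [(ep, cc, n) for (cc, ep), n in b["bare_ip_tcp"].most_common()]


if __name__ == "__main__":
    buckets = triage(NET_ROWS)
    for name, counter in buckets.items():
        print(f"{name}: {sum(counter.values())} rows, {len(counter)} distinct")
    for ep, cc, n in c2_candidates(buckets):
        print(f"verify as C2: {ep} ({cc}), {n} connections")
```

On this table the only bare-IP TCP peer is 77.91.124.251:19069 in Finland, contacted seven times over the 148-second run; the bing.com endpoints all have hostnames and the remaining rows are PTR lookups through 8.8.8.8. That makes 77.91.124.251:19069 the indicator to pivot on, subject to confirming it against the unpacked RedLine configuration rather than the sandbox traffic alone.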

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1976558.exe

MD5 43b84af92c8494c5f900585fe2e09764
SHA1 2e5627c40ccc8de56e387ca7f44b2a6d178d5a51
SHA256 05a1128c35808cf04a3552b238bfc7e0cf1b531695cda5a05b2b26d965e906e2
SHA512 887345cd70236ef96bc6dbc648c5f345d1297a7bd37131defd32f00af7fa055785f392e138799527eb608f6016f14caf781bf953a6a6efbb42a2a20a6b4b9160

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1735670.exe

MD5 e49886750e95b2674393077cf2ee9b0a
SHA1 dc81ee1850826dfedd36382d1b5a5bf913e1a986
SHA256 9ad5deeafca80f6bfacfb2290d072b3c8f00e819e295a42e0fb989b0b2edacac
SHA512 65c5099fb31e8ff4ffeac09440f2e434e3804e142d440e54ae0052a33e5a116b4fb56c40c4184c7206cf854b8345529bccf94333cf00b551371d55445bf1e2fb

memory/4440-14-0x0000000073D7E000-0x0000000073D7F000-memory.dmp

memory/4440-15-0x0000000002150000-0x000000000216A000-memory.dmp

memory/4440-17-0x0000000004BA0000-0x0000000005144000-memory.dmp

memory/4440-16-0x0000000073D70000-0x0000000074520000-memory.dmp

memory/4440-18-0x0000000002420000-0x0000000002438000-memory.dmp

memory/4440-36-0x0000000002420000-0x0000000002432000-memory.dmp

memory/4440-45-0x0000000002420000-0x0000000002432000-memory.dmp

memory/4440-42-0x0000000002420000-0x0000000002432000-memory.dmp

memory/4440-40-0x0000000002420000-0x0000000002432000-memory.dmp

memory/4440-38-0x0000000002420000-0x0000000002432000-memory.dmp

memory/4440-32-0x0000000002420000-0x0000000002432000-memory.dmp

memory/4440-30-0x0000000002420000-0x0000000002432000-memory.dmp

memory/4440-26-0x0000000002420000-0x0000000002432000-memory.dmp

memory/4440-24-0x0000000002420000-0x0000000002432000-memory.dmp

memory/4440-22-0x0000000002420000-0x0000000002432000-memory.dmp

memory/4440-20-0x0000000002420000-0x0000000002432000-memory.dmp

memory/4440-34-0x0000000002420000-0x0000000002432000-memory.dmp

memory/4440-28-0x0000000002420000-0x0000000002432000-memory.dmp

memory/4440-19-0x0000000002420000-0x0000000002432000-memory.dmp

memory/4440-47-0x0000000073D70000-0x0000000074520000-memory.dmp

memory/4440-46-0x0000000002420000-0x0000000002432000-memory.dmp

memory/4440-48-0x0000000073D70000-0x0000000074520000-memory.dmp

memory/4440-50-0x0000000073D70000-0x0000000074520000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5217824.exe

MD5 710515fb2c667ad83d8b3547e921f712
SHA1 085d65dc42e2b7baa04caf2206f2e9ede48b2591
SHA256 05c7f7137651ae6586b92f59e3391c5775a3d28175ac83e89be55843d1c35a1e
SHA512 db8f4e21c85715274c9c61a22c638d39d25c098d4921a32c68d9a8cacacf600fcd217a552e12ee074d3ff5f177572c6b4ee10a3592075c0c44bfa58007c70566

memory/2440-54-0x00000000007B0000-0x00000000007D8000-memory.dmp

memory/2440-55-0x0000000007A70000-0x0000000008088000-memory.dmp

memory/2440-56-0x00000000074D0000-0x00000000074E2000-memory.dmp

memory/2440-57-0x0000000007640000-0x000000000774A000-memory.dmp

memory/2440-58-0x0000000007570000-0x00000000075AC000-memory.dmp

memory/2440-59-0x00000000075B0000-0x00000000075FC000-memory.dmp