Malware Analysis Report

2024-10-16 03:40

Sample ID: 240910-cd967a1gqk
Target: c52d2523c4d8fa5e1812fa3a324c2c47c1309830b0de0bfa27c81d12735f1f5e
SHA256: c52d2523c4d8fa5e1812fa3a324c2c47c1309830b0de0bfa27c81d12735f1f5e
Tags: healer, redline, jokes, discovery, dropper, evasion, infostealer, persistence, trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: c52d2523c4d8fa5e1812fa3a324c2c47c1309830b0de0bfa27c81d12735f1f5e

Threat Level: Known bad

The file c52d2523c4d8fa5e1812fa3a324c2c47c1309830b0de0bfa27c81d12735f1f5e was found to be: Known bad.

Malicious Activity Summary

Tags: healer, redline, jokes, discovery, dropper, evasion, infostealer, persistence, trojan

Detects Healer an antivirus disabler dropper

RedLine payload

Healer

RedLine

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported: 2024-09-10 01:58

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-09-10 01:58

Reported: 2024-09-10 02:01

Platform: win10v2004-20240802-en

Max time kernel: 132s

Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c52d2523c4d8fa5e1812fa3a324c2c47c1309830b0de0bfa27c81d12735f1f5e.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Healer

Tags: dropper, healer

Modifies Windows Defender Real-time Protection settings

Tags: evasion, trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

RedLine

Tags: infostealer, redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0445814.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3674997.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\c52d2523c4d8fa5e1812fa3a324c2c47c1309830b0de0bfa27c81d12735f1f5e.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1552 set thread context of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4993876.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2665851.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c52d2523c4d8fa5e1812fa3a324c2c47c1309830b0de0bfa27c81d12735f1f5e.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0445814.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3674997.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4993876.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2172 wrote to memory of 1376 | N/A | C:\Users\Admin\AppData\Local\Temp\c52d2523c4d8fa5e1812fa3a324c2c47c1309830b0de0bfa27c81d12735f1f5e.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0445814.exe
PID 2172 wrote to memory of 1376 | N/A | C:\Users\Admin\AppData\Local\Temp\c52d2523c4d8fa5e1812fa3a324c2c47c1309830b0de0bfa27c81d12735f1f5e.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0445814.exe
PID 2172 wrote to memory of 1376 | N/A | C:\Users\Admin\AppData\Local\Temp\c52d2523c4d8fa5e1812fa3a324c2c47c1309830b0de0bfa27c81d12735f1f5e.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0445814.exe
PID 1376 wrote to memory of 3340 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0445814.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3674997.exe
PID 1376 wrote to memory of 3340 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0445814.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3674997.exe
PID 1376 wrote to memory of 3340 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0445814.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3674997.exe
PID 3340 wrote to memory of 1552 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3674997.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4993876.exe
PID 3340 wrote to memory of 1552 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3674997.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4993876.exe
PID 3340 wrote to memory of 1552 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3674997.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4993876.exe
PID 1552 wrote to memory of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4993876.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1552 wrote to memory of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4993876.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1552 wrote to memory of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4993876.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1552 wrote to memory of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4993876.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1552 wrote to memory of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4993876.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1552 wrote to memory of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4993876.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1552 wrote to memory of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4993876.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1552 wrote to memory of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4993876.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3340 wrote to memory of 3276 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3674997.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2665851.exe
PID 3340 wrote to memory of 3276 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3674997.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2665851.exe
PID 3340 wrote to memory of 3276 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3674997.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2665851.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c52d2523c4d8fa5e1812fa3a324c2c47c1309830b0de0bfa27c81d12735f1f5e.exe

"C:\Users\Admin\AppData\Local\Temp\c52d2523c4d8fa5e1812fa3a324c2c47c1309830b0de0bfa27c81d12735f1f5e.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0445814.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0445814.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3674997.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3674997.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4993876.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4993876.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1552 -ip 1552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 556

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2665851.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2665851.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
FI | 77.91.124.82:19071 | | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
FI | 77.91.124.82:19071 | | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
FI | 77.91.124.82:19071 | | tcp
FI | 77.91.124.82:19071 | | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
FI | 77.91.124.82:19071 | | tcp
FI | 77.91.124.82:19071 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0445814.exe

MD5 c883f1794c26a640e7783945cf9a70dc
SHA1 14947c49dec62bf7327686c4ac087575c8ef4c9c
SHA256 69c0c74540a2570612b2eada0206ffc1fcd15497f442af1052a23089784116e9
SHA512 7a0561d41973670cb5757398f13f9b43a67b580e6f5aabe91983dc19810b3b71f893e5e15f92ad0db2b97cde65ff5646ac89ecf11a542be7a0f913148bc82fd1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3674997.exe

MD5 34fba452172a3c3a08014ddc3484c3de
SHA1 9943da1b5187826a544098f316b7fb00c841a27e
SHA256 9ba1e4660ee0dda0b84c2077255ad7a8c89ef86a7d21c0266aa7b687573cef0c
SHA512 b213f0a26ca89ddd24561a03c0d6666d091ba4b7aa2f6d949abba4273f396c3a3c9724a7f4e9a55ee0eb3a6a961aaa20af6df5b36caecb27f0321a898f3637b6

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4993876.exe

MD5 0c669a789359ac3d23e87bc5b5d59f0d
SHA1 37e376c8dfae4aaa9f0d6d88ff761b7cde905a27
SHA256 6c8544ba231d33218273548e6f1765fdd9308e6e5c44ef21b8d908f204e9a416
SHA512 1698424393e6c1af17f5bc9e2cbc5ccec82e5a9ed1118a51527a8f2b662e8d7d356e0e0125846c5c0464df72ed02c73d5556d9d859b7d9812f2ebe420e89d8c9

memory/4664-21-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2665851.exe

MD5 4635233db0644c10d38844281931bd18
SHA1 d3f57625536422c96564abc7337f133c81eee7ce
SHA256 ddfb26ceb548d7fe801c0778ec21dd467202539586d69d1436d4b34e119d4cae
SHA512 d2fd45fef06b74a5d070c9925197bbd236ea4a09fff2f1347a09a3a572a398c8429c9d7fe2740b5252a429f6dfd2facf8c5db1c4bda59da928fe06e4d4bdb1f8

memory/3276-25-0x00000000004F0000-0x0000000000520000-memory.dmp

memory/3276-26-0x0000000002650000-0x0000000002656000-memory.dmp

memory/3276-27-0x00000000054F0000-0x0000000005B08000-memory.dmp

memory/3276-28-0x0000000004FE0000-0x00000000050EA000-memory.dmp

memory/3276-29-0x0000000004D70000-0x0000000004D82000-memory.dmp

memory/3276-30-0x0000000004F10000-0x0000000004F4C000-memory.dmp

memory/3276-31-0x0000000004F50000-0x0000000004F9C000-memory.dmp