Malware Analysis Report

2025-01-23 07:40

Sample ID 241104-q3y24s1dkj
Target ae029f27440b439695b77423196d9f23ddf03bd5dbfc3753755c898f850c6306
SHA256 ae029f27440b439695b77423196d9f23ddf03bd5dbfc3753755c898f850c6306
Tags
healer redline boris discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

ae029f27440b439695b77423196d9f23ddf03bd5dbfc3753755c898f850c6306

Threat Level: Known bad

The file ae029f27440b439695b77423196d9f23ddf03bd5dbfc3753755c898f850c6306 was found to be: Known bad.

Malicious Activity Summary

healer redline boris discovery dropper evasion infostealer persistence trojan

RedLine payload

Redline family

Modifies Windows Defender Real-time Protection settings

RedLine

Healer family

Detects Healer an antivirus disabler dropper

Healer

Windows security modification

Executes dropped EXE

Adds Run key to start application

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 13:47

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 13:47

Reported

2024-11-04 13:50

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ae029f27440b439695b77423196d9f23ddf03bd5dbfc3753755c898f850c6306.exe"

Signatures

Detects Healer an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio1801.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\ae029f27440b439695b77423196d9f23ddf03bd5dbfc3753755c898f850c6306.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5119.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ae029f27440b439695b77423196d9f23ddf03bd5dbfc3753755c898f850c6306.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio1801.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5119.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1744 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\ae029f27440b439695b77423196d9f23ddf03bd5dbfc3753755c898f850c6306.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio1801.exe
PID 1744 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\ae029f27440b439695b77423196d9f23ddf03bd5dbfc3753755c898f850c6306.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio1801.exe
PID 1744 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\ae029f27440b439695b77423196d9f23ddf03bd5dbfc3753755c898f850c6306.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio1801.exe
PID 1564 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio1801.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe
PID 1564 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio1801.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe
PID 1564 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio1801.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe
PID 1564 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio1801.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5119.exe
PID 1564 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio1801.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5119.exe
PID 1564 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio1801.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5119.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ae029f27440b439695b77423196d9f23ddf03bd5dbfc3753755c898f850c6306.exe

"C:\Users\Admin\AppData\Local\Temp\ae029f27440b439695b77423196d9f23ddf03bd5dbfc3753755c898f850c6306.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio1801.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio1801.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3988 -ip 3988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 1088

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5119.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5119.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio1801.exe

MD5 bf7e39ec562c99d9a2fae026c086e2bf
SHA1 746bc76f915e254e3858c4a750e3584a356867c0
SHA256 da08fb395715a877394a52d18e11f88f29f220578a0ce8d8b705dc9a1c9b81bb
SHA512 0c982c79f8357e04e063a97720d151adc3319f7769a417fa2f5f66891988f3e8b19e6e1b3aa1c9ae47a6176b75b6e53bf034c0bcf404f70f6e52db0c23de8b11

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe

MD5 1b11e39d05e005c4c7618b85ba4c2856
SHA1 337db5f06d086e884e2110b72b45540ff9186359
SHA256 90a029153e9d988bc9d2e3de9483a1086d36cb92f31c20a5df412b7522deaed6
SHA512 00cbca6f8801b950d7fec64f457fd14a984ec81741a38607f13f3d628849240c979a9ff1fbf9df9e9f57cd7b56d4bc7eb60ec87d977a59b4b35742714482fc0e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5119.exe

MD5 988853f50c2c7c3c9a99f57c9c9912e9
SHA1 4507f13547ad4b55559b3e0e7eaf2200d64d0b6c
SHA256 1f712f3e564fef313b31e185a3766a4226ab6563c4ef1f0a04487f576f2b43b0
SHA512 cbb0917942862118162c14ac80a1a76ecbddc13806a068fe8d46dad8f67966a775d882db8f5e9f1809a91203a89684b21a23622353e1166c30f4408643c54bd9