Malware Analysis Report

2024-12-06 02:42

Sample ID 241110-a131aaylem
Target 5020fb4ac78166754a595b80274b8ce38d2b14165dff1a2794368dca3612805c
SHA256 5020fb4ac78166754a595b80274b8ce38d2b14165dff1a2794368dca3612805c
Tags
healer redline mango discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5020fb4ac78166754a595b80274b8ce38d2b14165dff1a2794368dca3612805c

Threat Level: Known bad

The file 5020fb4ac78166754a595b80274b8ce38d2b14165dff1a2794368dca3612805c was found to be: Known bad.

Malicious Activity Summary

healer redline mango discovery dropper evasion infostealer persistence trojan

RedLine

Redline family

Detects Healer an antivirus disabler dropper

Healer family

Modifies Windows Defender Real-time Protection settings

RedLine payload

Healer

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:41

Reported

2024-11-10 00:44

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5020fb4ac78166754a595b80274b8ce38d2b14165dff1a2794368dca3612805c.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8597jA.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8597jA.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c71zH32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c71zH32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c71zH32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8597jA.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8597jA.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8597jA.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8597jA.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c71zH32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c71zH32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c71zH32.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c71zH32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c71zH32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8597jA.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice3037.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice2106.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5020fb4ac78166754a595b80274b8ce38d2b14165dff1a2794368dca3612805c.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5020fb4ac78166754a595b80274b8ce38d2b14165dff1a2794368dca3612805c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice3037.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice2106.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c71zH32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dtTkN90.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8597jA.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c71zH32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dtTkN90.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 8 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\5020fb4ac78166754a595b80274b8ce38d2b14165dff1a2794368dca3612805c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice3037.exe
PID 8 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\5020fb4ac78166754a595b80274b8ce38d2b14165dff1a2794368dca3612805c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice3037.exe
PID 8 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\5020fb4ac78166754a595b80274b8ce38d2b14165dff1a2794368dca3612805c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice3037.exe
PID 2700 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice3037.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice2106.exe
PID 2700 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice3037.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice2106.exe
PID 2700 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice3037.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice2106.exe
PID 3232 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice2106.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8597jA.exe
PID 3232 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice2106.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8597jA.exe
PID 3232 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice2106.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c71zH32.exe
PID 3232 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice2106.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c71zH32.exe
PID 3232 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice2106.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c71zH32.exe
PID 2700 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice3037.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dtTkN90.exe
PID 2700 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice3037.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dtTkN90.exe
PID 2700 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice3037.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dtTkN90.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5020fb4ac78166754a595b80274b8ce38d2b14165dff1a2794368dca3612805c.exe

"C:\Users\Admin\AppData\Local\Temp\5020fb4ac78166754a595b80274b8ce38d2b14165dff1a2794368dca3612805c.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice3037.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice3037.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice2106.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice2106.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8597jA.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8597jA.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c71zH32.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c71zH32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1260 -ip 1260

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dtTkN90.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dtTkN90.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.28:4125 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
RU 193.233.20.28:4125 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 193.233.20.28:4125 tcp
RU 193.233.20.28:4125 tcp
RU 193.233.20.28:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice3037.exe

MD5 4690e66bf12ff6f4e1008fa73f05e00a
SHA1 747225b04df7949d8763905e91cae03349b72a2d
SHA256 c038930accf215ccd6131b7779c7138e506e313c170abb6cc20d528e306371be
SHA512 5f2db42d03181647fb97c52aa8ab8b0da9bd6e976cb217d7dd8e917b422a86e00fb11d972f3d6b06a9664c27272fa72fcf8153cac670cf2b7c280b4ff6a1c61b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice2106.exe

MD5 3a5820a8fee9833d5b486e60502677f5
SHA1 42bc63f25deae86b694bf607230909bff91f3b2d
SHA256 17080a59f7489790629c61c70fde514b70ed5cfed705da159d375e96d3b96b82
SHA512 d618d39bf9990e1554eb9876e9c13d82e74122745c88ac63a0fcbe978be8135375dce5a0666b129f057c34884e8a86300e2afa808cb4ef6384a04022a7d833c6

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8597jA.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/1668-21-0x00007FF9F5383000-0x00007FF9F5385000-memory.dmp

memory/1668-22-0x0000000000850000-0x000000000085A000-memory.dmp

memory/1668-23-0x00007FF9F5383000-0x00007FF9F5385000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c71zH32.exe

MD5 ff1800b6e8f9a60395425226a5a76d1c
SHA1 0872a5e7a2c25b60df6b1ccceb39d472658ad502
SHA256 4fe41b77721fb7a0794c189fa93ad03ad938a6085c77914a0f174b5bc4129ee1
SHA512 27585f4743067bc1bfc2dfe048f01779fe10595a52545d6b90e60b67a9fbb0aeb97e75941f4ccd705ba58a96cccc4b00af8c1f3d4d4b5fa8591f62560311911a

memory/1260-29-0x00000000048D0000-0x00000000048EA000-memory.dmp

memory/1260-30-0x0000000007190000-0x0000000007734000-memory.dmp

memory/1260-31-0x0000000004A30000-0x0000000004A48000-memory.dmp

memory/1260-57-0x0000000004A30000-0x0000000004A42000-memory.dmp

memory/1260-55-0x0000000004A30000-0x0000000004A42000-memory.dmp

memory/1260-53-0x0000000004A30000-0x0000000004A42000-memory.dmp

memory/1260-51-0x0000000004A30000-0x0000000004A42000-memory.dmp

memory/1260-49-0x0000000004A30000-0x0000000004A42000-memory.dmp

memory/1260-47-0x0000000004A30000-0x0000000004A42000-memory.dmp

memory/1260-45-0x0000000004A30000-0x0000000004A42000-memory.dmp

memory/1260-43-0x0000000004A30000-0x0000000004A42000-memory.dmp

memory/1260-41-0x0000000004A30000-0x0000000004A42000-memory.dmp

memory/1260-39-0x0000000004A30000-0x0000000004A42000-memory.dmp

memory/1260-37-0x0000000004A30000-0x0000000004A42000-memory.dmp

memory/1260-35-0x0000000004A30000-0x0000000004A42000-memory.dmp

memory/1260-33-0x0000000004A30000-0x0000000004A42000-memory.dmp

memory/1260-59-0x0000000004A30000-0x0000000004A42000-memory.dmp

memory/1260-32-0x0000000004A30000-0x0000000004A42000-memory.dmp

memory/1260-61-0x0000000000400000-0x0000000002B1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dtTkN90.exe

MD5 acf946990cce268bab83e423eba360f4
SHA1 0d3bdccf0182f0807380473466d5b6b60f193904
SHA256 17cd8db80e084509a543f7ec21399d4f9cf9c8906d6890a3db4da80854bf8d27
SHA512 aed8bd98b0f033d724091419548880c463be734886c8a5e0b8065a66060b350783221049475d0fad4999425d03b8dcc889e7fbff7b9fd3b1575f1745f3e7f4f1

memory/1816-67-0x0000000004A60000-0x0000000004AA6000-memory.dmp

memory/1816-68-0x0000000007120000-0x0000000007164000-memory.dmp

memory/1816-92-0x0000000007120000-0x000000000715E000-memory.dmp

memory/1816-102-0x0000000007120000-0x000000000715E000-memory.dmp

memory/1816-100-0x0000000007120000-0x000000000715E000-memory.dmp

memory/1816-98-0x0000000007120000-0x000000000715E000-memory.dmp

memory/1816-96-0x0000000007120000-0x000000000715E000-memory.dmp

memory/1816-94-0x0000000007120000-0x000000000715E000-memory.dmp

memory/1816-90-0x0000000007120000-0x000000000715E000-memory.dmp

memory/1816-88-0x0000000007120000-0x000000000715E000-memory.dmp

memory/1816-86-0x0000000007120000-0x000000000715E000-memory.dmp

memory/1816-84-0x0000000007120000-0x000000000715E000-memory.dmp

memory/1816-82-0x0000000007120000-0x000000000715E000-memory.dmp

memory/1816-80-0x0000000007120000-0x000000000715E000-memory.dmp

memory/1816-78-0x0000000007120000-0x000000000715E000-memory.dmp

memory/1816-76-0x0000000007120000-0x000000000715E000-memory.dmp

memory/1816-74-0x0000000007120000-0x000000000715E000-memory.dmp

memory/1816-72-0x0000000007120000-0x000000000715E000-memory.dmp

memory/1816-70-0x0000000007120000-0x000000000715E000-memory.dmp

memory/1816-69-0x0000000007120000-0x000000000715E000-memory.dmp

memory/1816-975-0x0000000007860000-0x0000000007E78000-memory.dmp

memory/1816-976-0x0000000007F00000-0x000000000800A000-memory.dmp

memory/1816-977-0x0000000008040000-0x0000000008052000-memory.dmp

memory/1816-978-0x0000000008060000-0x000000000809C000-memory.dmp

memory/1816-979-0x00000000081B0000-0x00000000081FC000-memory.dmp