Malware Analysis Report

2024-12-06 02:42

Sample ID 241110-a1psnaylej
Target 984f8e6c7ad7ac4c89d98cd6946b5630369246a738492e160377a40b6780afca
SHA256 984f8e6c7ad7ac4c89d98cd6946b5630369246a738492e160377a40b6780afca
Tags
healer redline rumfa discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

984f8e6c7ad7ac4c89d98cd6946b5630369246a738492e160377a40b6780afca

Threat Level: Known bad

The file 984f8e6c7ad7ac4c89d98cd6946b5630369246a738492e160377a40b6780afca was found to be: Known bad.

Execution chain (from the behavioral1 detonation below): the submitted executable is a nested self-extracting package. Each wrapper layer extracts the next one into %TEMP%\IXP00N.TMP (IXP000 through IXP004, five layers) and starts it; the innermost layer starts two final-stage binaries, bucI62hj56.exe and caNf14GV61.exe. bucI62hj56.exe is the process that turns off Windows Defender real-time protection and tamper protection through the registry (the Healer signature). caNf14GV61.exe (PID 4672) is the process whose memory was repeatedly dumped. The RedLine payload signature fired 35 times but is not attributed to a process in this report, and the six TCP sessions to 193.233.20.24:4123 in the Network section are likewise not attributed to a process.

Malicious Activity Summary

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Healer

Redline family

RedLine payload

RedLine

Modifies Windows Defender Real-time Protection settings

Healer family

Detects Healer, an antivirus disabler dropper

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:40

Reported

2024-11-10 00:43

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\984f8e6c7ad7ac4c89d98cd6946b5630369246a738492e160377a40b6780afca.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
2 matches; no description, indicator, process or target reported (N/A)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bucI62hj56.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bucI62hj56.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bucI62hj56.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bucI62hj56.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bucI62hj56.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bucI62hj56.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
35 matches; no description, indicator, process or target reported for any of them (N/A)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bucI62hj56.exe N/A
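The two registry tables above (the Real-Time Protection policy values and TamperProtection) are the whole of the Healer stage's anti-AV behaviour, and they are what a detection engineer would alert on. Two caveats: the Policies\Microsoft\Windows Defender keys are Group Policy overrides, so the writer needs administrative rights (the sandbox runs the sample as an admin user), and on a host where Tamper Protection is enabled Defender blocks or reverts these writes, so the same sample may fail to disable protection outside the sandbox. The following Python is an added example, not part of this report or of any vendor's rule set: it runs a detection over Sysmon-style registry events (Event ID 13, "Value Set"; Event ID 12 key creates carry no data) and accepts both Sysmon's HKLM\... path form and the sandbox's \REGISTRY\MACHINE\... form. The event dictionaries are constructed from the rows in this report plus two constructed negatives; the Defender Platform version directory in one of them is a placeholder, and the treatment of TamperProtection = 4 as "off" is the documented Defender value, not something this sample wrote.

```python
import re
from dataclasses import dataclass

# Registry values this sample wrote (from the report above), in the "HKLM\..." form
# Sysmon uses, case-folded. Each maps to the data that weakens Defender.
RTP_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features"
WEAKENING_VALUES = {
    (RTP_KEY + r"\DisableRealtimeMonitoring").lower(): {1},
    (RTP_KEY + r"\DisableIOAVProtection").lower(): {1},
    (RTP_KEY + r"\DisableOnAccessProtection").lower(): {1},
    (RTP_KEY + r"\DisableScanOnRealtimeEnable").lower(): {1},
    (RTP_KEY + r"\DisableBehaviorMonitoring").lower(): {1},
    # 0 is what this sample wrote; 4 is the value Defender itself stores for "off".
    (FEATURES_KEY + r"\TamperProtection").lower(): {0, 4},
}
# A writer living under one of these is not a Defender or Group Policy component.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")
DWORD_RE = re.compile(r"DWORD \((0x[0-9a-f]+)\)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    image: str      # process that performed the write
    target: str     # registry value changed (normalised, lower-case)
    data: int       # DWORD written
    severity: str   # "high" if the writer lives in a user-writable path, else "medium"


def normalize_target(path: str) -> str:
    """Map the sandbox's native \\REGISTRY\\MACHINE\\... form onto Sysmon's HKLM\\... form."""
    p = path.replace("/", "\\")
    prefix = "\\registry\\machine\\"
    if p.lower().startswith(prefix):
        p = "HKLM\\" + p[len(prefix):]
    return p.lower()


def parse_dword(details):
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; return it as int, else None."""
    m = DWORD_RE.search(details or "")
    return int(m.group(1), 16) if m else None


def detect_defender_tampering(events):
    """One Finding per Event ID 13 that puts a Defender value into a weakening state."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:                 # key creates (ID 12) carry no data
            continue
        target = normalize_target(ev["TargetObject"])
        weakening = WEAKENING_VALUES.get(target)
        if weakening is None:
            continue
        data = parse_dword(ev.get("Details"))
        if data is None or data not in weakening:   # e.g. a write that re-enables (0)
            continue
        image = ev.get("Image", "")
        severity = "high" if any(m in image.lower() for m in USER_WRITABLE_MARKERS) else "medium"
        findings.append(Finding(image, target, data, severity))
    return findings


def writers_by_image(findings):
    """Triage view: image -> number of weakening writes it performed."""
    counts = {}
    for f in findings:
        counts[f.image] = counts.get(f.image, 0) + 1
    return counts


# Constructed Sysmon-style events modelled on the registry rows in this report. The last
# two are constructed negatives (Defender's own engine re-asserting its state, and a
# system process resetting a policy value to 0); they are not from the report, and the
# Platform version directory "x.y" is a placeholder.
STAGE5_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bucI62hj56.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": STAGE5_IMAGE, "TargetObject": RTP_KEY + r"\DisableIOAVProtection", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": STAGE5_IMAGE, "TargetObject": RTP_KEY + r"\DisableOnAccessProtection", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": STAGE5_IMAGE, "TargetObject": RTP_KEY + r"\DisableRealtimeMonitoring", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": STAGE5_IMAGE, "TargetObject": RTP_KEY + r"\DisableScanOnRealtimeEnable", "Details": "DWORD (0x00000001)"},
    {"EventID": 12, "Image": STAGE5_IMAGE, "TargetObject": RTP_KEY, "Details": ""},
    {"EventID": 13, "Image": STAGE5_IMAGE, "TargetObject": RTP_KEY + r"\DisableBehaviorMonitoring", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": STAGE5_IMAGE, "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection", "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\x.y\MsMpEng.exe", "TargetObject": FEATURES_KEY + r"\TamperProtection", "Details": "DWORD (0x00000005)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "TargetObject": RTP_KEY + r"\DisableRealtimeMonitoring", "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for f in detect_defender_tampering(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.image} -> {f.target} = {f.data}")
```

Run against the constructed events it returns six findings, all attributed to bucI62hj56.exe and all rated high because the writer lives under the user's Temp directory; the key-create event, Defender's own write and the svchost reset produce nothing. Matching on the exact weakening data rather than on any write to the key is what keeps a Group Policy refresh that sets DisableRealtimeMonitoring back to 0 out of the alert queue.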

Adds Run key to start application

persistence
Note: the five wextract_cleanupN RunOnce entries below are written by the Windows IExpress/wextract self-extractor to delete its own IXP00N.TMP extraction directory at the next logon (rundll32.exe advpack.dll,DelNodeRunDLL32). Each wrapper layer registers the cleanup for the directory it extracted the next layer into, so the entries fingerprint the nested packaging of this sample rather than giving the payload persistence; no Run or RunOnce value pointing at a dropped executable is recorded in this detonation. The WOW6432Node path shows the wrappers are 32-bit processes writing to the redirected registry view.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plER26Go57.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plel48DI47.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\984f8e6c7ad7ac4c89d98cd6946b5630369246a738492e160377a40b6780afca.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plVX40lV62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plzP30pV87.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\984f8e6c7ad7ac4c89d98cd6946b5630369246a738492e160377a40b6780afca.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plVX40lV62.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plzP30pV87.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plER26Go57.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plel48DI47.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caNf14GV61.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bucI62hj56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bucI62hj56.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bucI62hj56.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caNf14GV61.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4848 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\984f8e6c7ad7ac4c89d98cd6946b5630369246a738492e160377a40b6780afca.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plVX40lV62.exe
PID 4848 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\984f8e6c7ad7ac4c89d98cd6946b5630369246a738492e160377a40b6780afca.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plVX40lV62.exe
PID 4848 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\984f8e6c7ad7ac4c89d98cd6946b5630369246a738492e160377a40b6780afca.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plVX40lV62.exe
PID 4304 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plVX40lV62.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plzP30pV87.exe
PID 4304 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plVX40lV62.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plzP30pV87.exe
PID 4304 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plVX40lV62.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plzP30pV87.exe
PID 1080 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plzP30pV87.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plER26Go57.exe
PID 1080 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plzP30pV87.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plER26Go57.exe
PID 1080 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plzP30pV87.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plER26Go57.exe
PID 2192 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plER26Go57.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plel48DI47.exe
PID 2192 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plER26Go57.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plel48DI47.exe
PID 2192 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plER26Go57.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plel48DI47.exe
PID 1560 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plel48DI47.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bucI62hj56.exe
PID 1560 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plel48DI47.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bucI62hj56.exe
PID 1560 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plel48DI47.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caNf14GV61.exe
PID 1560 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plel48DI47.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caNf14GV61.exe
PID 1560 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plel48DI47.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caNf14GV61.exe
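The WriteProcessMemory rows above are the only place this report records parent/child relationships and PIDs, and the repeated rows are the several writes a parent makes into a freshly created child before resuming it. The Python below is an added example, not part of the report or of the sandbox's tooling: it parses rows in exactly this format, collapses repeats into a write count per edge, reconstructs the process tree, reports the final-stage processes (those that spawn nothing further) and derives the number of nested self-extractor layers from the highest IXP00N.TMP directory index seen. The embedded rows are the 17 events of this detonation, rebuilt from the table; the function and variable names are the example's own.

```python
import re
from collections import defaultdict

# The 17 WriteProcessMemory events of this detonation, one line per event, in the row
# format the report uses: "PID <parent> wrote to memory of <child> N/A <parent image> <child image>".
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\984f8e6c7ad7ac4c89d98cd6946b5630369246a738492e160377a40b6780afca.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
WPM_ROWS = "\n".join(
    [f"PID 4848 wrote to memory of 4304 N/A {SAMPLE_EXE} {TMP}\\IXP000.TMP\\plVX40lV62.exe"] * 3
    + [f"PID 4304 wrote to memory of 1080 N/A {TMP}\\IXP000.TMP\\plVX40lV62.exe {TMP}\\IXP001.TMP\\plzP30pV87.exe"] * 3
    + [f"PID 1080 wrote to memory of 2192 N/A {TMP}\\IXP001.TMP\\plzP30pV87.exe {TMP}\\IXP002.TMP\\plER26Go57.exe"] * 3
    + [f"PID 2192 wrote to memory of 1560 N/A {TMP}\\IXP002.TMP\\plER26Go57.exe {TMP}\\IXP003.TMP\\plel48DI47.exe"] * 3
    + [f"PID 1560 wrote to memory of 3212 N/A {TMP}\\IXP003.TMP\\plel48DI47.exe {TMP}\\IXP004.TMP\\bucI62hj56.exe"] * 2
    + [f"PID 1560 wrote to memory of 4672 N/A {TMP}\\IXP003.TMP\\plel48DI47.exe {TMP}\\IXP004.TMP\\caNf14GV61.exe"] * 3
)

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")
SFX_DIR_RE = re.compile(r"\\IXP(\d{3})\.TMP\\", re.IGNORECASE)   # IExpress extraction dir


def parse_rows(text):
    """Return {(parent_pid, child_pid): {"parent": image, "child": image, "writes": n}}."""
    edges = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        edge = edges.setdefault(key, {"parent": m.group(3), "child": m.group(4), "writes": 0})
        edge["writes"] += 1
    return edges


def build_tree(edges):
    """Return (roots, children, images): pids with no recorded parent, pid -> child pids, pid -> image."""
    children, images, parents = defaultdict(list), {}, {}
    for (ppid, pid), edge in edges.items():
        children[ppid].append(pid)
        images[ppid] = edge["parent"]
        images[pid] = edge["child"]
        parents[pid] = ppid
    roots = [pid for pid in images if pid not in parents]
    return roots, dict(children), images


def render_tree(pid, children, images, edges, depth=0):
    """Indented text tree; each child line shows how many WPM writes its parent made into it."""
    lines = ["  " * depth + f"{pid}  {images[pid]}"]
    for child in children.get(pid, []):
        sub = render_tree(child, children, images, edges, depth + 1)
        sub[0] += f"  [{edges[(pid, child)]['writes']} writes from {pid}]"
        lines.extend(sub)
    return lines


def final_stages(children, images):
    """Processes that spawn nothing further: the payloads the wrapper layers deliver."""
    return sorted(pid for pid in images if pid not in children)


def sfx_nesting_depth(images):
    """Highest IXP00N.TMP index seen, plus one: the number of nested self-extractor layers."""
    depth = 0
    for image in images.values():
        m = SFX_DIR_RE.search(image)
        if m:
            depth = max(depth, int(m.group(1)) + 1)
    return depth


if __name__ == "__main__":
    edges = parse_rows(WPM_ROWS)
    roots, children, images = build_tree(edges)
    for root in roots:
        print("\n".join(render_tree(root, children, images, edges)))
    print("final stages:", final_stages(children, images))
    print("self-extractor layers:", sfx_nesting_depth(images))
```

For this detonation the tree has a single root (PID 4848, the submitted file), a straight chain of four wrapper children, and two leaves, 3212 (bucI62hj56.exe) and 4672 (caNf14GV61.exe); the nesting depth comes out as 5. A chain that deep of IExpress-style layers, each one only unpacking the next, is itself a useful triage signal before any payload family is identified.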

Processes

Process tree, with PIDs and parent/child relationships taken from the WriteProcessMemory table above. Each child's command line is its image path with no arguments.

PID 4848  "C:\Users\Admin\AppData\Local\Temp\984f8e6c7ad7ac4c89d98cd6946b5630369246a738492e160377a40b6780afca.exe"
  PID 4304  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plVX40lV62.exe
    PID 1080  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plzP30pV87.exe
      PID 2192  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plER26Go57.exe
        PID 1560  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plel48DI47.exe
          PID 3212  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bucI62hj56.exe
          PID 4672  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caNf14GV61.exe

Network

No TCP session in this table is attributed to a process, and no forward DNS lookup is recorded; the UDP rows are PTR (reverse) lookups sent to 8.8.8.8, and none of the addresses being reverse-resolved appears as a TCP destination in this capture. The only outbound TCP peer is 193.233.20.24 on the non-standard port 4123, contacted six times.

Country  Destination          Domain (DNS query name)        Proto
US       8.8.8.8:53           8.8.8.8.in-addr.arpa           udp
US       8.8.8.8:53           97.17.167.52.in-addr.arpa      udp
US       8.8.8.8:53           172.210.232.199.in-addr.arpa   udp
US       8.8.8.8:53           0.159.190.20.in-addr.arpa      udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa    udp
RU       193.233.20.24:4123   -                              tcp
US       8.8.8.8:53           228.249.119.40.in-addr.arpa    udp
RU       193.233.20.24:4123   -                              tcp
US       8.8.8.8:53           88.210.23.2.in-addr.arpa       udp
RU       193.233.20.24:4123   -                              tcp
RU       193.233.20.24:4123   -                              tcp
US       8.8.8.8:53           14.227.111.52.in-addr.arpa     udp
RU       193.233.20.24:4123   -                              tcp
RU       193.233.20.24:4123   -                              tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plVX40lV62.exe

MD5 774ec1b85e2464f6dd976f5b6d45b951
SHA1 6e4b495016df3bcc506f381aaff6f9c0db0349dc
SHA256 4f63b81561c55d2c60e6f1f817c98ac047c030f2601ea0680e09a58afd4d303c
SHA512 d5694da3dbc49085ff15f484ef2cf972f78023737d3f13602accd38d2d4cf96086056e66fe7abed5ae47719fa20da59bc68ac517640a8e91e9c2c46ce6aa1651

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plzP30pV87.exe

MD5 1670fe2dbe107a0ba3686654fae3a45e
SHA1 116d8089e6f90247c212873f19e5aad458796628
SHA256 033ee569e3c02d815de203af44e906d6689e4450c0c6884544be6da7945aa778
SHA512 4d11865d0365c84236e88f36ff12abd0b1229b82b3d897b67fd20ace3497d3c4a1cf9bc16230a00027f2a2863e44ca9cb8f6744997dd920f19012baaa7613b9f

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plER26Go57.exe

MD5 b3276b3addc278a3dd6ab5202a90ecf9
SHA1 e0accbc721bd261e1dd5f7ac9f33452312db9538
SHA256 10ae59c17e79537fa44eb36f1bd02a577e020019e5bb4c9446189c8b08457534
SHA512 e07c1b25f2e940600ee4c121bfca2e45f26db4000acaf42cb45ddba5b5f8a9a59c43faccf55d9d96f2015f3e65ee8f1403be859b86709042f18c0342dce60eb3

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plel48DI47.exe

MD5 1adfa2e21a1b14455f10c6bdb3b5b7c8
SHA1 a64cd7a61ce216e6124d5e8515068db67041da93
SHA256 67c3953eb171e68d650a29107070cf67108f67fa540ac2a2a35796d074994404
SHA512 eb9662c30bad9d5481558660e5f1078e7851ee674744496164c97019129aeeea7ed040ab59f3b32f3ca7e5d69b2fff47f695b5b2b2326fcbef069385bd012ca2

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bucI62hj56.exe

MD5 7a509dfc2f1613b8abb6a38067f5e702
SHA1 66a278d414da14ee48086943733e5f2090cdc50a
SHA256 079a657f4163edff371bfd164a82e0e02d2aae7efabd0967ea1437c4c608686c
SHA512 3d6a9438787e7e135def1877efe883b1e7542559b166925e30c8b8088a737d496ddc2cf68b96a8dc88988bc3a2d08f7b8a97c8227efc558418195a4594b8afb3

memory/3212-35-0x0000000000760000-0x000000000076A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caNf14GV61.exe

MD5 47edc698fb60063cef4e63ee2d5d05bc
SHA1 8f7bc644d7a378df490ab77d7b3b9b2a25a870fa
SHA256 2561279e13e55b30c371c6d72c72bf9124697eec6395f1c1dfbbdd8ac3f5557f
SHA512 b6c7b5288217bd01efe5ee9ec396dc7471240749a9f8998ddec34f7a2a073bfaa062e4a72986d0dcb73e283dc60e0cfcd0885a2e68014598e86277dd80082715

memory/4672-41-0x0000000004AA0000-0x0000000004AE6000-memory.dmp

memory/4672-42-0x0000000004BC0000-0x0000000005164000-memory.dmp

memory/4672-43-0x0000000004B60000-0x0000000004BA4000-memory.dmp

memory/4672-44 through memory/4672-107 (indices 44, 45 and every odd index from 47 to 107; 33 snapshots of the same region): 0x0000000004B60000-0x0000000004B9E000-memory.dmp

memory/4672-950-0x00000000051C0000-0x00000000057D8000-memory.dmp

memory/4672-951-0x0000000005860000-0x000000000596A000-memory.dmp

memory/4672-952-0x00000000059A0000-0x00000000059B2000-memory.dmp

memory/4672-953-0x0000000005AC0000-0x0000000005AFC000-memory.dmp

memory/4672-954-0x0000000005B10000-0x0000000005B5C000-memory.dmp