Malware Analysis Report

2024-12-06 02:45

Sample ID 241110-a39wlswbjl
Target f971e3fc82bbc1e6b7c926aa645a1a78a1eaf1b3529271cd205d857d24043505
SHA256 f971e3fc82bbc1e6b7c926aa645a1a78a1eaf1b3529271cd205d857d24043505
Tags healer redline mango discovery dropper evasion infostealer persistence trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256

f971e3fc82bbc1e6b7c926aa645a1a78a1eaf1b3529271cd205d857d24043505

Threat Level: Known bad

The file f971e3fc82bbc1e6b7c926aa645a1a78a1eaf1b3529271cd205d857d24043505 was found to be: Known bad.

Malicious Activity Summary

healer redline mango discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

Healer family

RedLine

Healer

RedLine payload

Redline family

Modifies Windows Defender Real-time Protection settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:45

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:45

Reported

2024-11-10 00:48

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f971e3fc82bbc1e6b7c926aa645a1a78a1eaf1b3529271cd205d857d24043505.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c78Bo27.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9092Xr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9092Xr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9092Xr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9092Xr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9092Xr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c78Bo27.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9092Xr.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c78Bo27.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c78Bo27.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c78Bo27.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c78Bo27.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9092Xr.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c78Bo27.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c78Bo27.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\f971e3fc82bbc1e6b7c926aa645a1a78a1eaf1b3529271cd205d857d24043505.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice9164.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice5684.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f971e3fc82bbc1e6b7c926aa645a1a78a1eaf1b3529271cd205d857d24043505.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice9164.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice5684.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c78Bo27.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dyDzp64.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9092Xr.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c78Bo27.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dyDzp64.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 380 wrote to memory of 736 | N/A | C:\Users\Admin\AppData\Local\Temp\f971e3fc82bbc1e6b7c926aa645a1a78a1eaf1b3529271cd205d857d24043505.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice9164.exe
PID 380 wrote to memory of 736 | N/A | C:\Users\Admin\AppData\Local\Temp\f971e3fc82bbc1e6b7c926aa645a1a78a1eaf1b3529271cd205d857d24043505.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice9164.exe
PID 380 wrote to memory of 736 | N/A | C:\Users\Admin\AppData\Local\Temp\f971e3fc82bbc1e6b7c926aa645a1a78a1eaf1b3529271cd205d857d24043505.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice9164.exe
PID 736 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice9164.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice5684.exe
PID 736 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice9164.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice5684.exe
PID 736 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice9164.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice5684.exe
PID 2028 wrote to memory of 4880 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice5684.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9092Xr.exe
PID 2028 wrote to memory of 4880 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice5684.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9092Xr.exe
PID 2028 wrote to memory of 5096 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice5684.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c78Bo27.exe
PID 2028 wrote to memory of 5096 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice5684.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c78Bo27.exe
PID 2028 wrote to memory of 5096 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice5684.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c78Bo27.exe
PID 736 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice9164.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dyDzp64.exe
PID 736 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice9164.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dyDzp64.exe
PID 736 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice9164.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dyDzp64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f971e3fc82bbc1e6b7c926aa645a1a78a1eaf1b3529271cd205d857d24043505.exe

"C:\Users\Admin\AppData\Local\Temp\f971e3fc82bbc1e6b7c926aa645a1a78a1eaf1b3529271cd205d857d24043505.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice9164.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice9164.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice5684.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice5684.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9092Xr.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9092Xr.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c78Bo27.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c78Bo27.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5096 -ip 5096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 1076

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dyDzp64.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dyDzp64.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 193.233.20.28:4125 | N/A | tcp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
RU | 193.233.20.28:4125 | N/A | tcp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
RU | 193.233.20.28:4125 | N/A | tcp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
RU | 193.233.20.28:4125 | N/A | tcp
RU | 193.233.20.28:4125 | N/A | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice9164.exe

MD5 5a22a13ba5416f0435c43d9ef88bee8a
SHA1 11cb1bceae533659c8be93b65c4cdf64f2e98adc
SHA256 d84c72ffa7d392682c376864ad711b75c14be5bd1e5f596d49a4f498f5e86ecb
SHA512 e5b0c7c6d0d10ac6eaf606b54ef00d4160f8c7c1187b3484635bd2e76908b3b17870424d86a1f55c9c7ce61e0c76b015bba518f0b70697bb1aa30efce91a5523

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice5684.exe

MD5 843ac67580aadcdc404441b4ec9fcf44
SHA1 2f7808667fcdd480b4cda33841034769f0b2019e
SHA256 737317ef442912e90f3d434c5a632026f8f36dc6786ef71510a05fe9eb99d675
SHA512 db7d9efd5942ccb96f2fc8fc782f73b58a352de3168fb62c46e13ca40caddd64b3b6b43d5ddf76c2a6f40936c8cac47d71cfd5bbe7fe43cebe90e49ae737f640

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9092Xr.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/4880-21-0x00007FFA03393000-0x00007FFA03395000-memory.dmp

memory/4880-22-0x0000000000440000-0x000000000044A000-memory.dmp

memory/4880-23-0x00007FFA03393000-0x00007FFA03395000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c78Bo27.exe

MD5 8335f38e72428df1f57bac47a8aa2a2b
SHA1 5dec4bdd0ace4468a2c7c2ae77824b64d4c07348
SHA256 4b7fc6c0eae7479dd74be4904c10f9e897a6f6ea43a5669c25b331c701145d1d
SHA512 eaa532ebc91da02e2f5f9dd5c2a4ca805af54e85400581701e6b19641954bb5e373ea44e13542c1ce3131fe2edc53e84b5780e0507ad2bc26a472a1828e05b09

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dyDzp64.exe

MD5 9249be1596002fe8092f8e4c4fadc919
SHA1 9bbbca401fa812add0183c8ce8f60556386910e8
SHA256 5293fb84f128c06827369462fe082a50c3847977511cdac5d17923726b03dccc
SHA512 4bfe6190e22666e083adde935d405590d4010676ee7b7f5c6ff98fa7d431190e34ecf7aab0650aa45793ed3bfa6cf6edab87cb3290ea8a6aac27e6cf4373cc6d
