Malware Analysis Report

2024-12-06 02:45

Sample ID 241110-a41pbswbkq
Target 01ac52df0826dc5ba44831e4d5aaee73662a8b4119630878b004604765a898fe
SHA256 01ac52df0826dc5ba44831e4d5aaee73662a8b4119630878b004604765a898fe
Tags
healer redline mazda discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

01ac52df0826dc5ba44831e4d5aaee73662a8b4119630878b004604765a898fe

Threat Level: Known bad

The file 01ac52df0826dc5ba44831e4d5aaee73662a8b4119630878b004604765a898fe was found to be: Known bad.

In the behavioral run the sample unpacks as five nested WEXTRACT self-extracting packages (one RunOnce cleanup entry, wextract_cleanup0 to wextract_cleanup4, per layer, and one IXP000.TMP to IXP004.TMP extraction directory per layer), ending in two final-stage executables in IXP004.TMP. a3816900.exe disables Windows Defender real-time protection through the Policies registry keys and sets TamperProtection to 0 (the behaviour the Healer signature describes), then crashes and is handled by WerFault (PID 2660). The only non-DNS network activity is TCP to 217.196.96.56:4138; the report does not attribute that connection to a process. The "Adds Run key" hits are wextract's own cleanup entries, not payload persistence.

Malicious Activity Summary

healer redline mazda discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Redline family

Detects Healer an antivirus disabler dropper

Healer family

RedLine

RedLine payload

Healer

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:46

Reported

2024-11-10 00:49

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01ac52df0826dc5ba44831e4d5aaee73662a8b4119630878b004604765a898fe.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
(17 matches; no indicator details recorded for this signature)
Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3816900.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3816900.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3816900.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3816900.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3816900.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3816900.exe N/A

All five values are written under the Policies key, the Group Policy override path that takes precedence over the settings exposed in the Defender UI, and each value set to 1 turns off one part of real-time protection: behaviour monitoring, scanning of downloads and attachments (IOAV), on-access scanning, real-time monitoring itself, and the catch-up scan Defender would otherwise run when real-time protection is re-enabled. The WOW6432Node prefix shows the writer is a 32-bit process (consistent with WerFault being launched from SysWOW64). The report records the writes, not their effect: on a host with Tamper Protection enabled, Defender ignores registry changes to these settings, so this is evidence of intent and of the sample's toolset rather than proof that protection was disabled.

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3816900.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3816900.exe N/A

Features\TamperProtection is where Defender keeps the Tamper Protection state, and it is itself covered by Tamper Protection: when the feature is on, this write is rejected, and the Real-Time Protection policy values above are ignored regardless of what the registry says. A sandbox logs the attempt either way, so a 0 here does not mean the sample would succeed on a managed endpoint. On a real host, verify the effective state with Get-MpComputerStatus (the IsTamperProtected and RealTimeProtectionEnabled properties) rather than by reading the registry value.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\01ac52df0826dc5ba44831e4d5aaee73662a8b4119630878b004604765a898fe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5623350.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0941983.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8677032.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4364316.exe N/A

These entries are not payload persistence. wextract.exe, the self-extractor used by IExpress packages, registers a RunOnce value named wextract_cleanup<n> for each package it opens so that advpack.dll's DelNodeRunDLL32 deletes the package's IXP<nnn>.TMP extraction directory at the next logon. The five entries, each written by a different layer (the submitted file, then v5623350.exe, v0941983.exe, v8677032.exe and v4364316.exe), confirm that the sample is five nested self-extracting archives. Nothing here re-launches a3816900.exe or b5793818.exe after a reboot, and the report records no other autorun entry, so the persistence tag should be read as a packaging artefact.
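The registry rows in the three tables above (Real-Time Protection, Features, RunOnce) are easy to over-read from the signature names alone. The following script is an added example, not code from the report or from its sandbox: it parses rows in exactly the format printed above, flags the Defender-disabling writes, and tells a wextract cleanup RunOnce entry apart from a genuine autorun. The ROW_RE pattern, the category names and the one CONSTRUCTED_ROW (a hypothetical Run\Updater entry) are assumptions of this example; the REPORT_ROWS are copied from the report.

```python
"""Triage registry rows from a sandbox report.

Added example, not code from the report or its sandbox. It parses the
'Key created' / 'Set value' rows copied from the tables above and separates
Defender-disabling writes from the WEXTRACT cleanup RunOnce entries that a
generic 'Adds Run key' signature reports as persistence.
"""
import re
from collections import Counter

# One row: operation, registry path, optional quoted value, writing process, target (N/A).
ROW_RE = re.compile(
    r'^(?P<op>Key created|Set value \((?:int|str)\))\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s=\s"(?P<value>.*)")?'
    r'\s+(?P<proc>[A-Za-z]:\\\S+)\s+N/A$'
)

# Rows copied verbatim from the report's Real-Time Protection, Features and RunOnce tables.
REPORT_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3816900.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3816900.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3816900.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3816900.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3816900.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3816900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3816900.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3816900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\01ac52df0826dc5ba44831e4d5aaee73662a8b4119630878b004604765a898fe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5623350.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0941983.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8677032.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4364316.exe N/A
"""

# Constructed row, not from the report: what a genuine autorun entry looks like in this format.
CONSTRUCTED_ROW = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-0-0-0-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\updater.exe" C:\Users\Admin\AppData\Roaming\updater.exe N/A
"""

RT_POLICY = "\\policies\\microsoft\\windows defender\\real-time protection\\disable"
TP_FEATURE = "\\microsoft\\windows defender\\features\\tamperprotection"
SFX_CLEANUP = "advpack.dll,delnoderundll32"   # wextract's per-package temp-dir cleanup


def classify(row):
    """Map one parsed row to (category, severity); None for rows with nothing to flag."""
    if row["value"] is None:                  # 'Key created' rows carry no setting
        return None
    path, value = row["path"].lower(), row["value"].lower()
    name = path.rpartition("\\")[2]
    if RT_POLICY in path and value == "1":
        return "defender_realtime_disabled", "high"
    if path.endswith(TP_FEATURE) and value == "0":
        return "tamper_protection_disabled", "high"
    if "\\currentversion\\run\\" in path or "\\currentversion\\runonce\\" in path:
        if name.startswith("wextract_cleanup") and SFX_CLEANUP in value:
            return "sfx_cleanup", "info"      # deletes IXPnnn.TMP at next logon, starts nothing
        return "autorun_persistence", "medium"
    return None


def triage(report_text):
    """Parse the rows and return the findings an analyst should look at."""
    findings = []
    for line in report_text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        hit = classify(m.groupdict()) if m else None
        if hit is None:
            continue
        findings.append({
            "category": hit[0], "severity": hit[1],
            "name": m["path"].rpartition("\\")[2],
            "process": m["proc"].rpartition("\\")[2],
            "wow64_view": "\\WOW6432Node\\" in m["path"],   # writer is a 32-bit process
        })
    return findings


def summarize(findings):
    """Count findings per category."""
    return Counter(f["category"] for f in findings)


if __name__ == "__main__":
    for f in triage(REPORT_ROWS + CONSTRUCTED_ROW):
        print(f"{f['severity']:<6} {f['category']:<27} {f['name']} <- {f['process']}")
```

Run against the report's rows this yields five high-severity Defender policy writes and one TamperProtection write, all from a3816900.exe, and five informational sfx_cleanup entries; only the constructed Run\Updater row is reported as autorun persistence. The same classifier applied to other reports in this format will keep separating wextract packaging noise from real persistence.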

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8677032.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4364316.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3816900.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5793818.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\01ac52df0826dc5ba44831e4d5aaee73662a8b4119630878b004604765a898fe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5623350.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0941983.exe N/A

Every process in the chain opens this key, including the self-extracting wrapper layers, which is consistent with routine locale initialisation rather than a deliberate check. On its own this is a weak indicator; it would only matter if a final-stage payload branched on the result (for example, exiting on certain system languages), and this report shows no such dependency.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3816900.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3816900.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3816900.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4644 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\01ac52df0826dc5ba44831e4d5aaee73662a8b4119630878b004604765a898fe.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5623350.exe
PID 4644 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\01ac52df0826dc5ba44831e4d5aaee73662a8b4119630878b004604765a898fe.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5623350.exe
PID 4644 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\01ac52df0826dc5ba44831e4d5aaee73662a8b4119630878b004604765a898fe.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5623350.exe
PID 1004 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5623350.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0941983.exe
PID 1004 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5623350.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0941983.exe
PID 1004 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5623350.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0941983.exe
PID 2632 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0941983.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8677032.exe
PID 2632 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0941983.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8677032.exe
PID 2632 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0941983.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8677032.exe
PID 4536 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8677032.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4364316.exe
PID 4536 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8677032.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4364316.exe
PID 4536 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8677032.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4364316.exe
PID 4692 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4364316.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3816900.exe
PID 4692 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4364316.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3816900.exe
PID 4692 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4364316.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3816900.exe
PID 4692 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4364316.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5793818.exe
PID 4692 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4364316.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5793818.exe
PID 4692 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4364316.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5793818.exe
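The rows above are three WriteProcessMemory calls per child, each aimed at a freshly dropped executable that then runs under its own path. That is the pattern of a parent launching a child (CreateProcess writes the new process's parameters into it), not of code injection into an existing process. The script below is an added example, not code from the report or its sandbox: it deduplicates rows copied from the table above into a parent/child tree, reads the WerFault command lines from the Processes section to mark the crashed child, and reports the chain depth and the final-stage images. The row format regexes, function names and tree rendering are assumptions of this example.

```python
"""Rebuild the dropper's process chain from the report's WriteProcessMemory rows.

Added example, not code from the report or its sandbox. Rows are copied from
the 'Suspicious use of WriteProcessMemory' table (the report repeats each
parent/child pair three times); the WerFault command lines come from the
Processes section and identify which child crashed.
"""
import re

WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)
WERFAULT_RE = re.compile(r"WerFault\.exe .*-p (?P<pid>\d+)")

# Copied from the report; one repeated row is kept to show deduplication.
WRITE_ROWS = r"""
PID 4644 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\01ac52df0826dc5ba44831e4d5aaee73662a8b4119630878b004604765a898fe.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5623350.exe
PID 4644 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\01ac52df0826dc5ba44831e4d5aaee73662a8b4119630878b004604765a898fe.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5623350.exe
PID 1004 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5623350.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0941983.exe
PID 2632 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0941983.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8677032.exe
PID 4536 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8677032.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4364316.exe
PID 4692 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4364316.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3816900.exe
PID 4692 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4364316.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5793818.exe
"""

# Copied from the report's Processes section.
WERFAULT_CMDS = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2660 -ip 2660",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 1084",
]


def parse_chain(text):
    """Return (roots, names, children): PID -> image name and PID -> ordered child PIDs."""
    names, children, targets = {}, {}, set()
    for line in text.strip().splitlines():
        m = WRITE_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        names.setdefault(src, m["src_img"].rpartition("\\")[2])
        names.setdefault(dst, m["dst_img"].rpartition("\\")[2])
        kids = children.setdefault(src, [])
        if dst not in kids:              # collapse the repeated rows per child
            kids.append(dst)
        targets.add(dst)
    roots = [pid for pid in names if pid not in targets]
    return roots, names, children


def crashed_pids(cmdlines):
    """PIDs that WerFault was invoked for (the -p <pid> argument)."""
    return {int(m["pid"]) for m in map(WERFAULT_RE.search, cmdlines) if m}


def chain_depth(children, pid):
    """Number of process layers from pid down to its deepest descendant."""
    return 1 + max((chain_depth(children, c) for c in children.get(pid, [])), default=0)


def leaf_images(names, children):
    """Images that spawned nothing: the final-stage payloads."""
    return sorted(names[p] for p in names if p not in children)


def render(pid, names, children, crashed, depth=0):
    """Indented tree lines, marking processes WerFault handled."""
    mark = "  [crashed, WerFault]" if pid in crashed else ""
    lines = [f"{'    ' * depth}{names[pid]} (PID {pid}){mark}"]
    for child in children.get(pid, []):
        lines.extend(render(child, names, children, crashed, depth + 1))
    return lines


if __name__ == "__main__":
    roots, names, children = parse_chain(WRITE_ROWS)
    crashed = crashed_pids(WERFAULT_CMDS)
    print("\n".join(render(roots[0], names, children, crashed)))
    print("layers:", chain_depth(children, roots[0]), "final stages:", leaf_images(names, children))
```

For this report the tree has a single root (PID 4644), six layers, two leaves (a3816900.exe and b5793818.exe), and only PID 2660 marked as crashed, matching the "Program crash" tag in the summary.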

Processes

Process chain, parent to child, with PIDs taken from the WriteProcessMemory rows and the WerFault command lines. The submitted file and each v*.exe layer is a WEXTRACT self-extracting package that unpacks the next layer into a fresh IXPnnn.TMP directory and runs it:

01ac52df0826dc5ba44831e4d5aaee73662a8b4119630878b004604765a898fe.exe (PID 4644)
    IXP000.TMP\v5623350.exe (PID 1004)
        IXP001.TMP\v0941983.exe (PID 2632)
            IXP002.TMP\v8677032.exe (PID 4536)
                IXP003.TMP\v4364316.exe (PID 4692)
                    IXP004.TMP\a3816900.exe (PID 2660; writes the Defender registry values above, then crashes and is handled by WerFault)
                    IXP004.TMP\b5793818.exe (PID 2152; second final-stage payload)

Command lines as executed:

C:\Users\Admin\AppData\Local\Temp\01ac52df0826dc5ba44831e4d5aaee73662a8b4119630878b004604765a898fe.exe

"C:\Users\Admin\AppData\Local\Temp\01ac52df0826dc5ba44831e4d5aaee73662a8b4119630878b004604765a898fe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5623350.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5623350.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0941983.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0941983.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8677032.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8677032.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4364316.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4364316.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3816900.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3816900.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2660 -ip 2660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5793818.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5793818.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
CY 217.196.96.56:4138 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
CY 217.196.96.56:4138 tcp
CY 217.196.96.56:4138 tcp
CY 217.196.96.56:4138 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
CY 217.196.96.56:4138 tcp
CY 217.196.96.56:4138 tcp
US 8.8.8.8:53 udp

Only one endpoint receives non-DNS traffic: six TCP connections to 217.196.96.56:4138 (geolocated to Cyprus), which is the indicator to pivot on. The report does not attribute the connection to a process, and no domain was resolved for it, so the address is hard-coded or derived in the payload rather than looked up. The remaining rows are reverse (PTR) lookups sent to 8.8.8.8; reading the in-addr.arpa names backwards gives 8.8.8.8, 40.119.249.228, 199.232.214.172, 20.190.159.2, 192.229.221.95, 20.12.23.50, 40.69.42.241, 199.232.210.172, 51.11.168.232 and 52.111.229.48, a pattern typical of Windows background services in the analysis VM rather than of resolution initiated by the sample. The last row is a DNS query whose name was not recorded.
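Separating the PTR noise from the one real connection is mechanical once the rows are parsed. The script below is an added example, not code from the report or its sandbox: it reads rows in the Network table's format (copied above), turns in-addr.arpa names back into the IPs that were looked up, tolerates the row with no name column, and counts every non-DNS destination. The ROW_RE pattern, the bucket names and the CONSTRUCTED_ROW (a hypothetical forward lookup of example.invalid) are assumptions of this example.

```python
"""Separate the report's network rows into DNS noise and actual connections.

Added example, not code from the report or its sandbox. The rows are copied
from the Network table above; reverse (in-addr.arpa) names are turned back
into the IPs that were looked up, and every non-DNS destination is counted.
"""
import re
from collections import Counter

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<name>\S+))? (?P<proto>tcp|udp)$"
)

# Copied from the report; the last row has no name column.
NETWORK_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
CY 217.196.96.56:4138 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
CY 217.196.96.56:4138 tcp
CY 217.196.96.56:4138 tcp
CY 217.196.96.56:4138 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
CY 217.196.96.56:4138 tcp
CY 217.196.96.56:4138 tcp
US 8.8.8.8:53 udp
"""

# Constructed row, not from the report: a forward lookup, to exercise the third DNS branch.
CONSTRUCTED_ROW = "US 8.8.8.8:53 example.invalid udp\n"


def reverse_ptr(name):
    """'228.249.119.40.in-addr.arpa' -> '40.119.249.228'; None for anything else."""
    suffix = ".in-addr.arpa"
    if not name or not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def triage_network(text):
    """Bucket rows into PTR targets, forward names, nameless DNS rows and counted connections."""
    out = {"ptr_targets": [], "forward_names": [], "unnamed_dns": 0, "connections": Counter()}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        if m["port"] == "53" and m["proto"] == "udp":
            if m["name"] is None:
                out["unnamed_dns"] += 1
            else:
                ip = reverse_ptr(m["name"])
                if ip:
                    out["ptr_targets"].append(ip)
                else:
                    out["forward_names"].append(m["name"])
        else:
            # Anything that is not DNS is a direct contact worth pivoting on.
            out["connections"][(m["ip"], int(m["port"]), m["proto"], m["cc"])] += 1
    return out


if __name__ == "__main__":
    result = triage_network(NETWORK_ROWS)
    for endpoint, count in result["connections"].most_common():
        print(f"{count} x {endpoint[0]}:{endpoint[1]}/{endpoint[2]} ({endpoint[3]})")
    print("PTR targets:", ", ".join(result["ptr_targets"]))
    print("unnamed DNS rows:", result["unnamed_dns"])
```

On the report's rows this produces a single connection entry, 217.196.96.56:4138/tcp seen six times, ten reversed PTR targets and one unnamed DNS row; the forward-name bucket stays empty unless the constructed row is appended.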

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5623350.exe

MD5 c32a9c40ede42ecccc3680f15e3882ce
SHA1 86b9cdf5aaf481c8465b1fe930483225d1c637c1
SHA256 55a4a0a9e71b82492214d69df38030224746c5bceecdda583c1f443baaa86fd1
SHA512 94b99e005e9e41c5906d7166863067441817a8da06d5119e050525ec055d2a2b1313a832cfec2ef0c7ee61531cf69bb59b2b676c245178af00f577af02a116be

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0941983.exe

MD5 3b40f22564c0f832a898042644219959
SHA1 37064b80c74e08ee5bb579ae49a19eeccf0102ee
SHA256 d73bc3acee2869b9d799abf56c418b449589982f54165ec310271fe416fe4714
SHA512 6a7f9482b4cfc3cfb69bdbc9dd672b40de04d13de27fbfce664f2652b32c1c11079df6fd5ec9c3e8ec5e6e3ed20242a5b0ce7c942d32c22e839a1ad6ebfd6394

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8677032.exe

MD5 78e782d670a4b6525fb42bdb5499812a
SHA1 bb3955586e8bc7e995732e680e396b8cb19dde53
SHA256 9e49f197a12d7fbb10c6707113a6dd1e5c5090c25da7e0a6bc92404baccc41f7
SHA512 d5cf49a62ba32b3347912e2dc9aef66880de37c9da94c1b18d384151010e6b1c5a24980e8e66d8d06e4027d3f38cd6adc256c73d3f6e38eaa0759d477b280ec7

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4364316.exe

MD5 abc63c425614ba88e6d515595bcc96d6
SHA1 291deebcbf19b787d748fe72511b30990056098c
SHA256 962c965048db75f50aac7fde8de6e41244976d34886e044420aaf728fedce26f
SHA512 39124bada02ef56db318f3d30b4f73bbcbb48acc51396017f32b02a1de941d277139b9c47851a4efe7554f74390b0977e0a070eb263005609e6553446c264ba9

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3816900.exe

MD5 076c0565f1653bf167a0aab334f827a8
SHA1 d8266fcd2433a12a9cacf3753a2c1fd2ee97ca73
SHA256 e999cc935cb17ca0ebafbceec6465ec549cdad73303b4546bc7b1e793e1aa748
SHA512 51c00d1cd50fae8169d6917081ca269953619d8f2e1b0c4d84e752d1735bd39f3a3cc3edf47e019b15579243e228fa8a1525f3160b38f26b29c3d5dd3666d764

memory/2660-36-0x00000000009D0000-0x00000000009EA000-memory.dmp

memory/2660-37-0x0000000004AA0000-0x0000000005044000-memory.dmp

memory/2660-38-0x0000000004A20000-0x0000000004A38000-memory.dmp

memory/2660-42-0x0000000004A20000-0x0000000004A32000-memory.dmp

memory/2660-66-0x0000000004A20000-0x0000000004A32000-memory.dmp

memory/2660-64-0x0000000004A20000-0x0000000004A32000-memory.dmp

memory/2660-62-0x0000000004A20000-0x0000000004A32000-memory.dmp

memory/2660-60-0x0000000004A20000-0x0000000004A32000-memory.dmp

memory/2660-58-0x0000000004A20000-0x0000000004A32000-memory.dmp

memory/2660-57-0x0000000004A20000-0x0000000004A32000-memory.dmp

memory/2660-54-0x0000000004A20000-0x0000000004A32000-memory.dmp

memory/2660-52-0x0000000004A20000-0x0000000004A32000-memory.dmp

memory/2660-50-0x0000000004A20000-0x0000000004A32000-memory.dmp

memory/2660-48-0x0000000004A20000-0x0000000004A32000-memory.dmp

memory/2660-46-0x0000000004A20000-0x0000000004A32000-memory.dmp

memory/2660-44-0x0000000004A20000-0x0000000004A32000-memory.dmp

memory/2660-40-0x0000000004A20000-0x0000000004A32000-memory.dmp

memory/2660-39-0x0000000004A20000-0x0000000004A32000-memory.dmp

memory/2660-67-0x0000000000400000-0x0000000000485000-memory.dmp

memory/2660-69-0x0000000000400000-0x0000000000485000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5793818.exe

MD5 419aebc7531c2cb6f6e22bd67056d9ea
SHA1 b3f4700ac7ce55182bb5118c10f02edce95e4c11
SHA256 320ee3dd2e5e9301f7f3cc19c296f18946d697bd4a66aea0296ff24590f5546b
SHA512 24c3fe3cfc1fa5d5f37f5de7c39523a04536702dc103b80820971afa481633a1bdffa2b3e9953645e07fd07d417f2472e4adb228ed2ad299530515c110d31264

memory/2152-73-0x00000000004A0000-0x00000000004D0000-memory.dmp

memory/2152-74-0x0000000000EE0000-0x0000000000EE6000-memory.dmp

memory/2152-75-0x0000000005440000-0x0000000005A58000-memory.dmp

memory/2152-76-0x0000000004F30000-0x000000000503A000-memory.dmp

memory/2152-77-0x0000000004E20000-0x0000000004E32000-memory.dmp

memory/2152-78-0x0000000004E80000-0x0000000004EBC000-memory.dmp

memory/2152-79-0x0000000004ED0000-0x0000000004F1C000-memory.dmp