Malware Analysis Report

2024-12-06 02:45

Sample ID: 241110-a459tavnbt
Target: 84fdfde0af8e431ec192d975e95c933e8d8dbc55c8a70c66c7d1e44aaa900630
SHA256: 84fdfde0af8e431ec192d975e95c933e8d8dbc55c8a70c66c7d1e44aaa900630
Tags: healer redline rumfa discovery dropper evasion infostealer persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 84fdfde0af8e431ec192d975e95c933e8d8dbc55c8a70c66c7d1e44aaa900630

Threat Level: Known bad

The file 84fdfde0af8e431ec192d975e95c933e8d8dbc55c8a70c66c7d1e44aaa900630 was found to be: Known bad.

Malicious Activity Summary

healer redline rumfa discovery dropper evasion infostealer persistence trojan

RedLine

Healer

Detects Healer, an antivirus disabler dropper

Healer family

RedLine payload

Redline family

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Launches sc.exe

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-10 00:46

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-10 00:46
Reported: 2024-11-10 00:49
Platform: win10v2004-20241007-en
Max time kernel: 150s
Max time network: 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\84fdfde0af8e431ec192d975e95c933e8d8dbc55c8a70c66c7d1e44aaa900630.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

Tags: dropper healer

Healer family

Tags: healer

Modifies Windows Defender Real-time Protection settings

Tags: evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buFq44VP59.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buFq44VP59.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buFq44VP59.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buFq44VP59.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buFq44VP59.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buFq44VP59.exe | N/A

RedLine

Tags: infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(35 matches in total; no indicator, process or target details were recorded for any of them, so the remaining 34 identical N/A rows are not repeated here)

Redline family

Tags: redline

Windows security modification

Tags: evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buFq44VP59.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\84fdfde0af8e431ec192d975e95c933e8d8dbc55c8a70c66c7d1e44aaa900630.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plNf03Vm82.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ploK07QX66.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plcc44aj84.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpL47Ev64.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\84fdfde0af8e431ec192d975e95c933e8d8dbc55c8a70c66c7d1e44aaa900630.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plNf03Vm82.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ploK07QX66.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plcc44aj84.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpL47Ev64.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caRu16Yi25.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buFq44VP59.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buFq44VP59.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buFq44VP59.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caRu16Yi25.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2936 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\84fdfde0af8e431ec192d975e95c933e8d8dbc55c8a70c66c7d1e44aaa900630.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plNf03Vm82.exe
PID 2936 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\84fdfde0af8e431ec192d975e95c933e8d8dbc55c8a70c66c7d1e44aaa900630.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plNf03Vm82.exe
PID 2936 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\84fdfde0af8e431ec192d975e95c933e8d8dbc55c8a70c66c7d1e44aaa900630.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plNf03Vm82.exe
PID 1640 wrote to memory of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plNf03Vm82.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ploK07QX66.exe
PID 1640 wrote to memory of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plNf03Vm82.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ploK07QX66.exe
PID 1640 wrote to memory of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plNf03Vm82.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ploK07QX66.exe
PID 1104 wrote to memory of 3096 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ploK07QX66.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plcc44aj84.exe
PID 1104 wrote to memory of 3096 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ploK07QX66.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plcc44aj84.exe
PID 1104 wrote to memory of 3096 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ploK07QX66.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plcc44aj84.exe
PID 3096 wrote to memory of 4292 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plcc44aj84.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpL47Ev64.exe
PID 3096 wrote to memory of 4292 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plcc44aj84.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpL47Ev64.exe
PID 3096 wrote to memory of 4292 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plcc44aj84.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpL47Ev64.exe
PID 4292 wrote to memory of 2444 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpL47Ev64.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buFq44VP59.exe
PID 4292 wrote to memory of 2444 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpL47Ev64.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buFq44VP59.exe
PID 4292 wrote to memory of 4344 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpL47Ev64.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caRu16Yi25.exe
PID 4292 wrote to memory of 4344 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpL47Ev64.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caRu16Yi25.exe
PID 4292 wrote to memory of 4344 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpL47Ev64.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caRu16Yi25.exe

Processes

Process: C:\Users\Admin\AppData\Local\Temp\84fdfde0af8e431ec192d975e95c933e8d8dbc55c8a70c66c7d1e44aaa900630.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\84fdfde0af8e431ec192d975e95c933e8d8dbc55c8a70c66c7d1e44aaa900630.exe"

Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plNf03Vm82.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plNf03Vm82.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ploK07QX66.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ploK07QX66.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plcc44aj84.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plcc44aj84.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpL47Ev64.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpL47Ev64.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buFq44VP59.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buFq44VP59.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caRu16Yi25.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caRu16Yi25.exe

Process: C:\Windows\system32\sc.exe
Command line: C:\Windows\system32\sc.exe start wuauserv

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
RU | 193.233.20.24:4123 | | tcp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
RU | 193.233.20.24:4123 | | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
RU | 193.233.20.24:4123 | | tcp
RU | 193.233.20.24:4123 | | tcp
RU | 193.233.20.24:4123 | | tcp
RU | 193.233.20.24:4123 | | tcp
US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plNf03Vm82.exe

MD5: d3e6d11be461cb5f0379562613f3ca87
SHA1: 6ce2bd8d342937e3cbc0ec0ff139f8015a284c6d
SHA256: 874e8e0be5c32f14a3ac1da1eede3ea68ece6d5451e3e4f33cf112e9424523b5
SHA512: e330d770b44f3e1e5031d7cd3a507945ecffd430cba03d49f9bc907b56ef509bf34c00333d4c878a5081013a82804aa056f7e7c553ba546d3168c91930e40de8

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ploK07QX66.exe

MD5: 01c2223e2f71b7e78c763dfdd08333e3
SHA1: 04e12262f259bf888528eec0bee88ff4c7944baa
SHA256: a5838ff062b3b63e3c4bb3ae1de2b5fb7ab24856e9f87d67ae6010aa7b39f5bc
SHA512: 780e6bfaf31ac6f59789acc4e1deb0f61033e467cf69017be115cdf10d1b2157e5335df18ea4e68f5f0afd6347ce400ed112ca0ead64b4fc362bd74e3474bd34

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plcc44aj84.exe

MD5: 4794c70def557695b305734b17e13d0d
SHA1: 5f42a441eaf307e462d40769fb8e056c9b1e8419
SHA256: eb40c22aa43022c558a737f7764268b39cd02645200127a1e8dbd8a54870ab1b
SHA512: 704e01d27d25b435d129b240ad8cb6f90e0c7f13eeeaed638ece3bfc26c279ffb6fd4b1aae1292bc916796961689880e656aa26696184f71917234a2deb41202

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpL47Ev64.exe

MD5: 184fed720967656e793057022454f09b
SHA1: 68fe8facff2ed509b315d51af768f4dfd9aad7af
SHA256: 67288dacf00252668e9be5e2feed555edb9f3092482243b3a5e8d7daf9d6f4ff
SHA512: 95f47d6256744f27901f2aa56c8dde43c8a5f5b6ec41face7fc3c7c3689ab1fa14375bef225c031444276552c552116fdc8bc67dffa1db027c14b7dcb94eca75

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buFq44VP59.exe

MD5: b56255d57ccfa39a05f39a20ee60cc0a
SHA1: af80c1eecfabcdd48fece68cec63d3e15fb20b80
SHA256: 288ed88964e563607ae87c0e8f825e2cf64f1b3378cf2cba47c2d72d9a484055
SHA512: b861b16a21c5abb6d6afd1949a80f0c2179eed779fb768fa3ba6868b0f50da0c4f75c3515662cba0e591c503d5ca2c68ae8c1f40e7570aebe9e280288d88060f

memory/2444-35-0x0000000000DB0000-0x0000000000DBA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caRu16Yi25.exe

MD5: e11ed6fc64ebc2ac86e3a4e39aa0b6b6
SHA1: ad61736c537f06c5eda7ae7064b55a37b514eea1
SHA256: 8b09887654b84d73fdaf0d421b2d5910529cbfcd5a4848a23111c2612d3a1695
SHA512: 43e07b129d1b0269027fca92c05cd28fcecd5c9469df0b414ad24ba1b3270f6e55c2e5b67bc4734ec43d72e0609d58c068c23560716db14cd468031cb7b6b880

memory/4344-41-0x0000000002550000-0x0000000002596000-memory.dmp
memory/4344-42-0x0000000004E20000-0x00000000053C4000-memory.dmp
memory/4344-43-0x0000000002640000-0x0000000002684000-memory.dmp
memory/4344-45-0x0000000002640000-0x000000000267E000-memory.dmp
memory/4344-53-0x0000000002640000-0x000000000267E000-memory.dmp
memory/4344-105-0x0000000002640000-0x000000000267E000-memory.dmp
memory/4344-103-0x0000000002640000-0x000000000267E000-memory.dmp
memory/4344-101-0x0000000002640000-0x000000000267E000-memory.dmp
memory/4344-99-0x0000000002640000-0x000000000267E000-memory.dmp
memory/4344-97-0x0000000002640000-0x000000000267E000-memory.dmp
memory/4344-95-0x0000000002640000-0x000000000267E000-memory.dmp
memory/4344-93-0x0000000002640000-0x000000000267E000-memory.dmp
memory/4344-91-0x0000000002640000-0x000000000267E000-memory.dmp
memory/4344-89-0x0000000002640000-0x000000000267E000-memory.dmp
memory/4344-87-0x0000000002640000-0x000000000267E000-memory.dmp
memory/4344-85-0x0000000002640000-0x000000000267E000-memory.dmp
memory/4344-83-0x0000000002640000-0x000000000267E000-memory.dmp
memory/4344-81-0x0000000002640000-0x000000000267E000-memory.dmp
memory/4344-79-0x0000000002640000-0x000000000267E000-memory.dmp
memory/4344-75-0x0000000002640000-0x000000000267E000-memory.dmp
memory/4344-73-0x0000000002640000-0x000000000267E000-memory.dmp
memory/4344-71-0x0000000002640000-0x000000000267E000-memory.dmp
memory/4344-69-0x0000000002640000-0x000000000267E000-memory.dmp
memory/4344-65-0x0000000002640000-0x000000000267E000-memory.dmp
memory/4344-63-0x0000000002640000-0x000000000267E000-memory.dmp
memory/4344-59-0x0000000002640000-0x000000000267E000-memory.dmp
memory/4344-57-0x0000000002640000-0x000000000267E000-memory.dmp
memory/4344-55-0x0000000002640000-0x000000000267E000-memory.dmp
memory/4344-51-0x0000000002640000-0x000000000267E000-memory.dmp
memory/4344-49-0x0000000002640000-0x000000000267E000-memory.dmp
memory/4344-47-0x0000000002640000-0x000000000267E000-memory.dmp
memory/4344-107-0x0000000002640000-0x000000000267E000-memory.dmp
memory/4344-77-0x0000000002640000-0x000000000267E000-memory.dmp
memory/4344-67-0x0000000002640000-0x000000000267E000-memory.dmp
memory/4344-61-0x0000000002640000-0x000000000267E000-memory.dmp
memory/4344-44-0x0000000002640000-0x000000000267E000-memory.dmp
memory/4344-950-0x00000000053D0000-0x00000000059E8000-memory.dmp
memory/4344-951-0x00000000059F0000-0x0000000005AFA000-memory.dmp
memory/4344-952-0x0000000004DF0000-0x0000000004E02000-memory.dmp
memory/4344-953-0x0000000005B00000-0x0000000005B3C000-memory.dmp
memory/4344-954-0x0000000005C50000-0x0000000005C9C000-memory.dmp