Malware Analysis Report

2024-12-06 02:51

Sample ID 241110-a56lzaymbr
Target 3622ea50ee56c7ecdf9485930252235507969bf65388f0ac5aded57def748421
SHA256 3622ea50ee56c7ecdf9485930252235507969bf65388f0ac5aded57def748421
Tags
healer redline stek discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3622ea50ee56c7ecdf9485930252235507969bf65388f0ac5aded57def748421

Threat Level: Known bad

The file 3622ea50ee56c7ecdf9485930252235507969bf65388f0ac5aded57def748421 was found to be: Known bad.

Malicious Activity Summary

healer redline stek discovery dropper evasion infostealer persistence trojan

Healer

RedLine payload

Modifies Windows Defender Real-time Protection settings

Redline family

RedLine

Healer family

Detects Healer an antivirus disabler dropper

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:48

Reported

2024-11-10 00:51

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3622ea50ee56c7ecdf9485930252235507969bf65388f0ac5aded57def748421.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw93al02OT30.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw93al02OT30.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw93al02OT30.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw93al02OT30.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw93al02OT30.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw93al02OT30.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw93al02OT30.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\3622ea50ee56c7ecdf9485930252235507969bf65388f0ac5aded57def748421.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vSn2626dF.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\txr10At31.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3622ea50ee56c7ecdf9485930252235507969bf65388f0ac5aded57def748421.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vSn2626dF.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw93al02OT30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw93al02OT30.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw93al02OT30.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\txr10At31.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3622ea50ee56c7ecdf9485930252235507969bf65388f0ac5aded57def748421.exe

"C:\Users\Admin\AppData\Local\Temp\3622ea50ee56c7ecdf9485930252235507969bf65388f0ac5aded57def748421.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vSn2626dF.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vSn2626dF.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw93al02OT30.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw93al02OT30.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\txr10At31.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\txr10At31.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 melevv.eu udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vSn2626dF.exe

MD5 4e47101bf27f017820dcb3e5a057444c
SHA1 63ead52dbd99998b33db9a1d0bcc170f573fac39
SHA256 4312db0071ba50b0e257b2ea748ce0c90f9acc4361133f66fabd26a3a57a89bd
SHA512 ed405637a695703f6e650e6a8e777f4012a159cbfaf32969377ea4f6e4e8ff14a90acb237591fcbe4771ab1bf8066ce03b4d337fdda67d4389f9532c0f465efc

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw93al02OT30.exe

MD5 8d1cf7a7f17137d8e95add5bbed05ed4
SHA1 2fcda4d8ed4107b95d478901bd0272338cac0cf9
SHA256 0cef232f16edba167413b271de9115afbac265bba9b0b166c1bb4a7b82b0cade
SHA512 a6f074e6c55cbc43c0ac882de874ca6aaf1c5fc0f18c582b3bddf6da1515fef4aeeed2e0d7858237df573b104254fd0e325dc85c3eb092554f6b7e2c3c4f5d02

memory/4304-14-0x00007FFCECE03000-0x00007FFCECE05000-memory.dmp

memory/4304-15-0x0000000000980000-0x000000000098A000-memory.dmp

memory/4304-17-0x00007FFCECE03000-0x00007FFCECE05000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\txr10At31.exe

MD5 664a015342c3d330ea7ab67d0430d67f
SHA1 3a8e746dca1380e17f53af011ce5fba72752614e
SHA256 bb1eb4ef9f8e04595b4251c05ae567901df5130b8288c3b245b0696bb5c07974
SHA512 865c245a2ec64268486c7f24f766d69daafb59f11458825eb4fbe9e2b791759309ebf9c735efde97704d9368c6f4361f88cdf79cfafa50f2905c2dabe0f73441
