Malware Analysis Report

2024-12-06 02:40

Sample ID 241110-a5cnwsymap
Target 93419aa47139b6ee4c3700df05dbff8266f109da7300d5c4925a3357cbef0f69
SHA256 93419aa47139b6ee4c3700df05dbff8266f109da7300d5c4925a3357cbef0f69
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

93419aa47139b6ee4c3700df05dbff8266f109da7300d5c4925a3357cbef0f69

Threat Level: Known bad

The file 93419aa47139b6ee4c3700df05dbff8266f109da7300d5c4925a3357cbef0f69 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Detects Healer, an antivirus disabler dropper

Healer family

Healer

RedLine

Redline family

RedLine payload

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:47

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:47

Reported

2024-11-10 00:49

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\93419aa47139b6ee4c3700df05dbff8266f109da7300d5c4925a3357cbef0f69.exe"

Signatures

Detects Healer, an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\24267176.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\24267176.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\24267176.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\24267176.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\24267176.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\24267176.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\24267176.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\24267176.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\93419aa47139b6ee4c3700df05dbff8266f109da7300d5c4925a3357cbef0f69.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un907489.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\93419aa47139b6ee4c3700df05dbff8266f109da7300d5c4925a3357cbef0f69.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un907489.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\24267176.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk921720.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\24267176.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\24267176.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk921720.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4100 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\93419aa47139b6ee4c3700df05dbff8266f109da7300d5c4925a3357cbef0f69.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un907489.exe
PID 1464 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un907489.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\24267176.exe
PID 1464 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un907489.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk921720.exe

Processes

C:\Users\Admin\AppData\Local\Temp\93419aa47139b6ee4c3700df05dbff8266f109da7300d5c4925a3357cbef0f69.exe

"C:\Users\Admin\AppData\Local\Temp\93419aa47139b6ee4c3700df05dbff8266f109da7300d5c4925a3357cbef0f69.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un907489.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un907489.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\24267176.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\24267176.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2996 -ip 2996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk921720.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk921720.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un907489.exe

MD5 ecb76fa680b109883bd67242dcb36af6
SHA1 5b4ade2f4a2c991472de40f9fcbfde831cd0dd43
SHA256 80b1c27c46b4c89c7e9341ce1d3f06bcd024c2f3d8bac1ce45a4964bdc29b1fe
SHA512 8b7b5cd610f386d5ed35d6260eced0a28eb40152d8a0a400e7f42a3fb13f56ad8537181ff2141c9cd7134a60ae19e46d74ae31da8923a827aeb3577fa19e81d8

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\24267176.exe

MD5 431b02f23bff0b80bbc46b06d8a4bded
SHA1 029931c20bc38046425b5281433978b760ff22a8
SHA256 7e37bd45a6f5b00722e8326042633110cb17bfa445b2426e8a7f659db7dd0593
SHA512 aa604374ae3543b61e99c41fbefdab8ca176d534d47d4c52a82c4272d880a0b11293394085c3aa4dcadad2ff0c3bd8eb12754f0397c078b505b8717f6f3da7a0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk921720.exe

MD5 8021ee584e0014faa8f1056a38fb6abf
SHA1 3fb91bd3fc92ef6bc84aa05b6d1c571ceb1372bb
SHA256 a5400e5e3d4bca8397b1a040a11f67b4424d21e8136ecb0b4065ff712a67a5ad
SHA512 3978a9a21a2103baad8b6a49456399686785161a09502d0fd8240e858476689de9ca26d7b69f22bef650fdf499a3b101f86896ca8c0b61c82a27397501e361e6