Malware Analysis Report

2024-12-06 02:45

Sample ID 241110-a5wf1awckf
Target 6df258d780c728ca060dc16da8f830cb5a989187d38bc99a74597df9d25ef1dd
SHA256 6df258d780c728ca060dc16da8f830cb5a989187d38bc99a74597df9d25ef1dd
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6df258d780c728ca060dc16da8f830cb5a989187d38bc99a74597df9d25ef1dd

Threat Level: Known bad

The file 6df258d780c728ca060dc16da8f830cb5a989187d38bc99a74597df9d25ef1dd was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

RedLine

Healer

RedLine payload

Healer family

Modifies Windows Defender Real-time Protection settings

Redline family

Detects Healer an antivirus disabler dropper

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:48

Signatures

Unsigned PE

Description Indicator Process Target
(1 match; the report records no description, indicator, process or target for it)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:48

Reported

2024-11-10 00:50

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6df258d780c728ca060dc16da8f830cb5a989187d38bc99a74597df9d25ef1dd.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
(17 matches; the report records no description, indicator, process or target for any of them)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(20 matches; the report records no description, indicator, process or target for any of them)


Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un899115.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\6df258d780c728ca060dc16da8f830cb5a989187d38bc99a74597df9d25ef1dd.exe N/A

Note on this signature: both values are RunOnce entries named wextract_cleanupN that point advpack.dll's DelNodeRunDLL32 at the IXP000.TMP and IXP001.TMP extraction directories. That is the cleanup entry the Win32 cabinet self-extractor (wextract) writes so its temp directory is deleted at next logon; the IXP*.TMP directory names are the same extractor's artifact. The entries delete files rather than relaunch anything, so they are not persistence for the payloads, and the two of them show two nested self-extracting layers: the sample extracts un899115.exe into IXP000.TMP, and un899115.exe extracts pr938007.exe and qu550764.exe into IXP001.TMP.
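A detection over the registry writes recorded above, as an added example that is not part of the sandbox report or of any vendor's rule set. It takes registry set-value events as (process, key, value) triples, Sysmon Event 13 style, and flags a process that both disables the Real-Time Protection policy values and clears Features\TamperProtection (the combination pr938007.exe shows), while classifying the wextract_cleanup RunOnce values separately as SFX cleanup rather than persistence. The EVENTS list is constructed here from the key paths and values in this report plus one constructed benign event; the verdict names are this example's own.

```python
"""Flag the Defender-tampering and SFX-cleanup registry writes this report
records, given registry set-value events as (process, key, value) triples.

Added example: not part of the sandbox report. EVENTS is constructed here;
the key paths and values are those the report attributes to pr938007.exe,
un899115.exe and the top-level sample, plus one constructed benign event.
"""
import re
from collections import defaultdict

# Real-Time Protection policy values the report shows being set to 1,
# keyed by lower-case name so matching is case-insensitive.
RTP_DISABLE_VALUES = {v.lower(): v for v in (
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
)}

# Match on the key tail only: the report shows these keys under WOW6432Node
# (the sample is a 32-bit process); a 64-bit writer would use the native path.
RTP_KEY_RE = re.compile(
    r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\(\w+)$", re.I)
TAMPER_RE = re.compile(
    r"\\Microsoft\\Windows Defender\\Features\\TamperProtection$", re.I)
RUNONCE_RE = re.compile(
    r"\\CurrentVersion\\RunOnce\\(wextract_cleanup\d+)$", re.I)

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\6df258d780c728ca060dc16da8f830cb5a989187d38bc99a74597df9d25ef1dd.exe"
SFX_INNER = TEMP + r"\IXP000.TMP\un899115.exe"
HEALER = TEMP + r"\IXP001.TMP\pr938007.exe"
HKLM_SW = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node"
RTP = HKLM_SW + r"\Policies\Microsoft\Windows Defender\Real-Time Protection"
RUNONCE = HKLM_SW + r"\Microsoft\Windows\CurrentVersion\RunOnce"
CLEANUP = r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "' + TEMP

EVENTS = [
    (HEALER, RTP + r"\DisableBehaviorMonitoring", 1),
    (HEALER, RTP + r"\DisableIOAVProtection", 1),
    (HEALER, RTP + r"\DisableOnAccessProtection", 1),
    (HEALER, RTP + r"\DisableRealtimeMonitoring", 1),
    (HEALER, RTP + r"\DisableScanOnRealtimeEnable", 1),
    (HEALER, HKLM_SW + r"\Microsoft\Windows Defender\Features\TamperProtection", 0),
    (SFX_INNER, RUNONCE + r"\wextract_cleanup1", CLEANUP + r'\IXP001.TMP\"'),
    (SAMPLE, RUNONCE + r"\wextract_cleanup0", CLEANUP + r'\IXP000.TMP\"'),
    # Constructed benign event, not from the report: an ordinary Run value.
    (r"C:\Program Files\Example\updater.exe",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
     r"C:\Program Files\Example\updater.exe"),
]


def classify(events):
    """Return per-process findings for processes that touched a watched key."""
    state = defaultdict(lambda: {"rtp_disabled": set(), "tamper_off": False,
                                 "runonce_cleanup": []})
    for proc, key, value in events:
        m = RTP_KEY_RE.search(key)
        if m and m.group(1).lower() in RTP_DISABLE_VALUES and str(value) == "1":
            state[proc]["rtp_disabled"].add(RTP_DISABLE_VALUES[m.group(1).lower()])
        elif TAMPER_RE.search(key) and str(value) == "0":
            state[proc]["tamper_off"] = True
        elif RUNONCE_RE.search(key):
            state[proc]["runonce_cleanup"].append(RUNONCE_RE.search(key).group(1))
    result = {}
    for proc, s in state.items():
        verdicts = []
        if s["rtp_disabled"]:
            verdicts.append("defender_rtp_policy_disabled")
        if s["tamper_off"]:
            verdicts.append("tamper_protection_cleared")
        if s["rtp_disabled"] and s["tamper_off"]:
            verdicts.append("healer_pattern")  # both together, as pr938007.exe does
        if s["runonce_cleanup"]:
            # wextract's own cleanup entry: deletes the IXP*.TMP directory at
            # next logon; it does not relaunch the payload.
            verdicts.append("sfx_cleanup_runonce")
        result[proc] = {"rtp_disabled": sorted(s["rtp_disabled"]),
                        "tamper_off": s["tamper_off"],
                        "runonce_cleanup": s["runonce_cleanup"],
                        "verdicts": verdicts}
    return result


if __name__ == "__main__":
    for proc, r in classify(EVENTS).items():
        print(proc.rsplit("\\", 1)[-1], r["verdicts"], r["rtp_disabled"])
```

Treat the writes as intent, not outcome: with Tamper Protection on, Defender is designed to block changes to these real-time protection settings, and a sandbox image may not be running Defender at all, so the recorded Set value events say what the dropper tried to do, not what took effect on the host.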

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6df258d780c728ca060dc16da8f830cb5a989187d38bc99a74597df9d25ef1dd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un899115.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu550764.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu550764.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2520 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\6df258d780c728ca060dc16da8f830cb5a989187d38bc99a74597df9d25ef1dd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un899115.exe
PID 2520 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\6df258d780c728ca060dc16da8f830cb5a989187d38bc99a74597df9d25ef1dd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un899115.exe
PID 2520 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\6df258d780c728ca060dc16da8f830cb5a989187d38bc99a74597df9d25ef1dd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un899115.exe
PID 1492 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un899115.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe
PID 1492 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un899115.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe
PID 1492 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un899115.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe
PID 1492 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un899115.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu550764.exe
PID 1492 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un899115.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu550764.exe
PID 1492 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un899115.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu550764.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6df258d780c728ca060dc16da8f830cb5a989187d38bc99a74597df9d25ef1dd.exe

"C:\Users\Admin\AppData\Local\Temp\6df258d780c728ca060dc16da8f830cb5a989187d38bc99a74597df9d25ef1dd.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un899115.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un899115.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2084 -ip 2084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 1076

Both WerFault instances carry -p 2084, the PID that the WriteProcessMemory rows map to pr938007.exe (the Healer dropper); this is the crash behind the Program crash signature, and the SysWOW64 path confirms the faulting process is 32-bit.

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu550764.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu550764.exe
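The process tree this run produced, reconstructed from the WriteProcessMemory table and the WerFault command lines above, as an added example that is not part of the sandbox report. WRITE_ROWS reproduces the report's nine WriteProcessMemory rows (one per event) and WERFAULT_CMDLINES the two WerFault command lines; the row parsing, the edge collapsing and the tree layout are this example's own, and the assumption is that a "wrote to memory of" edge from a parent to a freshly created PID marks a child process.

```python
"""Rebuild the detonation's process tree from the report's WriteProcessMemory
rows and mark the PID WerFault was invoked for.

Added example: not part of the sandbox report. WRITE_ROWS reproduces the
report's WriteProcessMemory table and WERFAULT_CMDLINES its two WerFault
command lines; parsing and layout are this example's own.
"""
import re
from collections import defaultdict

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
# WerFault is started with -p <pid> of the faulting process.
WERFAULT_RE = re.compile(r"WerFault\.exe\b.*?\s-p (\d+)")

T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = T + r"\6df258d780c728ca060dc16da8f830cb5a989187d38bc99a74597df9d25ef1dd.exe"
UN = T + r"\IXP000.TMP\un899115.exe"
PR = T + r"\IXP001.TMP\pr938007.exe"
QU = T + r"\IXP001.TMP\qu550764.exe"

# The report lists each edge three times (three writes per process creation).
WRITE_ROWS = (
    [f"PID 2520 wrote to memory of 1492 N/A {SAMPLE} {UN}"] * 3
    + [f"PID 1492 wrote to memory of 2084 N/A {UN} {PR}"] * 3
    + [f"PID 1492 wrote to memory of 5056 N/A {UN} {QU}"] * 3
)
WERFAULT_CMDLINES = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2084 -ip 2084",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 1076",
]


def parse_writes(rows):
    """Collapse repeated rows into one edge per (src, dst) with an event count."""
    edges = {}  # (src_pid, dst_pid) -> {"src": image, "dst": image, "count": n}
    for row in rows:
        m = WRITE_RE.match(row.strip())
        if not m:
            continue  # not a WriteProcessMemory row
        key = (int(m.group(1)), int(m.group(2)))
        e = edges.setdefault(key, {"src": m.group(3), "dst": m.group(4), "count": 0})
        e["count"] += 1
    return edges


def build_tree(edges):
    """Return (children, images, roots); roots are PIDs nobody wrote into."""
    children, images = defaultdict(list), {}
    for (src, dst), e in edges.items():
        children[src].append(dst)
        images.setdefault(src, e["src"])
        images.setdefault(dst, e["dst"])
    targets = {dst for _, dst in edges}
    roots = [pid for pid in images if pid not in targets]
    return children, images, roots


def werfault_targets(cmdlines):
    """PIDs that WerFault was started for, i.e. the processes that faulted."""
    return {int(m.group(1)) for c in cmdlines for m in [WERFAULT_RE.search(c)] if m}


def render(edges, crashed):
    """Indented tree: pid, image basename, write count from parent, crash flag."""
    children, images, roots = build_tree(edges)
    out = []

    def walk(pid, parent, depth):
        name = images[pid].rsplit("\\", 1)[-1]
        note = ""
        if parent is not None:
            note = f"  ({edges[(parent, pid)]['count']} WriteProcessMemory events from {parent})"
        flag = "  [WerFault invoked]" if pid in crashed else ""
        out.append(f"{'  ' * depth}{pid}  {name}{note}{flag}")
        for child in children.get(pid, []):
            walk(child, pid, depth + 1)

    for root in roots:
        walk(root, None, 0)
    return "\n".join(out)


if __name__ == "__main__":
    print(render(parse_writes(WRITE_ROWS), werfault_targets(WERFAULT_CMDLINES)))
```

The rendered tree is the dropper chain: 2520 (the sample) creates 1492 (un899115.exe), which creates both 2084 (pr938007.exe, the process WerFault was invoked for) and 5056 (qu550764.exe, the process whose memory regions the Files section lists last). The same parser works on any report in this row layout; rows that do not match the pattern are skipped rather than guessed at.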

Network

Country  Destination            Domain                        Proto
US       8.8.8.8:53             8.8.8.8.in-addr.arpa          udp
US       8.8.8.8:53             232.168.11.51.in-addr.arpa    udp
US       8.8.8.8:53             240.221.184.93.in-addr.arpa   udp
US       8.8.8.8:53             20.160.190.20.in-addr.arpa    udp
US       8.8.8.8:53             95.221.229.192.in-addr.arpa   udp
RU       185.161.248.153:38452  -                             tcp
US       8.8.8.8:53             241.42.69.40.in-addr.arpa     udp
US       8.8.8.8:53             56.163.245.4.in-addr.arpa     udp
US       8.8.8.8:53             172.210.232.199.in-addr.arpa  udp
RU       185.161.248.153:38452  -                             tcp
US       8.8.8.8:53             133.211.185.52.in-addr.arpa   udp
RU       185.161.248.153:38452  -                             tcp
RU       185.161.248.153:38452  -                             tcp
US       8.8.8.8:53             21.236.111.52.in-addr.arpa    udp
RU       185.161.248.153:38452  -                             tcp
RU       185.161.248.153:38452  -                             tcp
RU       185.161.248.153:38452  -                             tcp

The in-addr.arpa rows are reverse lookups sent to the sandbox resolver (8.8.8.8) and carry no hostname the sample asked for. The only non-DNS traffic is the repeated TCP connections to 185.161.248.153:38452 (seven attempts within the 150 s network window); that IP:port pair is the network indicator from this run and should be treated as the candidate check-in endpoint for the RedLine payload, subject to confirmation from the payload's configuration.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un899115.exe

MD5 9e6de9329eef1cfb57af938f064f5794
SHA1 ada9daf1bd6a414de05c8f75961c2d866b513e1a
SHA256 63bf39d53d4996c5fd5dfb625bf2a299d01fb8f47902bd549b0779d43c6bbec8
SHA512 df26de995cb28ce280bf4b150107f727fc746978477967578c82b4569cd780695841608bbd2e48e98e05f03d152fc07f34202b2afd5c916ea69d795f9ce8c32c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe

MD5 e548f46d8f6f68b524aeaa561970750b
SHA1 0bbd0950e2e5bc0df8465c0f3c7461b69050bb54
SHA256 79a000a3eeaae5f078a3c8d2b8d5e9b6037d0258f1abd60d9de5dbe3a56e977f
SHA512 e6a37e6d1774a3ee5f6c53ae5e32d66eb179882671513f3c6f476072c7ee46b1ea58459dfc759667891f6dd2a4dda940e49f34d31a7363cfccbac13d6210cf9e

memory/2084-15-0x0000000002F00000-0x0000000003000000-memory.dmp

memory/2084-16-0x0000000002C90000-0x0000000002CBD000-memory.dmp

memory/2084-17-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2084-18-0x0000000002E70000-0x0000000002E8A000-memory.dmp

memory/2084-19-0x00000000073F0000-0x0000000007994000-memory.dmp

memory/2084-20-0x00000000048F0000-0x0000000004908000-memory.dmp

memory/2084-26-0x00000000048F0000-0x0000000004902000-memory.dmp

memory/2084-46-0x00000000048F0000-0x0000000004902000-memory.dmp

memory/2084-48-0x00000000048F0000-0x0000000004902000-memory.dmp

memory/2084-45-0x00000000048F0000-0x0000000004902000-memory.dmp

memory/2084-42-0x00000000048F0000-0x0000000004902000-memory.dmp

memory/2084-40-0x00000000048F0000-0x0000000004902000-memory.dmp

memory/2084-38-0x00000000048F0000-0x0000000004902000-memory.dmp

memory/2084-37-0x00000000048F0000-0x0000000004902000-memory.dmp

memory/2084-34-0x00000000048F0000-0x0000000004902000-memory.dmp

memory/2084-32-0x00000000048F0000-0x0000000004902000-memory.dmp

memory/2084-30-0x00000000048F0000-0x0000000004902000-memory.dmp

memory/2084-28-0x00000000048F0000-0x0000000004902000-memory.dmp

memory/2084-24-0x00000000048F0000-0x0000000004902000-memory.dmp

memory/2084-22-0x00000000048F0000-0x0000000004902000-memory.dmp

memory/2084-21-0x00000000048F0000-0x0000000004902000-memory.dmp

memory/2084-49-0x0000000002F00000-0x0000000003000000-memory.dmp

memory/2084-50-0x0000000002C90000-0x0000000002CBD000-memory.dmp

memory/2084-52-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2084-51-0x0000000000400000-0x0000000002BB1000-memory.dmp

memory/2084-55-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2084-54-0x0000000000400000-0x0000000002BB1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu550764.exe

MD5 0c22d75e5b6393c3703fb937f5a5483f
SHA1 6af6fc45cf79ab2ab416c69a66650a684a85cd4d
SHA256 d5d5525308f4a1b6f3bbc48f0595cbe1c9ec7d7a7317ff220e2c97c1356556c6
SHA512 1e92508e4ef2ceade5af0d932834a6ec9b3a7618d394c8c2b39ccef9de439a2d79ca3729e7ccee6c4d6985c55ea092ad89cd73669400c0dfe873abb3d047c994

memory/5056-60-0x0000000004AC0000-0x0000000004AFC000-memory.dmp

memory/5056-61-0x0000000004B50000-0x0000000004B8A000-memory.dmp

memory/5056-81-0x0000000004B50000-0x0000000004B85000-memory.dmp

memory/5056-85-0x0000000004B50000-0x0000000004B85000-memory.dmp

memory/5056-83-0x0000000004B50000-0x0000000004B85000-memory.dmp

memory/5056-95-0x0000000004B50000-0x0000000004B85000-memory.dmp

memory/5056-93-0x0000000004B50000-0x0000000004B85000-memory.dmp

memory/5056-91-0x0000000004B50000-0x0000000004B85000-memory.dmp

memory/5056-89-0x0000000004B50000-0x0000000004B85000-memory.dmp

memory/5056-87-0x0000000004B50000-0x0000000004B85000-memory.dmp

memory/5056-79-0x0000000004B50000-0x0000000004B85000-memory.dmp

memory/5056-77-0x0000000004B50000-0x0000000004B85000-memory.dmp

memory/5056-75-0x0000000004B50000-0x0000000004B85000-memory.dmp

memory/5056-73-0x0000000004B50000-0x0000000004B85000-memory.dmp

memory/5056-71-0x0000000004B50000-0x0000000004B85000-memory.dmp

memory/5056-69-0x0000000004B50000-0x0000000004B85000-memory.dmp

memory/5056-67-0x0000000004B50000-0x0000000004B85000-memory.dmp

memory/5056-65-0x0000000004B50000-0x0000000004B85000-memory.dmp

memory/5056-63-0x0000000004B50000-0x0000000004B85000-memory.dmp

memory/5056-62-0x0000000004B50000-0x0000000004B85000-memory.dmp

memory/5056-854-0x0000000009C90000-0x000000000A2A8000-memory.dmp

memory/5056-855-0x000000000A350000-0x000000000A362000-memory.dmp

memory/5056-856-0x000000000A370000-0x000000000A47A000-memory.dmp

memory/5056-857-0x000000000A4A0000-0x000000000A4DC000-memory.dmp

memory/5056-858-0x00000000049B0000-0x00000000049FC000-memory.dmp