Malware Analysis Report

2024-12-06 02:42

Sample ID 241110-a5zhnavncy
Target d60e64d13ecbd0edc597e82a0cf6b4e153e86a28a1b6523378f3cc21f0cd5d75
SHA256 d60e64d13ecbd0edc597e82a0cf6b4e153e86a28a1b6523378f3cc21f0cd5d75
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d60e64d13ecbd0edc597e82a0cf6b4e153e86a28a1b6523378f3cc21f0cd5d75

Threat Level: Known bad

The file d60e64d13ecbd0edc597e82a0cf6b4e153e86a28a1b6523378f3cc21f0cd5d75 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Redline family

Detects Healer an antivirus disabler dropper

RedLine payload

Healer

RedLine

Modifies Windows Defender Real-time Protection settings

Healer family

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:48

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:48

Reported

2024-11-10 00:50

Platform

win10v2004-20241007-en

Max time kernel

138s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d60e64d13ecbd0edc597e82a0cf6b4e153e86a28a1b6523378f3cc21f0cd5d75.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (17 matches; no indicator details recorded)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4159681.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4159681.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4159681.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4159681.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4159681.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4159681.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (2 matches; no indicator details recorded)

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4159681.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4159681.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\d60e64d13ecbd0edc597e82a0cf6b4e153e86a28a1b6523378f3cc21f0cd5d75.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2258387.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d60e64d13ecbd0edc597e82a0cf6b4e153e86a28a1b6523378f3cc21f0cd5d75.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2258387.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4159681.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8291268.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4159681.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4159681.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4159681.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3960 wrote to memory of 412 | N/A | C:\Users\Admin\AppData\Local\Temp\d60e64d13ecbd0edc597e82a0cf6b4e153e86a28a1b6523378f3cc21f0cd5d75.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2258387.exe
PID 3960 wrote to memory of 412 | N/A | C:\Users\Admin\AppData\Local\Temp\d60e64d13ecbd0edc597e82a0cf6b4e153e86a28a1b6523378f3cc21f0cd5d75.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2258387.exe
PID 3960 wrote to memory of 412 | N/A | C:\Users\Admin\AppData\Local\Temp\d60e64d13ecbd0edc597e82a0cf6b4e153e86a28a1b6523378f3cc21f0cd5d75.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2258387.exe
PID 412 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2258387.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4159681.exe
PID 412 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2258387.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4159681.exe
PID 412 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2258387.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4159681.exe
PID 412 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2258387.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8291268.exe
PID 412 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2258387.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8291268.exe
PID 412 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2258387.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8291268.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d60e64d13ecbd0edc597e82a0cf6b4e153e86a28a1b6523378f3cc21f0cd5d75.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d60e64d13ecbd0edc597e82a0cf6b4e153e86a28a1b6523378f3cc21f0cd5d75.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2258387.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2258387.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4159681.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4159681.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8291268.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8291268.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
FI | 77.91.124.251:19069 | (none) | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
FI | 77.91.124.251:19069 | (none) | tcp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
FI | 77.91.124.251:19069 | (none) | tcp
FI | 77.91.124.251:19069 | (none) | tcp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
FI | 77.91.124.251:19069 | (none) | tcp
FI | 77.91.124.251:19069 | (none) | tcp
FI | 77.91.124.251:19069 | (none) | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2258387.exe

MD5 4192dcec8a09c53db7392d97dce22c1d
SHA1 0a6185daed30c6e50ebc719a88b6570b1630508b
SHA256 5f68d1fb8a272e948f4f73a88c4cbed5c54f5c1e1912ab1d50003eafd1ea1bf1
SHA512 27f32c0e316f1cf1f700d04eafa0c50e1e697fe95638ce4d1239d5aa6defdb2a33d6b752eba7b376df16fba00c4c8a2b4aa84406d944e672c978b3e707fc11de

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4159681.exe

MD5 31efd3ebb928fab6d261e5f67a9e4970
SHA1 054ebca622f337e29b83c1b25a72f9f51a096cec
SHA256 c59ad7f60e981d83514332bcc94513434f262142c0ba171ba0e21186fc232a6d
SHA512 b70f630c51d8a88ac98f1b7033e622f2e97c9661407aee46a2ffc60dcfff8f5769aa257d5626829b3bd28d405591d91c8bb13d49a2c93ec9a6382ba6ac8c3d2d

memory/2820-14-0x0000000073E2E000-0x0000000073E2F000-memory.dmp
memory/2820-15-0x00000000024C0000-0x00000000024DA000-memory.dmp
memory/2820-16-0x0000000073E20000-0x00000000745D0000-memory.dmp
memory/2820-17-0x0000000004AB0000-0x0000000005054000-memory.dmp
memory/2820-18-0x0000000005080000-0x0000000005098000-memory.dmp
memory/2820-19-0x0000000073E20000-0x00000000745D0000-memory.dmp
memory/2820-31-0x0000000005080000-0x0000000005092000-memory.dmp
memory/2820-47-0x0000000005080000-0x0000000005092000-memory.dmp
memory/2820-45-0x0000000005080000-0x0000000005092000-memory.dmp
memory/2820-43-0x0000000005080000-0x0000000005092000-memory.dmp
memory/2820-41-0x0000000005080000-0x0000000005092000-memory.dmp
memory/2820-39-0x0000000005080000-0x0000000005092000-memory.dmp
memory/2820-37-0x0000000005080000-0x0000000005092000-memory.dmp
memory/2820-35-0x0000000005080000-0x0000000005092000-memory.dmp
memory/2820-33-0x0000000005080000-0x0000000005092000-memory.dmp
memory/2820-29-0x0000000005080000-0x0000000005092000-memory.dmp
memory/2820-27-0x0000000005080000-0x0000000005092000-memory.dmp
memory/2820-25-0x0000000005080000-0x0000000005092000-memory.dmp
memory/2820-23-0x0000000005080000-0x0000000005092000-memory.dmp
memory/2820-21-0x0000000005080000-0x0000000005092000-memory.dmp
memory/2820-20-0x0000000005080000-0x0000000005092000-memory.dmp
memory/2820-48-0x0000000073E20000-0x00000000745D0000-memory.dmp
memory/2820-49-0x0000000073E2E000-0x0000000073E2F000-memory.dmp
memory/2820-50-0x0000000073E20000-0x00000000745D0000-memory.dmp
memory/2820-52-0x0000000073E20000-0x00000000745D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8291268.exe

MD5 0d79f2e411dc275f0a96fed19d0ee0f7
SHA1 a6aec4f7c5bc82c1e4ec4b5bf1adbc65d18452e9
SHA256 59eade537224d7c4f5f79baea68cbe4400d0fa273b8849ebfdb2667eac7068fe
SHA512 e048878812f790218b9a5ba65290ddb17543146ea0e883faf008a1438547e0917d4d1a67b08e95bd73b874e3497c312309c53cccc259abfe181cbcb5a6fbc834

memory/2728-56-0x0000000000630000-0x0000000000658000-memory.dmp
memory/2728-57-0x0000000007900000-0x0000000007F18000-memory.dmp
memory/2728-58-0x0000000007390000-0x00000000073A2000-memory.dmp
memory/2728-59-0x00000000074C0000-0x00000000075CA000-memory.dmp
memory/2728-60-0x0000000007410000-0x000000000744C000-memory.dmp
memory/2728-61-0x0000000007450000-0x000000000749C000-memory.dmp