Malware Analysis Report

2024-12-06 02:54

Sample ID 241110-a6k2naymcl
Target 56160d602c873c42095b5f6b10e176e91203ae709ab84b96d6f46f0e42ab54f8
SHA256 56160d602c873c42095b5f6b10e176e91203ae709ab84b96d6f46f0e42ab54f8
Tags healer redline discovery dropper evasion infostealer persistence trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 56160d602c873c42095b5f6b10e176e91203ae709ab84b96d6f46f0e42ab54f8

Threat Level: Known bad

The file 56160d602c873c42095b5f6b10e176e91203ae709ab84b96d6f46f0e42ab54f8 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Healer family

Detects Healer an antivirus disabler dropper

Healer

Redline family

RedLine payload

RedLine

Executes dropped EXE

Windows security modification

Adds Run key to start application

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:49

Reported

2024-11-10 00:52

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\56160d602c873c42095b5f6b10e176e91203ae709ab84b96d6f46f0e42ab54f8.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr379130.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr379130.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr379130.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr379130.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr379130.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr379130.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr379130.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr379130.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\56160d602c873c42095b5f6b10e176e91203ae709ab84b96d6f46f0e42ab54f8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un087545.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu461196.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\56160d602c873c42095b5f6b10e176e91203ae709ab84b96d6f46f0e42ab54f8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un087545.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr379130.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr379130.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr379130.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr379130.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu461196.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2352 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\56160d602c873c42095b5f6b10e176e91203ae709ab84b96d6f46f0e42ab54f8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un087545.exe
PID 2164 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un087545.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr379130.exe
PID 2164 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un087545.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu461196.exe

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\56160d602c873c42095b5f6b10e176e91203ae709ab84b96d6f46f0e42ab54f8.exe "C:\Users\Admin\AppData\Local\Temp\56160d602c873c42095b5f6b10e176e91203ae709ab84b96d6f46f0e42ab54f8.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un087545.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un087545.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr379130.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr379130.exe
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1968 -ip 1968
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1084
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu461196.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu461196.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.142:38452 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 67.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un087545.exe

MD5 3637f5de80c7d9159b1ba7246de06d39
SHA1 727c78a84ef13a2ecde747c09f31e3a540d2c9f2
SHA256 18d76b0a3a6f25dc9f0ca537d14232b785a6d47971711752baf539f2f17815e5
SHA512 c72db6a2581db32b5c24262895c464076e6d1ad7002ac1f73b7cfef77aefbc40f437f4ef78186de6c8d69054fca59d5f81df8519e59a80c1b5b37c76028f5586

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr379130.exe

MD5 2b2243ceefe8f4ca523f4b14381fc399
SHA1 59c88cd316ac684817d9d344e289322dd90214b6
SHA256 5658582957ab651adc1d81c3016b78b47ec2a6821926f5b0cdda003943520abd
SHA512 9133f30cb77f5896a9fa710ff7c54125897dceac81ea8485e97588c5f8c61b10bf237c5da2ff33f8ee19d6f4fc5ecf2f7ed7a2afa85cf16ec0321474a50f4dc6


C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu461196.exe

MD5 6975ce4e5ddb81809062ce5e8cdd910a
SHA1 9cbc845740756ab8c380ef5f70cd8dfe86e56fa6
SHA256 510305c997b7166d7531932d75666260f463338938a0a0189b5189f78ba4a589
SHA512 4021700e17338f793fefc56eb8fbd1b03812b96e2094717ec6637af67ee2dcefa8b29a55773b1c8fd2da14861fe47e7195bfbe5190ee26b7db3d7f8e7c51166e
