Malware Analysis Report

2024-12-06 02:54

Sample ID 241110-a6qxxaymcn
Target 4e1d0610a9dd95c87734fc2bd38a04b49118fe5c5ca6f0e5d18eb3730127d9c6
SHA256 4e1d0610a9dd95c87734fc2bd38a04b49118fe5c5ca6f0e5d18eb3730127d9c6
Tags
healer redline rumfa discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4e1d0610a9dd95c87734fc2bd38a04b49118fe5c5ca6f0e5d18eb3730127d9c6

Threat Level: Known bad

The file 4e1d0610a9dd95c87734fc2bd38a04b49118fe5c5ca6f0e5d18eb3730127d9c6 was found to be: Known bad.

Malicious Activity Summary

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Redline family

RedLine payload

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

Healer family

Healer

RedLine

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:49

Signatures

Unsigned PE

Description Indicator Process Target
1 detection; no description, indicator, process or target recorded

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:49

Reported

2024-11-10 00:52

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e1d0610a9dd95c87734fc2bd38a04b49118fe5c5ca6f0e5d18eb3730127d9c6.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
2 detections; no description, indicator, process or target recorded

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bumh98qZ52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bumh98qZ52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bumh98qZ52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bumh98qZ52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bumh98qZ52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bumh98qZ52.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
35 detections; none with a description, indicator, process or target recorded (the payload is not tied to a process by this signature; see the memory dumps under Files)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bumh98qZ52.exe N/A

Adds Run key to start application

persistence

Note: all five entries below are RunOnce\wextract_cleanupN values of the kind written by wextract.exe, the Microsoft IExpress self-extractor. Each one runs rundll32 advpack.dll,DelNodeRunDLL32 at next logon to delete the IXP00N.TMP directory that layer extracted into. They are SFX housekeeping rather than persistence for the payload, but five of them written by five different processes is a strong marker of a five-layer nested IExpress dropper chain (IXP000.TMP through IXP004.TMP), which is what the process list confirms.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plhQ87cM27.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plwQ02DP63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plUL15Hs92.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plfY52vo92.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4e1d0610a9dd95c87734fc2bd38a04b49118fe5c5ca6f0e5d18eb3730127d9c6.exe N/A
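The registry rows in the three tables above (Defender policy, TamperProtection, RunOnce) are what a responder has to grade. As an added example that is not part of this report or of the sandbox, the following Python parses rows in the report's own row format, copied from the tables above, and grades them: a Disable* value of 1 under the Real-Time Protection policy key or TamperProtection = 0 is a Defender disabler, a RunOnce\wextract_cleanupN value that calls advpack.dll,DelNodeRunDLL32 is IExpress cleanup rather than persistence, and any other Run/RunOnce write is persistence. The row regex and the severity labels are this example's own. One caveat on intent versus effect: these are HKLM writes that succeeded because the sandbox ran the sample as Admin; on a host with Tamper Protection enforced, Defender is designed to block or ignore changes to these values, so the rows prove what bumh98qZ52.exe tried to do, not that protection was actually off.

```python
import re
from collections import defaultdict

# Rows copied from this report's signature tables (description, indicator,
# process, target); "N/A" is the empty Target column. Constructed sample input.
SAMPLE_ROWS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bumh98qZ52.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bumh98qZ52.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bumh98qZ52.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bumh98qZ52.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4e1d0610a9dd95c87734fc2bd38a04b49118fe5c5ca6f0e5d18eb3730127d9c6.exe N/A',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plhQ87cM27.exe N/A',
]

# Row shape: <op> <key with spaces> [= "<value>"] <process path, no spaces> N/A
# (this regex is the example's own, written for the report's row layout)
ROW_RE = re.compile(
    r'^(Set value \(\w+\)|Key created|Key opened) (\\REGISTRY\\.*?)(?: = "(.*)")? (\S+) N/A$'
)

RTP_POLICY = r'\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
TAMPER = r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection'
RUN_KEY = re.compile(r'\\CurrentVersion\\Run(Once)?\\')


def classify(op, key, value):
    """Grade one registry event; returns (severity, label). Labels are the example's own."""
    parent, _, name = key.rpartition('\\')
    setting = op.startswith('Set value')
    if setting and parent == RTP_POLICY and name.startswith('Disable') and value == '1':
        return 'high', 'defender_rtp_policy_disabled:' + name
    if setting and key == TAMPER and value == '0':
        return 'high', 'tamper_protection_set_0'
    if op == 'Key created' and key == RTP_POLICY:
        # the policy key does not exist by default; creating it precedes the Disable* writes
        return 'medium', 'defender_rtp_policy_key_created'
    if RUN_KEY.search(key):
        if name.startswith('wextract_cleanup') and 'advpack.dll,DelNodeRunDLL32' in (value or ''):
            return 'info', 'iexpress_sfx_cleanup'  # SFX deleting its own IXP00N.TMP directory
        return 'medium', 'run_key_persistence'
    if key.endswith(r'\Control\NLS\Language'):
        return 'info', 'language_discovery'
    return 'low', 'other'


def triage(rows):
    """Group graded findings by the writing process; the verdict flips on any 'high'."""
    per_process = defaultdict(list)
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue  # rows without a registry key (the N/A-only tables) are skipped
        op, key, value, proc = m.groups()
        per_process[proc].append(classify(op, key, value))
    has_high = any(sev == 'high' for items in per_process.values() for sev, _ in items)
    return dict(per_process), ('defender_disabler' if has_high else 'no_defender_tampering')


if __name__ == '__main__':
    findings, verdict = triage(SAMPLE_ROWS)
    print('verdict:', verdict)
    for proc, items in findings.items():
        basename = proc.rsplit('\\', 1)[-1]
        for sev, label in items:
            print(f'{sev:6} {label:55} {basename}')
```

Run as-is it grades the six rows above: three 'high' findings for bumh98qZ52.exe, one 'info' cleanup entry for the sample, one 'info' discovery row for plhQ87cM27.exe. The same classify() can be pointed at Sysmon Event ID 12/13 records once their key and value fields are mapped onto the (op, key, value) triple.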

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4e1d0610a9dd95c87734fc2bd38a04b49118fe5c5ca6f0e5d18eb3730127d9c6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plhQ87cM27.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plwQ02DP63.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plUL15Hs92.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plfY52vo92.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caco88BT94.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bumh98qZ52.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bumh98qZ52.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bumh98qZ52.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caco88BT94.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1612 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\4e1d0610a9dd95c87734fc2bd38a04b49118fe5c5ca6f0e5d18eb3730127d9c6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plhQ87cM27.exe
PID 1612 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\4e1d0610a9dd95c87734fc2bd38a04b49118fe5c5ca6f0e5d18eb3730127d9c6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plhQ87cM27.exe
PID 1612 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\4e1d0610a9dd95c87734fc2bd38a04b49118fe5c5ca6f0e5d18eb3730127d9c6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plhQ87cM27.exe
PID 2388 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plhQ87cM27.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plwQ02DP63.exe
PID 2388 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plhQ87cM27.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plwQ02DP63.exe
PID 2388 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plhQ87cM27.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plwQ02DP63.exe
PID 2500 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plwQ02DP63.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plUL15Hs92.exe
PID 2500 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plwQ02DP63.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plUL15Hs92.exe
PID 2500 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plwQ02DP63.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plUL15Hs92.exe
PID 2060 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plUL15Hs92.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plfY52vo92.exe
PID 2060 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plUL15Hs92.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plfY52vo92.exe
PID 2060 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plUL15Hs92.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plfY52vo92.exe
PID 3988 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plfY52vo92.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bumh98qZ52.exe
PID 3988 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plfY52vo92.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bumh98qZ52.exe
PID 3988 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plfY52vo92.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caco88BT94.exe
PID 3988 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plfY52vo92.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caco88BT94.exe
PID 3988 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plfY52vo92.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caco88BT94.exe
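Seventeen WriteProcessMemory rows look alarming, but every one is a parent writing into the child it has just started: CreateProcess itself writes the new process's parameters into the child, so rows of this shape establish the parent-child chain, not code injection (injection would show a write into a process the writer did not create, such as a signed system binary). The following Python is an added example, not part of this report or of the sandbox: it collapses the rows above into a process tree, counts writes per edge, tags each image with the IExpress extraction directory it runs from, and measures the nesting depth. The paths are the report's; the functions and labels are the example's own.

```python
import re
from collections import defaultdict

# Row shape in the report: "PID <p> wrote to memory of <c> N/A <parent path> <child path>"
WPM_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$')

# Image paths taken from the report; the rows are rebuilt exactly as the
# sandbox table lists them, duplicates included (one row per write). Constructed input.
T = r'C:\Users\Admin\AppData\Local\Temp'
SAMPLE = T + r'\4e1d0610a9dd95c87734fc2bd38a04b49118fe5c5ca6f0e5d18eb3730127d9c6.exe'
L0 = T + r'\IXP000.TMP\plhQ87cM27.exe'
L1 = T + r'\IXP001.TMP\plwQ02DP63.exe'
L2 = T + r'\IXP002.TMP\plUL15Hs92.exe'
L3 = T + r'\IXP003.TMP\plfY52vo92.exe'
HEALER = T + r'\IXP004.TMP\bumh98qZ52.exe'
PAYLOAD = T + r'\IXP004.TMP\caco88BT94.exe'


def row(ppid, cpid, parent, child):
    return f'PID {ppid} wrote to memory of {cpid} N/A {parent} {child}'


SAMPLE_ROWS = (
    [row(1612, 2388, SAMPLE, L0)] * 3 + [row(2388, 2500, L0, L1)] * 3
    + [row(2500, 2060, L1, L2)] * 3 + [row(2060, 3988, L2, L3)] * 3
    + [row(3988, 2572, L3, HEALER)] * 2 + [row(3988, 1628, L3, PAYLOAD)] * 3
)


def parse_edges(rows):
    """Collapse one-row-per-write into {(ppid, cpid): [parent_path, child_path, writes]}."""
    edges = {}
    for r in rows:
        m = WPM_RE.match(r)
        if not m:
            continue
        edge = edges.setdefault((int(m[1]), int(m[2])), [m[3], m[4], 0])
        edge[2] += 1
    return edges


def build_tree(edges):
    """Return (roots, children-by-pid, image-by-pid) from the collapsed edges."""
    children, image = defaultdict(list), {}
    for (p, c), (pp, cp, _) in edges.items():
        children[p].append(c)
        image[p], image[c] = pp, cp
    spawned = {c for kids in children.values() for c in kids}
    roots = sorted(p for p in children if p not in spawned)
    return roots, dict(children), image


def sfx_layer(path):
    """Index N of the IXP00N.TMP IExpress extraction dir the image runs from, or None."""
    m = re.search(r'\\IXP(\d{3})\.TMP\\', path)
    return int(m[1]) if m else None


def chain_depth(pid, children):
    """Number of processes on the longest parent-to-leaf path starting at pid."""
    return 1 + max((chain_depth(k, children) for k in children.get(pid, [])), default=0)


def render(pid, children, image, indent=0):
    """Indented tree lines: pid, image path, and the SFX layer tag where applicable."""
    layer = sfx_layer(image[pid])
    tag = f'  [IXP{layer:03d}.TMP]' if layer is not None else ''
    lines = [f'{"  " * indent}{pid}  {image[pid]}{tag}']
    for kid in children.get(pid, []):
        lines.extend(render(kid, children, image, indent + 1))
    return lines


if __name__ == '__main__':
    edges = parse_edges(SAMPLE_ROWS)
    roots, children, image = build_tree(edges)
    for root in roots:
        print('\n'.join(render(root, children, image)))
        print('nesting depth:', chain_depth(root, children))
    for (p, c), (_, _, n) in edges.items():
        print(f'{p} -> {c}: {n} write(s)')
```

On the rows above this yields one root (PID 1612), a depth of six, and two children under 3988, the last SFX layer, which is the point where the chain finally forks into the Defender disabler and the payload.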

Processes

Process tree (parent PID above child PID) reconstructed from the WriteProcessMemory rows above. Each entry gives the image path; the recorded command line is the quoted path for the sample and the bare image path for every dropped executable. IXP000.TMP through IXP004.TMP are the extraction directories of five nested IExpress self-extractors.

1612 C:\Users\Admin\AppData\Local\Temp\4e1d0610a9dd95c87734fc2bd38a04b49118fe5c5ca6f0e5d18eb3730127d9c6.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\4e1d0610a9dd95c87734fc2bd38a04b49118fe5c5ca6f0e5d18eb3730127d9c6.exe"
  2388 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plhQ87cM27.exe
    2500 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plwQ02DP63.exe
      2060 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plUL15Hs92.exe
        3988 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plfY52vo92.exe
          2572 C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bumh98qZ52.exe (writes the Windows Defender policy and TamperProtection values, the antivirus-disabler behaviour the Healer signature describes)
          1628 C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caco88BT94.exe (takes SeDebugPrivilege; the process whose memory regions are dumped under Files)

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.24:4123 (none, raw IP) tcp
RU 193.233.20.24:4123 (none, raw IP) tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
RU 193.233.20.24:4123 (none, raw IP) tcp
RU 193.233.20.24:4123 (none, raw IP) tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
RU 193.233.20.24:4123 (none, raw IP) tcp
RU 193.233.20.24:4123 (none, raw IP) tcp

The in-addr.arpa rows are reverse (PTR) lookups sent to 8.8.8.8, not forward resolution of a C2 hostname. The only non-DNS traffic is six TCP connections to 193.233.20.24:4123, made by IP address with no preceding DNS query. The report does not record which process opened them or any payload, so the IP:port pair, not a domain, is the network indicator to pivot on.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plhQ87cM27.exe

MD5 17f19aaf947d2edd2b09265af50dfed0
SHA1 abe1f3f8ae72e57c6d33cd5f5235a82def6cd341
SHA256 8d77382f1e881df5618db6e5c93932fc4e54f51fa865e4b622f0c9b316eb7c16
SHA512 8adfbb4778c3ac6cd41a8d8efa63def87dcdba66820dacc3b6a827139ebcc12d57a16e2e6e0fc137e0bc4f111cffe5f9c7dca16848fb07002025d2424ac1f990

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plwQ02DP63.exe

MD5 b05adc378d54514af5a755d70b0d05bc
SHA1 64cf3fa442fe850da91cf2a34d30ca875970f2f1
SHA256 3067461989bd17ec2cd96861b0570faa4edd5a06fdc4fa496b5a1b53cafbdda7
SHA512 88b58448a73901d00e732bf4b699db9ff93309d978a4d8d55c6847d36cefe2815b10be9ffc56650621af0ebdb50303d757e55bfb7a39984656ad95398944009f

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plUL15Hs92.exe

MD5 4135897fed3629cd1aac4e4d8eb824d9
SHA1 2d73bd0d928d910c0e7d26be2a890fb8b8125d3a
SHA256 f79b399fe3cdc1b0a68f20d37f76708f6a988a94eae5198008aa642b471804ee
SHA512 0c1a454a70328eccbc7412d5fa9750008e8856187a071c6eb1ed606601858b89c5e046c31c9874c188b3bff29f0d6ff2e47162f2ab8c1c909959d211bc684b68

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plfY52vo92.exe

MD5 09c38477322a254cf981f68f93508af3
SHA1 44f49d2f933bfba8b15c21c15489f4e915592d0a
SHA256 82967d26380507a7e59180a6d82fb1c967bed8b0608e2d5203ef8b9d016de704
SHA512 7ccd33243ae8ccfc3e1273d5aac45de296fd3fe2e2513a454ca04771fd9247263c77f56fd422396ecce7e02bf0a6c0ed83ae5998f926f755a454d542efe40b37

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bumh98qZ52.exe

MD5 f628231a8dcbdf0a2881b9223b427751
SHA1 b34e2772add22fd6a3df2ebed11ad0c4c4c05022
SHA256 50f79e1b3b49ecb78c49cd85fd6ab6166b65191916b63f3970a922b1e59349a0
SHA512 f8a66e1691ca831c25e73d067398b356fb6ced422383b7f8815bdeeffd730bf01b576ea7ede19b6551e5b9bccf3a6d6fe9251065d5103fafb6bb90257118537b

memory/2572-35-0x0000000000C70000-0x0000000000C7A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caco88BT94.exe

MD5 47b1a20db297f70b1d9db60ea51d14d9
SHA1 b55664710122138d23e0e295dcade2b9aea41120
SHA256 80aab4a4c16d1ab74369c2914ab0348c3ab3b600ee7d40eda315a18bda1cd287
SHA512 e9924f8f89b8268c2d88d427727cacecffee75358583934131150fd73a1372ca65e0159cb221f718a19f2386cfa2905f46d58cd19a4ed63b5f98f073c3753288

memory/1628-41-0x0000000004B00000-0x0000000004B46000-memory.dmp

memory/1628-42-0x0000000007280000-0x0000000007824000-memory.dmp

memory/1628-43-0x00000000071F0000-0x0000000007234000-memory.dmp

memory/1628-{44,45,47,49,51,53,55,57,59,61,63,65,67,69,71,73,75,77,80,81,83,86,87,89,91,93,95,97,99,101,103,105,107}-0x00000000071F0000-0x000000000722E000-memory.dmp (33 dumps of the same 0x3E000-byte region in PID 1628, caco88BT94.exe, taken as the process ran)

memory/1628-950-0x0000000007940000-0x0000000007F58000-memory.dmp

memory/1628-951-0x0000000007FE0000-0x00000000080EA000-memory.dmp

memory/1628-952-0x0000000008120000-0x0000000008132000-memory.dmp

memory/1628-953-0x0000000008140000-0x000000000817C000-memory.dmp

memory/1628-954-0x0000000008290000-0x00000000082DC000-memory.dmp