Malware Analysis Report

2024-12-06 02:41

Sample ID 241110-a71thawcpa
Target 14e1301d16e60f7c7a71e6d5a064f62baf14da25447af4801ef5b1b2f93b0f65
SHA256 14e1301d16e60f7c7a71e6d5a064f62baf14da25447af4801ef5b1b2f93b0f65
Tags: healer redline discovery dropper evasion infostealer persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

14e1301d16e60f7c7a71e6d5a064f62baf14da25447af4801ef5b1b2f93b0f65

Threat Level: Known bad

The file 14e1301d16e60f7c7a71e6d5a064f62baf14da25447af4801ef5b1b2f93b0f65 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Redline family

Healer family

RedLine payload

RedLine

Healer

Detects Healer, an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:51

Reported

2024-11-10 00:54

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14e1301d16e60f7c7a71e6d5a064f62baf14da25447af4801ef5b1b2f93b0f65.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\14e1301d16e60f7c7a71e6d5a064f62baf14da25447af4801ef5b1b2f93b0f65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417053.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\14e1301d16e60f7c7a71e6d5a064f62baf14da25447af4801ef5b1b2f93b0f65.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417053.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu520450.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu520450.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1000 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\14e1301d16e60f7c7a71e6d5a064f62baf14da25447af4801ef5b1b2f93b0f65.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417053.exe
PID 1000 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\14e1301d16e60f7c7a71e6d5a064f62baf14da25447af4801ef5b1b2f93b0f65.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417053.exe
PID 1000 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\14e1301d16e60f7c7a71e6d5a064f62baf14da25447af4801ef5b1b2f93b0f65.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417053.exe
PID 4024 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417053.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe
PID 4024 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417053.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe
PID 4024 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417053.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe
PID 4024 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417053.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu520450.exe
PID 4024 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417053.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu520450.exe
PID 4024 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417053.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu520450.exe

Processes

C:\Users\Admin\AppData\Local\Temp\14e1301d16e60f7c7a71e6d5a064f62baf14da25447af4801ef5b1b2f93b0f65.exe

"C:\Users\Admin\AppData\Local\Temp\14e1301d16e60f7c7a71e6d5a064f62baf14da25447af4801ef5b1b2f93b0f65.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417053.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417053.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4464 -ip 4464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu520450.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu520450.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.142:38452 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
RU 185.161.248.142:38452 tcp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
RU 185.161.248.142:38452 tcp
RU 185.161.248.142:38452 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
RU 185.161.248.142:38452 tcp
RU 185.161.248.142:38452 tcp
RU 185.161.248.142:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417053.exe

MD5 020d6fd5b61a106381825fa475443248
SHA1 dfcd18bf71413dbc92a0a0fc613b0c3e669c8541
SHA256 03d139af50212ba23b2a4efd54732ab55ab02ea06dc821aa1caea07c7206490a
SHA512 809d8e89628a01360a4166c396d826383fe0b0995c2e88d621027dcc55327f9058ad0bc88e096d346d87233e911485dadbe3033204e23d2ad452b574a51cac9a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe

MD5 10e4c3432efaf08c0d45d6d557145dfc
SHA1 2a833d82019e8b0ff25338c1df0cf5c72148db2a
SHA256 8aa209302f8c3e72d527177ff4b58100767e7018c960bc0d844611f13c71b162
SHA512 30a2951bb45bb880a5d2a15ad9b6e172d7880a54d561f69f0a7f72a906282a71881e5f8c4f0b3db1f261f086ca9b4c7313cf36e84527e4a604535b3bc88b83e4

memory/4464-15-0x0000000002D00000-0x0000000002E00000-memory.dmp

memory/4464-16-0x0000000002BB0000-0x0000000002BDD000-memory.dmp

memory/4464-17-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4464-18-0x0000000004800000-0x000000000481A000-memory.dmp

memory/4464-19-0x0000000007540000-0x0000000007AE4000-memory.dmp

memory/4464-20-0x00000000048E0000-0x00000000048F8000-memory.dmp

memory/4464-32-0x00000000048E0000-0x00000000048F2000-memory.dmp

memory/4464-48-0x00000000048E0000-0x00000000048F2000-memory.dmp

memory/4464-46-0x00000000048E0000-0x00000000048F2000-memory.dmp

memory/4464-44-0x00000000048E0000-0x00000000048F2000-memory.dmp

memory/4464-42-0x00000000048E0000-0x00000000048F2000-memory.dmp

memory/4464-40-0x00000000048E0000-0x00000000048F2000-memory.dmp

memory/4464-38-0x00000000048E0000-0x00000000048F2000-memory.dmp

memory/4464-37-0x00000000048E0000-0x00000000048F2000-memory.dmp

memory/4464-34-0x00000000048E0000-0x00000000048F2000-memory.dmp

memory/4464-30-0x00000000048E0000-0x00000000048F2000-memory.dmp

memory/4464-28-0x00000000048E0000-0x00000000048F2000-memory.dmp

memory/4464-26-0x00000000048E0000-0x00000000048F2000-memory.dmp

memory/4464-24-0x00000000048E0000-0x00000000048F2000-memory.dmp

memory/4464-22-0x00000000048E0000-0x00000000048F2000-memory.dmp

memory/4464-21-0x00000000048E0000-0x00000000048F2000-memory.dmp

memory/4464-49-0x0000000002D00000-0x0000000002E00000-memory.dmp

memory/4464-51-0x0000000002BB0000-0x0000000002BDD000-memory.dmp

memory/4464-50-0x0000000000400000-0x0000000002BAF000-memory.dmp

memory/4464-52-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4464-55-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu520450.exe

MD5 4bfb46ed0b4719461401d9f022823588
SHA1 5922f8e111fe3c94533bd6b19ba31a26af0412c6
SHA256 0630c9484d34c621bcd1e5e96a8acb099dba138bee7da681c708877d2e71727a
SHA512 2b9f03dfdb5ee7a1a46192d40bc369deac05efa6ca76effee5cc625fa5db23871ead4e5f1df84e46651dfa0aeb50cdaeec5d1d7aa505e378094a2cbb1e748cf0

memory/4464-54-0x0000000000400000-0x0000000002BAF000-memory.dmp

memory/3268-60-0x0000000004970000-0x00000000049AC000-memory.dmp

memory/3268-61-0x0000000004A10000-0x0000000004A4A000-memory.dmp

memory/3268-73-0x0000000004A10000-0x0000000004A45000-memory.dmp

memory/3268-77-0x0000000004A10000-0x0000000004A45000-memory.dmp

memory/3268-93-0x0000000004A10000-0x0000000004A45000-memory.dmp

memory/3268-91-0x0000000004A10000-0x0000000004A45000-memory.dmp

memory/3268-89-0x0000000004A10000-0x0000000004A45000-memory.dmp

memory/3268-87-0x0000000004A10000-0x0000000004A45000-memory.dmp

memory/3268-85-0x0000000004A10000-0x0000000004A45000-memory.dmp

memory/3268-83-0x0000000004A10000-0x0000000004A45000-memory.dmp

memory/3268-81-0x0000000004A10000-0x0000000004A45000-memory.dmp

memory/3268-79-0x0000000004A10000-0x0000000004A45000-memory.dmp

memory/3268-75-0x0000000004A10000-0x0000000004A45000-memory.dmp

memory/3268-71-0x0000000004A10000-0x0000000004A45000-memory.dmp

memory/3268-69-0x0000000004A10000-0x0000000004A45000-memory.dmp

memory/3268-67-0x0000000004A10000-0x0000000004A45000-memory.dmp

memory/3268-95-0x0000000004A10000-0x0000000004A45000-memory.dmp

memory/3268-65-0x0000000004A10000-0x0000000004A45000-memory.dmp

memory/3268-63-0x0000000004A10000-0x0000000004A45000-memory.dmp

memory/3268-62-0x0000000004A10000-0x0000000004A45000-memory.dmp

memory/3268-855-0x0000000004D90000-0x0000000004DA2000-memory.dmp

memory/3268-854-0x0000000009F80000-0x000000000A598000-memory.dmp

memory/3268-856-0x000000000A5A0000-0x000000000A6AA000-memory.dmp

memory/3268-857-0x0000000004DB0000-0x0000000004DEC000-memory.dmp

memory/3268-858-0x0000000002FF0000-0x000000000303C000-memory.dmp