Malware Analysis Report

2024-12-06 02:41

Sample ID 241110-a7ma4symdq
Target c4d1bb95154ec4771e6b36938e44951208ef17f9e9d33d2b50537b10c84e2266
SHA256 c4d1bb95154ec4771e6b36938e44951208ef17f9e9d33d2b50537b10c84e2266
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c4d1bb95154ec4771e6b36938e44951208ef17f9e9d33d2b50537b10c84e2266

Threat Level: Known bad

The file c4d1bb95154ec4771e6b36938e44951208ef17f9e9d33d2b50537b10c84e2266 was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Healer

Modifies Windows Defender Real-time Protection settings

RedLine payload

Redline family

Healer family

RedLine

Detects Healer an antivirus disabler dropper

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:51

Signatures

Unsigned PE

Description Indicator Process Target
1 match recorded; description, indicator, process and target are all N/A in this export.

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:51

Reported

2024-11-10 00:53

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c4d1bb95154ec4771e6b36938e44951208ef17f9e9d33d2b50537b10c84e2266.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
17 matches recorded; description, indicator, process and target are N/A for every row in this export.

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5155.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5155.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5155.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5155.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5155.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5155.exe N/A
Note: all of these writes come from pro5155.exe, and the WOW6432Node prefix shows the sandbox logged them through the 32-bit registry view (the process is 32-bit; its crash handler ran from SysWOW64). The values are the Group Policy-style Defender switches, so hunting queries should cover both the native Policies\Microsoft\Windows Defender path and the WOW6432Node path.

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
20 matches recorded; description, indicator, process and target are N/A for every row in this export.

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5155.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5155.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\c4d1bb95154ec4771e6b36938e44951208ef17f9e9d33d2b50537b10c84e2266.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un083356.exe N/A
Note: both RunOnce values are the standard cleanup entries written by the Windows WExtract/IExpress self-extractor (the IXP000.TMP and IXP001.TMP directory names are its convention). At next logon they call advpack.dll DelNodeRunDLL32 to delete the extraction directories; they do not relaunch any of the dropped executables, so this signature reflects the packaging, not a payload autostart. The report records no Run or RunOnce value pointing at pro5155.exe or qu6631.exe.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c4d1bb95154ec4771e6b36938e44951208ef17f9e9d33d2b50537b10c84e2266.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un083356.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5155.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6631.exe N/A
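The registry rows above are the report's main evidence for the Healer stage: every Windows Defender change is made by pro5155.exe, while the RunOnce entries belong to the self-extractor wrapper. The classifier below is an added example by the editor, not sandbox output and not code from the malware. It re-parses the rows exactly as they are printed on this page, tags each with a rule name and ATT&CK technique (both the editor's, not produced by the sandbox), attributes Defender tampering to the acting process, and separates the WExtract cleanup entries from a real autostart.

```python
"""Classify the registry indicators recorded in this report.

Added example by the editor: the event lines are copied verbatim from the
behavioral1 signature tables of the report; the parser, rule names and
ATT&CK mappings are the editor's own, not sandbox output.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Rows in the report's flattened table form:
#   "<operation> <key path>[ = "<value>"] <process> <target>"
REPORT_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5155.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5155.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5155.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5155.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5155.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5155.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5155.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\c4d1bb95154ec4771e6b36938e44951208ef17f9e9d33d2b50537b10c84e2266.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un083356.exe N/A',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5155.exe N/A',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6631.exe N/A',
]

OPERATIONS = ("Set value (int)", "Set value (str)", "Key created", "Key opened")


@dataclass
class RegEvent:
    operation: str
    path: str
    value: Optional[str]
    process: str  # basename of the acting process


def parse_event(line: str) -> RegEvent:
    # The last two whitespace-separated tokens are the process and target
    # columns; the process paths in this report contain no spaces.
    body, process, _target = line.rsplit(None, 2)
    operation = next((op for op in OPERATIONS if body.startswith(op + " ")), None)
    if operation is None:
        raise ValueError(f"unknown operation in row: {line!r}")
    rest = body[len(operation) + 1:]
    value = None
    if ' = "' in rest:
        rest, value = rest.split(' = "', 1)
        value = value[:-1]  # strip the closing quote of the value column
    return RegEvent(operation, rest, value, process.rsplit("\\", 1)[-1])


@dataclass
class Finding:
    rule: str
    technique: str
    process: str
    path: str
    value: Optional[str]
    note: str = ""


# (rule, ATT&CK technique, operations it applies to, key-path regex, value predicate);
# rule names and technique IDs are the editor's mapping, not sandbox output.
RULES = [
    ("defender_realtime_protection_disabled", "T1562.001", ("Set value (int)",),
     r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\Disable\w+$", lambda v: v == "1"),
    ("defender_policy_key_created", "T1562.001", ("Key created",),
     r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection$", lambda v: True),
    ("defender_tamper_protection_off", "T1562.001", ("Set value (int)",),
     r"\\Microsoft\\Windows Defender\\Features\\TamperProtection$", lambda v: v == "0"),
    ("run_key_persistence", "T1547.001", ("Set value (str)",),
     r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", lambda v: v is not None),
    ("system_language_discovery", "T1614.001", ("Key opened",),
     r"\\Control\\NLS\\Language$", lambda v: True),
]

# WExtract/IExpress self-extractors register this RunOnce entry to delete their
# IXP###.TMP directory at next logon; it launches no payload.
CLEANUP = re.compile(r"^rundll32\.exe .*advpack\.dll,DelNodeRunDLL32 ", re.IGNORECASE)


def classify(lines):
    findings = []
    for line in lines:
        ev = parse_event(line)
        for rule, technique, ops, pattern, accept in RULES:
            if ev.operation in ops and re.search(pattern, ev.path, re.IGNORECASE) and accept(ev.value):
                note = ""
                if rule == "run_key_persistence" and CLEANUP.match(ev.value):
                    note = "self-extractor cleanup entry (deletes the temp directory), not a payload launch"
                findings.append(Finding(rule, technique, ev.process, ev.path, ev.value, note))
    return findings


def summarize(findings) -> Counter:
    return Counter(f.rule for f in findings)


def tampering_processes(findings) -> set:
    """Processes that changed Defender settings, i.e. the AV-disabler stage."""
    return {f.process for f in findings if f.rule.startswith("defender_")}


if __name__ == "__main__":
    found = classify(REPORT_EVENTS)
    for f in found:
        print(f"{f.technique} {f.rule:40} {f.process:14} {f.path.rsplit(chr(92), 1)[-1]} {f.note}")
    print(dict(summarize(found)), tampering_processes(found))
```

Run against the rows above, the summary attributes all Defender changes (five Real-Time Protection switches, the key creation and the TamperProtection value) to pro5155.exe and annotates both RunOnce entries as cleanup rather than autostart; the same rules apply unchanged to rows exported from other detonations of the same family.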

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5155.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5155.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5155.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6631.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1096 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\c4d1bb95154ec4771e6b36938e44951208ef17f9e9d33d2b50537b10c84e2266.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un083356.exe
PID 1096 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\c4d1bb95154ec4771e6b36938e44951208ef17f9e9d33d2b50537b10c84e2266.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un083356.exe
PID 1096 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\c4d1bb95154ec4771e6b36938e44951208ef17f9e9d33d2b50537b10c84e2266.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un083356.exe
PID 2200 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un083356.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5155.exe
PID 2200 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un083356.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5155.exe
PID 2200 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un083356.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5155.exe
PID 2200 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un083356.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6631.exe
PID 2200 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un083356.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6631.exe
PID 2200 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un083356.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6631.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c4d1bb95154ec4771e6b36938e44951208ef17f9e9d33d2b50537b10c84e2266.exe

"C:\Users\Admin\AppData\Local\Temp\c4d1bb95154ec4771e6b36938e44951208ef17f9e9d33d2b50537b10c84e2266.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un083356.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un083356.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5155.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5155.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1084 -ip 1084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 1004

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6631.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6631.exe
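The WriteProcessMemory rows, the Processes list and the memory dump names together describe one process tree, but the report leaves the reader to assemble it. The script below is an added example by the editor, not sandbox output: it rebuilds the tree from the WriteProcessMemory rows as copied from this page, collapses the three identical rows the sandbox logged per spawn, ties the WerFault command lines to the PID that crashed, and maps a memory dump file name to the image that owned it. The function names and output layout are the editor's.

```python
"""Reconstruct the process tree and per-process artefacts from this report.

Added example by the editor: the input strings are copied from the
WriteProcessMemory table, the Processes section and the Files section of
the report; the reconstruction logic is the editor's, not sandbox output.
"""
import re

SAMPLE = "c4d1bb95154ec4771e6b36938e44951208ef17f9e9d33d2b50537b10c84e2266.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp"

# "Suspicious use of WriteProcessMemory" rows. The sandbox logs one row per
# write, and the table shows each spawn as three identical rows.
WRITE_ROWS = (
    [f"PID 1096 wrote to memory of 2200 N/A {TMP}\\{SAMPLE} {TMP}\\IXP000.TMP\\un083356.exe"] * 3
    + [f"PID 2200 wrote to memory of 1084 N/A {TMP}\\IXP000.TMP\\un083356.exe {TMP}\\IXP001.TMP\\pro5155.exe"] * 3
    + [f"PID 2200 wrote to memory of 392 N/A {TMP}\\IXP000.TMP\\un083356.exe {TMP}\\IXP001.TMP\\qu6631.exe"] * 3
)

# Command lines from the Processes section.
WERFAULT_CMDS = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1084 -ip 1084",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 1004",
]

# A few dump names from the Files section.
DUMP_NAMES = [
    "memory/1084-17-0x0000000000400000-0x0000000000430000-memory.dmp",
    "memory/1084-51-0x0000000000400000-0x0000000002B84000-memory.dmp",
    "memory/392-60-0x0000000004960000-0x00000000049A6000-memory.dmp",
    "memory/392-968-0x0000000007900000-0x0000000007F18000-memory.dmp",
]

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def build_tree(rows):
    """Return (names, children, write_counts).

    names: pid -> image basename; children: parent pid -> [child pids] in
    first-seen order; write_counts: (parent, child) -> number of rows.
    """
    names, children, counts = {}, {}, {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unparsed row: {row!r}")
        parent, child, src, dst = int(m[1]), int(m[2]), m[3], m[4]
        names.setdefault(parent, src.rsplit("\\", 1)[-1])
        names.setdefault(child, dst.rsplit("\\", 1)[-1])
        kids = children.setdefault(parent, [])
        if child not in kids:
            kids.append(child)
        counts[(parent, child)] = counts.get((parent, child), 0) + 1
    return names, children, counts


def roots(names, children):
    """PIDs that never appear as a write target: the initial process(es)."""
    all_children = {c for kids in children.values() for c in kids}
    return [pid for pid in names if pid not in all_children]


def render(names, children, pid, depth=0):
    """Indented text tree, one line per process."""
    lines = ["    " * depth + f"{names[pid]} ({pid})"]
    for kid in children.get(pid, []):
        lines.extend(render(names, children, kid, depth + 1))
    return lines


def crashed_processes(cmdlines, names):
    """Map the PID named by each WerFault '-p <pid>' argument to its image."""
    out = {}
    for cmd in cmdlines:
        m = re.search(r"(?:^|\s)-p (\d+)(?:\s|$)", cmd)
        if m:
            out[int(m[1])] = names.get(int(m[1]), "?")
    return out


def dump_owner(dump_name, names):
    """memory/<pid>-<seq>-<start>-<end>-memory.dmp -> (image, start, end)."""
    m = DUMP_RE.match(dump_name)
    if not m:
        raise ValueError(f"unexpected dump name: {dump_name!r}")
    return names.get(int(m[1]), "?"), int(m[2], 16), int(m[3], 16)


if __name__ == "__main__":
    names, children, counts = build_tree(WRITE_ROWS)
    for root in roots(names, children):
        print("\n".join(render(names, children, root)))
    print("writes per spawn:", {f"{p}->{c}": n for (p, c), n in counts.items()})
    print("crashed:", crashed_processes(WERFAULT_CMDS, names))
    for d in DUMP_NAMES:
        image, start, end = dump_owner(d, names)
        print(f"{image:14} {start:#012x}-{end:#012x} ({end - start:#x} bytes)")
```

The tree comes out as the sample at PID 1096, un083356.exe at 2200 under it, and pro5155.exe (1084) and qu6631.exe (392) as siblings under 2200, with exactly three write rows per spawn; the WerFault lines resolve to pro5155.exe, which matches the "Program crash" entry in the summary, and the 0x400000 to 0x2B84000 dump of PID 1084 is identified as a region of that same process.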

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
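The Network table mixes two different things: six TCP connections to one endpoint and twelve reverse-DNS (PTR) queries sent to 8.8.8.8, whose in-addr.arpa names encode other addresses in reversed octet order. The summariser below is an added example by the editor, not sandbox output: it parses the rows as printed above, decodes each PTR name back to the address being looked up, and aggregates the direct connections into an IOC list with hit counts. The report does not say what 176.113.115.145:4125 is, so the script describes it only by what was observed; the addresses behind the PTR queries were never contacted in this capture and are kept separate from the connection IOCs.

```python
"""Summarise the Network table of this report as IOCs.

Added example by the editor: the rows are copied from the report's Network
table; the parsing, PTR decoding and aggregation are the editor's own.
"""
import re
from collections import Counter

NETWORK_ROWS = [
    "US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp",
    "US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp",
    "US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp",
    "US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp",
    "US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp",
    "RU 176.113.115.145:4125 tcp",
    "US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp",
    "US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp",
    "US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp",
    "US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp",
    "RU 176.113.115.145:4125 tcp",
    "US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp",
    "RU 176.113.115.145:4125 tcp",
    "RU 176.113.115.145:4125 tcp",
    "US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp",
    "US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp",
    "RU 176.113.115.145:4125 tcp",
    "RU 176.113.115.145:4125 tcp",
]

# "<country> <ip>:<port> [<domain>] <proto>"; the domain column is absent
# for plain TCP connections.
ROW_RE = re.compile(r"^(\w\w) (\d+\.\d+\.\d+\.\d+):(\d+)(?: (\S+))? (tcp|udp)$")
PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name: str) -> str:
    """'88.210.23.2.in-addr.arpa' -> '2.23.210.88' (labels are reversed octets)."""
    name = name.lower().rstrip(".")
    if not name.endswith(PTR_SUFFIX):
        raise ValueError(f"not a reverse-lookup name: {name!r}")
    labels = name[: -len(PTR_SUFFIX)].split(".")
    if len(labels) != 4 or not all(l.isdigit() and int(l) < 256 for l in labels):
        raise ValueError(f"malformed PTR name: {name!r}")
    return ".".join(reversed(labels))


def summarize(rows):
    connections = Counter()  # (ip, port, proto, country) -> observed count
    ptr_lookups = Counter()  # address whose PTR record was requested -> count
    resolvers = Counter()    # (ip, port, proto) the queries were sent to -> count
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unparsed row: {row!r}")
        country, ip, port, domain, proto = m.groups()
        if domain and domain.lower().endswith(PTR_SUFFIX):
            ptr_lookups[ptr_to_ip(domain)] += 1
            resolvers[(ip, int(port), proto)] += 1
        else:
            connections[(ip, int(port), proto, country)] += 1
    return {"connections": connections, "ptr_lookups": ptr_lookups, "resolvers": resolvers}


def ioc_lines(summary):
    """Direct connections only, formatted for a blocklist or hunt query."""
    return [f"{ip}:{port}/{proto} ({country}) x{n}"
            for (ip, port, proto, country), n in summary["connections"].most_common()]


if __name__ == "__main__":
    s = summarize(NETWORK_ROWS)
    print("direct connections:", *ioc_lines(s), sep="\n  ")
    print("reverse lookups (not contacted):", sorted(s["ptr_lookups"]))
    print("resolver(s):", dict(s["resolvers"]))
```

For this report the only direct connection is 176.113.115.145:4125/tcp, seen six times; the twelve PTR queries all go to 8.8.8.8:53 and resolve addresses such as 2.23.210.88 and 4.245.163.56 that appear nowhere else in the capture, so they should not be promoted to IOCs without further evidence.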

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un083356.exe

MD5 828ee0c5fdb0a12b9f1a17a9d6983bdf
SHA1 f0cd7489dbeec1b1b45627fb23064064b2d713aa
SHA256 21c18215dc5d2e1a8c84a71b656ede1250b2c1cd8c34f9df87f2d4f5bc2ecfeb
SHA512 59107e32f6057a2117d676b8e83a43cb082431aa66699f9247b0b644388b671ffa6f069c6d867b0e0d0d4bcb12f3888dfc7b676279d634c01cc4da462701f43d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5155.exe

MD5 372aa68e07020572e13dace611faf9e7
SHA1 1c1988621f9542c3e36824cbbc096655dafb21ff
SHA256 482f6ce57da48382993a1ceddb7ba92057c3e6f0db41392cc2d0c850a8f15690
SHA512 4c70efbffe364e6e223f4613421e9ca349c6a7816e69e16ff6eb08635fb80b6bc2cc489c3153fb241d5e4b2e47f6db8cf579df4cf3ac780cc6cfc344c03849cd

memory/1084-15-0x0000000002D00000-0x0000000002E00000-memory.dmp

memory/1084-16-0x0000000002C60000-0x0000000002C8D000-memory.dmp

memory/1084-17-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1084-18-0x0000000002F30000-0x0000000002F4A000-memory.dmp

memory/1084-19-0x0000000007240000-0x00000000077E4000-memory.dmp

memory/1084-20-0x0000000007120000-0x0000000007138000-memory.dmp

memory/1084-38-0x0000000007120000-0x0000000007132000-memory.dmp

memory/1084-48-0x0000000007120000-0x0000000007132000-memory.dmp

memory/1084-46-0x0000000007120000-0x0000000007132000-memory.dmp

memory/1084-44-0x0000000007120000-0x0000000007132000-memory.dmp

memory/1084-42-0x0000000007120000-0x0000000007132000-memory.dmp

memory/1084-40-0x0000000007120000-0x0000000007132000-memory.dmp

memory/1084-36-0x0000000007120000-0x0000000007132000-memory.dmp

memory/1084-34-0x0000000007120000-0x0000000007132000-memory.dmp

memory/1084-32-0x0000000007120000-0x0000000007132000-memory.dmp

memory/1084-30-0x0000000007120000-0x0000000007132000-memory.dmp

memory/1084-26-0x0000000007120000-0x0000000007132000-memory.dmp

memory/1084-22-0x0000000007120000-0x0000000007132000-memory.dmp

memory/1084-21-0x0000000007120000-0x0000000007132000-memory.dmp

memory/1084-28-0x0000000007120000-0x0000000007132000-memory.dmp

memory/1084-24-0x0000000007120000-0x0000000007132000-memory.dmp

memory/1084-49-0x0000000002D00000-0x0000000002E00000-memory.dmp

memory/1084-50-0x0000000002C60000-0x0000000002C8D000-memory.dmp

memory/1084-52-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1084-51-0x0000000000400000-0x0000000002B84000-memory.dmp

memory/1084-55-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6631.exe

MD5 bc6951f400fe1beea8a018524ed163bc
SHA1 9806e990dc1d73c41a43df086325ea58b683eacf
SHA256 5ec7063d0bfdff0b7433998ff4142a8cc428fe3c2919cf5b07bb34e162867eb8
SHA512 9748143dc92b85d4c25d6dfc643798693699c21b19d7c07f6111939b22e5115511f355feacfd9a6d1fddd3b5bfd34b41f78cc34ef177e709459d2e50cde8fe17

memory/1084-54-0x0000000000400000-0x0000000002B84000-memory.dmp

memory/392-60-0x0000000004960000-0x00000000049A6000-memory.dmp

memory/392-61-0x0000000007180000-0x00000000071C4000-memory.dmp

memory/392-65-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/392-73-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/392-95-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/392-93-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/392-91-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/392-89-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/392-87-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/392-85-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/392-83-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/392-81-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/392-77-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/392-75-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/392-71-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/392-69-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/392-67-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/392-79-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/392-63-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/392-62-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/392-968-0x0000000007900000-0x0000000007F18000-memory.dmp

memory/392-969-0x0000000007FA0000-0x00000000080AA000-memory.dmp

memory/392-970-0x00000000080E0000-0x00000000080F2000-memory.dmp

memory/392-971-0x0000000008100000-0x000000000813C000-memory.dmp

memory/392-972-0x0000000008250000-0x000000000829C000-memory.dmp