Malware Analysis Report

2024-12-06 02:40

Sample ID: 241110-a91xaawcjm
Target: cc935bcd7285b142698bd911ad11cc77188fd32f91c3cf8a5d325b6b715f5d08
SHA256: cc935bcd7285b142698bd911ad11cc77188fd32f91c3cf8a5d325b6b715f5d08
Tags: healer redline ruzhpe discovery dropper evasion infostealer persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: cc935bcd7285b142698bd911ad11cc77188fd32f91c3cf8a5d325b6b715f5d08
Threat Level: Known bad

The file cc935bcd7285b142698bd911ad11cc77188fd32f91c3cf8a5d325b6b715f5d08 was found to be: Known bad.

Malicious Activity Summary

Tags: healer redline ruzhpe discovery dropper evasion infostealer persistence trojan

Healer
Modifies Windows Defender Real-time Protection settings
RedLine
Detects Healer an antivirus disabler dropper
RedLine payload
Healer family
Redline family
Executes dropped EXE
Windows security modification
Adds Run key to start application
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-10 00:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-10 00:55
Reported: 2024-11-10 00:58
Platform: win10v2004-20241007-en
Max time kernel: 145s
Max time network: 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc935bcd7285b142698bd911ad11cc77188fd32f91c3cf8a5d325b6b715f5d08.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A (17 identical rows; all fields N/A)

Healer (tags: dropper, healer)

Healer family (tags: healer)

Modifies Windows Defender Real-time Protection settings (tags: evasion, trojan)

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urka65Pf25.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urka65Pf25.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urka65Pf25.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urka65Pf25.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urka65Pf25.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urka65Pf25.exe N/A

RedLine (tags: infostealer, redline)

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (20 identical rows; all fields N/A)

Redline family (tags: redline)

Windows security modification (tags: evasion, trojan)

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urka65Pf25.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urka65Pf25.exe N/A

Adds Run key to start application (tags: persistence)

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\cc935bcd7285b142698bd911ad11cc77188fd32f91c3cf8a5d325b6b715f5d08.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycUW34Km17.exe N/A

System Location Discovery: System Language Discovery (tags: discovery)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cc935bcd7285b142698bd911ad11cc77188fd32f91c3cf8a5d325b6b715f5d08.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycUW34Km17.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urka65Pf25.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrCn07Lz29.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urka65Pf25.exe N/A (2 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urka65Pf25.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrCn07Lz29.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4604 wrote to memory of 1432 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\cc935bcd7285b142698bd911ad11cc77188fd32f91c3cf8a5d325b6b715f5d08.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycUW34Km17.exe
PID 1432 wrote to memory of 4784 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycUW34Km17.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urka65Pf25.exe
PID 1432 wrote to memory of 4576 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycUW34Km17.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrCn07Lz29.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cc935bcd7285b142698bd911ad11cc77188fd32f91c3cf8a5d325b6b715f5d08.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\cc935bcd7285b142698bd911ad11cc77188fd32f91c3cf8a5d325b6b715f5d08.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycUW34Km17.exe
  command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycUW34Km17.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urka65Pf25.exe
  command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urka65Pf25.exe

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4784 -ip 4784

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 1016

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrCn07Lz29.exe
  command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrCn07Lz29.exe

Network

36 DNS queries observed, deduplicated by domain (Count = number of identical queries, listed in order of first appearance):

Country Destination Domain Proto Count
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp 1
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp 1
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 pepunn.com udp 27
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp 1
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp 1
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp 1
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp 1
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp 1

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycUW34Km17.exe

MD5 014861569dff62ba1936e187418444c7
SHA1 351ea3b2e588a686d9f5534873bd0eb2872b3037
SHA256 de2f2b0a930fccf9c58cfa49d9cd5de496fb97b556634964ca0efd21ac91e4a5
SHA512 99313f5d5f54d08b9d2613ec3b2204722acb24ab59a7353f16b8cac20e8e78323926f012787d76d9be3c80038b4ee6a9055cc0a4707190ee50cdb84f28e90041

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urka65Pf25.exe

MD5 e86d6512a605f1fcd0435b9d980a7473
SHA1 3c256c47fc1b8d43a2e64ed7463e47301178380d
SHA256 4d3feae0f76c5b673ad0b420fb396e931e93d9bf08629742e2f1a47716ad4ad3
SHA512 be1b75490e6a8534eaed0ecb8516ad73e95542787d7123ca205ac52a82637abafe7c44479e2d994e10a221c0b7fe193f3c881d660485a0f415246aa70e7b7d78

memory/4784-15-0x0000000000740000-0x0000000000840000-memory.dmp

memory/4784-16-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4784-17-0x0000000000400000-0x0000000000582000-memory.dmp

memory/4784-18-0x0000000000400000-0x0000000000582000-memory.dmp

memory/4784-19-0x0000000002430000-0x000000000244A000-memory.dmp

memory/4784-20-0x0000000004BF0000-0x0000000005194000-memory.dmp

memory/4784-21-0x00000000025E0000-0x00000000025F8000-memory.dmp

memory/4784-31-0x00000000025E0000-0x00000000025F2000-memory.dmp

memory/4784-49-0x00000000025E0000-0x00000000025F2000-memory.dmp

memory/4784-48-0x00000000025E0000-0x00000000025F2000-memory.dmp

memory/4784-46-0x00000000025E0000-0x00000000025F2000-memory.dmp

memory/4784-43-0x00000000025E0000-0x00000000025F2000-memory.dmp

memory/4784-41-0x00000000025E0000-0x00000000025F2000-memory.dmp

memory/4784-39-0x00000000025E0000-0x00000000025F2000-memory.dmp

memory/4784-37-0x00000000025E0000-0x00000000025F2000-memory.dmp

memory/4784-35-0x00000000025E0000-0x00000000025F2000-memory.dmp

memory/4784-33-0x00000000025E0000-0x00000000025F2000-memory.dmp

memory/4784-29-0x00000000025E0000-0x00000000025F2000-memory.dmp

memory/4784-25-0x00000000025E0000-0x00000000025F2000-memory.dmp

memory/4784-23-0x00000000025E0000-0x00000000025F2000-memory.dmp

memory/4784-22-0x00000000025E0000-0x00000000025F2000-memory.dmp

memory/4784-27-0x00000000025E0000-0x00000000025F2000-memory.dmp

memory/4784-50-0x0000000000740000-0x0000000000840000-memory.dmp

memory/4784-51-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4784-54-0x0000000000400000-0x0000000000582000-memory.dmp

memory/4784-55-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrCn07Lz29.exe

MD5 c399447de03079c2f5c1482ddeb1706b
SHA1 dbeaa79a4b8e1190fc5c054b408948631dac089c
SHA256 afce08c2456f2f7a0ca5d02fca432a29b387b7f1d6fb1d58c6fc6da96749f7d7
SHA512 3f7001cfb7e54a471786f96c6788858718b867cdcd9c2caabd19018f74228461bcfa45211c11e5a541fdb4fd6c4ff0c330e6b6c8734304d670fc393072480b3c

memory/4576-60-0x0000000002480000-0x00000000024C6000-memory.dmp

memory/4576-61-0x0000000004B70000-0x0000000004BB4000-memory.dmp

memory/4576-65-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/4576-63-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/4576-62-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/4576-69-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/4576-67-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/4576-89-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/4576-95-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/4576-94-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/4576-91-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/4576-87-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/4576-85-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/4576-84-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/4576-81-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/4576-80-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/4576-77-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/4576-76-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/4576-73-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/4576-71-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/4576-968-0x0000000005270000-0x0000000005888000-memory.dmp

memory/4576-969-0x0000000005890000-0x000000000599A000-memory.dmp

memory/4576-970-0x00000000059B0000-0x00000000059C2000-memory.dmp

memory/4576-971-0x0000000005AD0000-0x0000000005B0C000-memory.dmp

memory/4576-972-0x0000000005B20000-0x0000000005B6C000-memory.dmp