Malware Analysis Report

2024-12-06 02:55

Sample ID 241110-a94yyaynaq
Target a64f130f8ca8dd338e3ca605dd002c70ceb9316c73e73918477f88886ebfdbea
SHA256 a64f130f8ca8dd338e3ca605dd002c70ceb9316c73e73918477f88886ebfdbea
Tags: healer redline mazda discovery dropper evasion infostealer persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: a64f130f8ca8dd338e3ca605dd002c70ceb9316c73e73918477f88886ebfdbea

Threat Level: Known bad

The file a64f130f8ca8dd338e3ca605dd002c70ceb9316c73e73918477f88886ebfdbea was found to be: Known bad.

Malicious Activity Summary

healer redline mazda discovery dropper evasion infostealer persistence trojan

Healer family

RedLine payload

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

RedLine

Healer

Redline family

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:55

Reported

2024-11-10 00:58

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a64f130f8ca8dd338e3ca605dd002c70ceb9316c73e73918477f88886ebfdbea.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A (×17, identical rows)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4694307.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4694307.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4694307.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4694307.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4694307.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4694307.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (×2, identical rows)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4694307.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4694307.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\a64f130f8ca8dd338e3ca605dd002c70ceb9316c73e73918477f88886ebfdbea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0980975.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1725387.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4242870.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0506147.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4242870.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0506147.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4694307.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2419047.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a64f130f8ca8dd338e3ca605dd002c70ceb9316c73e73918477f88886ebfdbea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0980975.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1725387.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4694307.exe N/A (×2, identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4694307.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3860 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\a64f130f8ca8dd338e3ca605dd002c70ceb9316c73e73918477f88886ebfdbea.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0980975.exe (×3, identical rows)
PID 612 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0980975.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1725387.exe (×3, identical rows)
PID 3276 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1725387.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4242870.exe (×3, identical rows)
PID 3956 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4242870.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0506147.exe (×3, identical rows)
PID 4012 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0506147.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4694307.exe (×3, identical rows)
PID 4012 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0506147.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2419047.exe (×3, identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\a64f130f8ca8dd338e3ca605dd002c70ceb9316c73e73918477f88886ebfdbea.exe

"C:\Users\Admin\AppData\Local\Temp\a64f130f8ca8dd338e3ca605dd002c70ceb9316c73e73918477f88886ebfdbea.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0980975.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0980975.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1725387.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1725387.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4242870.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4242870.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0506147.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0506147.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4694307.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4694307.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4076 -ip 4076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1004

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2419047.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2419047.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
CY 217.196.96.56:4138 - tcp (×6, identical rows, interleaved with the DNS lookups below)
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0980975.exe

MD5 9a6ad5d68cc1f5628320668f751448d3
SHA1 8980cbd9e792d8008d8790bf1183f31cc2f68059
SHA256 843c3f065c74065f0bd971798c3b51a9094f40c529e4bd804784e9a6e200e78d
SHA512 90d618985e8504d79667d186cbc22d36d9eca6273becb1cc4c064e7cd3e56f67bd6bfebe02479aa91a870fb50693b4abb94d01ce56bcc1d1dbaef56bd0d7b71d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1725387.exe

MD5 d1365cf32a2a5ffb2d0de5e547a86ac4
SHA1 f2a63f6358d748b82fbaae316461329f87f61a85
SHA256 e63b0fcdc4e0775eda7ee8a65c7159d4c2917f28d06104499aeeb83c94b5a3f6
SHA512 1f314009a66c1386a6ea380458ee3dd38f4f972caf11a4f2e0fff37d1c962cdcaed6b9654467e9cce5fc82de6841bbe8da468fc7eaf2b25ea94309dad5328426

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4242870.exe

MD5 fee0d78da9d9e0dad30b42dc4e77f28c
SHA1 225327cf30237b56e2cb8416c1740419eece2b1e
SHA256 fa11b78ae720dd778558c4fa04fd227dd36a345f61ef47331ca0216550670c03
SHA512 a1e751858bc33c64f2ca169204e750befb71bd67adb9af0a390ecc0bfaa7a4a66fe4fe3a564921d42851eef0764b4c1f72f8f5807467d19e60f23209c11d6023

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0506147.exe

MD5 e92c7bbd8a676bb507c8a6c719925511
SHA1 a53f60b355d98c0dcec0c25cb1f89e26c00f4597
SHA256 e4df181cb1b0c15da1d9da17f9d03be6ea7e1a0610a2a467bbc642c1c1b58f21
SHA512 169ce1f2bfda419907e7087884154afa03b004216aed3dba62652485b8292788b001b2bcc2b8881ac007cb478f6d73df7699d0f68d2f7bf4bc500185978d9161

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4694307.exe

MD5 3f907efe9d933c2f91ca529aa860aefc
SHA1 03e5427078314e367099b258336bfc9d79f00fba
SHA256 922be69be4725617b7b5789ba4a86420f9811575e287f680fab3039e6b908205
SHA512 b874d0fd2162f63ba25b8d13455108ac7de59e1d11b3c2d14f14445efde3dd6e4615ad9d57e4fd98c7a2a265f06a245bb9cb19a7150c67de0ef70ebf22b23d15

memory/4076-36-0x0000000002620000-0x000000000263A000-memory.dmp

memory/4076-37-0x0000000004EF0000-0x0000000005494000-memory.dmp

memory/4076-38-0x00000000027C0000-0x00000000027D8000-memory.dmp

memory/4076-64-0x00000000027C0000-0x00000000027D2000-memory.dmp

memory/4076-66-0x00000000027C0000-0x00000000027D2000-memory.dmp

memory/4076-62-0x00000000027C0000-0x00000000027D2000-memory.dmp

memory/4076-60-0x00000000027C0000-0x00000000027D2000-memory.dmp

memory/4076-58-0x00000000027C0000-0x00000000027D2000-memory.dmp

memory/4076-56-0x00000000027C0000-0x00000000027D2000-memory.dmp

memory/4076-54-0x00000000027C0000-0x00000000027D2000-memory.dmp

memory/4076-52-0x00000000027C0000-0x00000000027D2000-memory.dmp

memory/4076-50-0x00000000027C0000-0x00000000027D2000-memory.dmp

memory/4076-48-0x00000000027C0000-0x00000000027D2000-memory.dmp

memory/4076-46-0x00000000027C0000-0x00000000027D2000-memory.dmp

memory/4076-44-0x00000000027C0000-0x00000000027D2000-memory.dmp

memory/4076-42-0x00000000027C0000-0x00000000027D2000-memory.dmp

memory/4076-40-0x00000000027C0000-0x00000000027D2000-memory.dmp

memory/4076-39-0x00000000027C0000-0x00000000027D2000-memory.dmp

memory/4076-67-0x0000000000400000-0x00000000006F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2419047.exe

MD5 008a9ccda1ec1e09754c5b607ef8008d
SHA1 32b5ac50d778bd22b4f2bdc4a75195c2fd145308
SHA256 b7856ce74bd7b42844ff63150ab37002b16898734219c37812428d18dbc84442
SHA512 f1fb9d973cb3743fc41eb3a104935ff7690f1860f0e028e0c06b6d0df67e5267a182a22100d75fcd499d73830361124bfe4267b114b82128e6938d3c943837eb

memory/4076-69-0x0000000000400000-0x00000000006F4000-memory.dmp

memory/2940-73-0x0000000000B20000-0x0000000000B50000-memory.dmp

memory/2940-74-0x0000000002D50000-0x0000000002D56000-memory.dmp

memory/2940-75-0x0000000005C50000-0x0000000006268000-memory.dmp

memory/2940-76-0x0000000005740000-0x000000000584A000-memory.dmp

memory/2940-77-0x00000000053C0000-0x00000000053D2000-memory.dmp

memory/2940-78-0x0000000005630000-0x000000000566C000-memory.dmp

memory/2940-79-0x0000000005680000-0x00000000056CC000-memory.dmp