Malware Analysis Report

2024-12-06 02:40

Sample ID 241110-a9n8gsymhq
Target 574a753382ff4f9dea5eb6792a1e462b495478db830e75176c65c14fadeb7fb0
SHA256 574a753382ff4f9dea5eb6792a1e462b495478db830e75176c65c14fadeb7fb0
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

574a753382ff4f9dea5eb6792a1e462b495478db830e75176c65c14fadeb7fb0

Threat Level: Known bad

The file 574a753382ff4f9dea5eb6792a1e462b495478db830e75176c65c14fadeb7fb0 was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Detects Healer, an antivirus disabler dropper

Healer family

Modifies Windows Defender Real-time Protection settings

RedLine payload

Redline family

RedLine

Healer

Windows security modification

Executes dropped EXE

Adds Run key to start application

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:54

Signatures

Unsigned PE

Description Indicator Process Target
(no indicator rows recorded for this static signature; all fields N/A)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:54

Reported

2024-11-10 00:57

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\574a753382ff4f9dea5eb6792a1e462b495478db830e75176c65c14fadeb7fb0.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
(17 hits; description, indicator, process and target were not captured for any of them, all fields N/A)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan (ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools)
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe N/A
Note: every write comes from pro4721.exe, a 32-bit process (its crash handler in the Processes section runs from SysWOW64), and the paths are recorded under the WOW6432Node view. When auditing a host, check both HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection and its WOW6432Node copy for these five Disable* values, and confirm the effective state with Get-MpComputerStatus (RealTimeProtectionEnabled) rather than trusting the policy values alone.

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(20 hits; description, indicator, process and target were not captured for any of them, all fields N/A)

Redline family

redline

Windows security modification

evasion trojan (ATT&CK T1562.001)
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe N/A
Note: the sandbox records the write the sample made. On a host where Tamper Protection is enabled Defender guards this key, so treat the write itself as the indicator and verify the real state with Get-MpComputerStatus (IsTamperProtected) rather than assuming protection was switched off.
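The two Defender sections above (the Real-Time Protection policy values and Features\TamperProtection) are the most reusable detection content in this report. The following Python is an added example, not part of the sandbox report and not a vendor detection: it runs a rule table built from those registry paths over Sysmon-style registry "value set" events (EventID 13). The event lines are constructed for the example; the normalisation step folds the sandbox's \REGISTRY\MACHINE spelling and the WOW6432Node redirection view onto one key, so a 32-bit writer like pro4721.exe and a hypothetical 64-bit writer hit the same rule, while an administrator restoring a value or writing an unrelated key does not.

```python
"""Flag Windows Defender tampering in Sysmon-style registry 'value set' events.

Added example. The event lines are constructed to mirror the writes this
report records for pro4721.exe plus a few control cases; the rule table and
normalisation are the author's own, not a vendor detection.
"""
import re
from typing import Iterable, List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    image: str    # process that wrote the value
    setting: str  # value name, lowercase
    value: int    # DWORD that was written


# Paths relative to HKLM\SOFTWARE (lowercase, WOW6432Node removed) mapped to
# the value this sample wrote. Disable* = 1 switches the protection off;
# TamperProtection = 0 is the value pro4721.exe wrote under Features.
TAMPER_VALUES = {
    r"policies\microsoft\windows defender\real-time protection\disablebehaviormonitoring": 1,
    r"policies\microsoft\windows defender\real-time protection\disableioavprotection": 1,
    r"policies\microsoft\windows defender\real-time protection\disableonaccessprotection": 1,
    r"policies\microsoft\windows defender\real-time protection\disablerealtimemonitoring": 1,
    r"policies\microsoft\windows defender\real-time protection\disablescanonrealtimeenable": 1,
    r"microsoft\windows defender\features\tamperprotection": 0,
}

_HIVE = re.compile(r"^\\registry\\machine")   # sandbox spelling of HKLM
_WOW = re.compile(r"\\wow6432node(?=\\)")     # 32-bit redirection view
_EVENT = re.compile(r"Image=(?P<image>\S+)\s+TargetObject=(?P<key>.+?)\s+Details=(?P<details>.+)$")
_DWORD = re.compile(r"DWORD\s*\((0x[0-9a-fA-F]+)\)")


def normalize_key(path: str) -> str:
    """Reduce a registry path to lowercase, relative to HKLM\\SOFTWARE, with the
    WOW6432Node segment dropped, so the sandbox's \\REGISTRY\\MACHINE form and
    Sysmon's HKLM form, 32-bit or 64-bit view, compare equal."""
    p = _HIVE.sub("hklm", path.strip().lower())
    p = _WOW.sub("", p)
    prefix = "hklm\\software\\"
    return p[len(prefix):] if p.startswith(prefix) else p


def parse_event(line: str) -> Optional[Tuple[str, str, Optional[int]]]:
    """Return (image, normalised key, DWORD value) for a Sysmon EventID 13 line."""
    m = _EVENT.search(line)
    if not m:
        return None
    d = _DWORD.search(m["details"])
    value = int(d.group(1), 16) if d else None
    return m["image"], normalize_key(m["key"]), value


def detect_defender_tampering(lines: Iterable[str]) -> List[Finding]:
    """One Finding per event whose key and value match the tamper table."""
    findings = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        image, key, value = parsed
        if key in TAMPER_VALUES and value == TAMPER_VALUES[key]:
            findings.append(Finding(image, key.rsplit("\\", 1)[-1], value))
    return findings


# Constructed events (Sysmon EventID 13 layout, values taken from the report).
PRO = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe"
RTP32 = r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP64 = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
SAMPLE_EVENTS = [
    f"EventID=13 Image={PRO} TargetObject={RTP32}\\DisableRealtimeMonitoring Details=DWORD (0x00000001)",
    f"EventID=13 Image={PRO} TargetObject={RTP32}\\DisableBehaviorMonitoring Details=DWORD (0x00000001)",
    f"EventID=13 Image={PRO} TargetObject=HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows Defender\\Features\\TamperProtection Details=DWORD (0x00000000)",
    # hypothetical 64-bit writer using the native path: must match the same rule
    f"EventID=13 Image=C:\\Temp\\x64dropper.exe TargetObject={RTP64}\\DisableIOAVProtection Details=DWORD (0x00000001)",
    # control: an administrator restoring real-time monitoring (0) is not a hit
    f"EventID=13 Image=C:\\Windows\\System32\\gpupdate.exe TargetObject={RTP64}\\DisableRealtimeMonitoring Details=DWORD (0x00000000)",
    # control: unrelated Run key write, wrong key and not a DWORD
    r"EventID=13 Image=C:\Windows\explorer.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive Details=C:\Users\Admin\OneDrive.exe",
]

if __name__ == "__main__":
    for f in detect_defender_tampering(SAMPLE_EVENTS):
        print(f"{f.image} set {f.setting} = {f.value}")
```

The rule matches on the value the sample wrote rather than on "any change" to the key, which is why the gpupdate.exe control event (value 0) stays quiet; in production you would add the writing image to an allow-list only if it is a known policy engine, never for an executable under a user's Temp directory.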

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\574a753382ff4f9dea5eb6792a1e462b495478db830e75176c65c14fadeb7fb0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un676782.exe N/A
Note: both values are the standard cleanup hook that the Microsoft wextract (IExpress) self-extracting stub registers for its own staging directory; rundll32 advpack.dll,DelNodeRunDLL32 deletes IXP000.TMP and IXP001.TMP at the next logon. They show that the submitted file and un676782.exe are nested self-extracting packages; they do not start the payload again, so this hit is weak evidence of persistence on its own. The extracted pro4721.exe and qu3189.exe are the components that do the work.

System Location Discovery: System Language Discovery

discovery (ATT&CK T1614.001)
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\574a753382ff4f9dea5eb6792a1e462b495478db830e75176c65c14fadeb7fb0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un676782.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3189.exe N/A
Note: NLS\Language is also read by ordinary locale APIs, so a single open is weak evidence on its own. It is worth recording here because all four stages read it, which is consistent with a system-language check before the payload runs.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3189.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 468 wrote to memory of 3716 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\574a753382ff4f9dea5eb6792a1e462b495478db830e75176c65c14fadeb7fb0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un676782.exe
PID 3716 wrote to memory of 3672 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un676782.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe
PID 3716 wrote to memory of 4604 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un676782.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3189.exe
Note: each pair is a parent writing into a child it has just created (the writes that accompany a normal CreateProcess, where the parent copies startup parameters into the new process), so these rows document the spawn chain 468 -> 3716 -> {3672, 4604} rather than injection into an unrelated process. They also fix the PID-to-image mapping used elsewhere in this report: 3672 is pro4721.exe and 4604 is qu3189.exe.

Processes

C:\Users\Admin\AppData\Local\Temp\574a753382ff4f9dea5eb6792a1e462b495478db830e75176c65c14fadeb7fb0.exe

"C:\Users\Admin\AppData\Local\Temp\574a753382ff4f9dea5eb6792a1e462b495478db830e75176c65c14fadeb7fb0.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un676782.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un676782.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3672 -ip 3672

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 1080

Note: both WerFault invocations name PID 3672, which the WriteProcessMemory rows map to pro4721.exe; the Program crash signature therefore refers to the Healer component, not to the RedLine payload qu3189.exe (PID 4604). The SysWOW64 path also shows the crashed process is 32-bit.

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3189.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3189.exe
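The WriteProcessMemory rows and the WerFault command lines together give the drop chain and say which stage crashed. The following Python is an added example, not part of the sandbox report: it parses rows copied from this report's WriteProcessMemory table and the two WerFault command lines from the process list, rebuilds the parent/child tree with an event count per edge, and attributes the crash to an image name. Function and variable names are the author's own.

```python
"""Rebuild the drop chain from this report's WriteProcessMemory rows and
attribute the WerFault crash to a process.

Added example. The rows and command lines are copied from the report; the
parsing and tree rendering are the author's own.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

TMP = r"C:\Users\Admin\AppData\Local\Temp"
ROOT_EXE = TMP + r"\574a753382ff4f9dea5eb6792a1e462b495478db830e75176c65c14fadeb7fb0.exe"
UN_EXE = TMP + r"\IXP000.TMP\un676782.exe"
PRO_EXE = TMP + r"\IXP001.TMP\pro4721.exe"
QU_EXE = TMP + r"\IXP001.TMP\qu3189.exe"

# Rows as they appear in the report (Description, Indicator, Process, Target),
# each repeated three times as the sandbox logged them.
WPM_ROWS = (
    [f"PID 468 wrote to memory of 3716 N/A {ROOT_EXE} {UN_EXE}"] * 3
    + [f"PID 3716 wrote to memory of 3672 N/A {UN_EXE} {PRO_EXE}"] * 3
    + [f"PID 3716 wrote to memory of 4604 N/A {UN_EXE} {QU_EXE}"] * 3
)
WERFAULT_CMDLINES = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3672 -ip 3672",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 1080",
]

_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")
_WER_PID = re.compile(r"(?:^|\s)-p (\d+)")   # "-pss" and "-ip" do not match


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parse_wpm(rows: Iterable[str]) -> Tuple[Counter, Dict[int, str]]:
    """Count writes per (writer, target) pair and learn each PID's image."""
    edges: Counter = Counter()
    images: Dict[int, str] = {}
    for row in rows:
        m = _ROW.match(row)
        if not m:
            continue
        src, dst, src_img, dst_img = m.groups()
        edges[(int(src), int(dst))] += 1
        images.setdefault(int(src), src_img)
        images.setdefault(int(dst), dst_img)
    return edges, images


def crashed_processes(cmdlines: Iterable[str], images: Dict[int, str]) -> Dict[int, str]:
    """Map the -p <pid> of each WerFault command line to the crashed image name."""
    crashed: Dict[int, str] = {}
    for cl in cmdlines:
        if "werfault.exe" not in cl.lower():
            continue
        m = _WER_PID.search(cl)
        if m:
            pid = int(m.group(1))
            crashed[pid] = basename(images.get(pid, "<unknown>"))
    return crashed


def render_chain(edges: Counter, images: Dict[int, str]) -> List[str]:
    """Indented parent/child tree; a PID that is never a write target is a root."""
    children = defaultdict(list)
    for (src, dst), n in edges.items():
        children[src].append((dst, n))
    targets = {dst for _, dst in edges}
    lines: List[str] = []

    def walk(pid: int, depth: int, n: int) -> None:
        tag = f" ({n} WriteProcessMemory events)" if n else ""
        lines.append("  " * depth + f"{pid} {basename(images[pid])}{tag}")
        for child, count in sorted(children[pid]):
            walk(child, depth + 1, count)

    for root in sorted(p for p in images if p not in targets):
        walk(root, 0, 0)
    return lines


if __name__ == "__main__":
    e, im = parse_wpm(WPM_ROWS)
    print("\n".join(render_chain(e, im)))
    for pid, name in crashed_processes(WERFAULT_CMDLINES, im).items():
        print(f"crash: PID {pid} ({name})")
```

Run stand-alone it prints the four-process tree rooted at PID 468 and the line "crash: PID 3672 (pro4721.exe)". The same two functions work on any report in this layout; a PID that appears as a write target under two different parents would signal real cross-process injection rather than a spawn chain, and would show up as a node with two incoming edges.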

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 176.113.115.145:4125 - tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
RU 176.113.115.145:4125 - tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
RU 176.113.115.145:4125 - tcp
RU 176.113.115.145:4125 - tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
RU 176.113.115.145:4125 - tcp
RU 176.113.115.145:4125 - tcp

Note: the UDP rows are reverse (PTR) lookups to the resolver; no forward lookup precedes any of the TCP sessions, so the sample reached 176.113.115.145 on port 4125 by address rather than by name. That host is contacted six times during the run and is the only destination other than the resolver, which makes 176.113.115.145:4125 the network indicator to block and hunt for.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un676782.exe

MD5 e8c0157300b3705d2c72104de670655c
SHA1 aa6129cf0823ce61f03e326e3b9b1b78c3aa5a5f
SHA256 2d76fa6e21b6648c25fd6bad3f651688289c826caac1df16658f8557deccd3eb
SHA512 0514cbd5e86fa396707f7bf49c39e721e5b64ec07f2aa2c1d79a665a22ab2d1745be03c365cd9f84e5d78fcc785c7c0a721897b8e9874fb116a7b1041f968011

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe

MD5 bc64a40a5f6d6293540b10f2d3a93bce
SHA1 dcd1552d439786ae445cec36af5f438ea7f52ab8
SHA256 588c29046d905c33e9491deeda2ec2664953ee56ff851e8d08f389e125e637f0
SHA512 51f2b046619235f9dd961dd5e8e4f07aac04a0fca75770dc331370efa291ab9551cc0073302b4481f549571f6a8283f57b4dce7f2060963d8b8a6463676abd85

memory/3672-15-0x0000000000840000-0x0000000000940000-memory.dmp

memory/3672-16-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3672-17-0x0000000000400000-0x00000000004B1000-memory.dmp

memory/3672-18-0x0000000000400000-0x00000000004B1000-memory.dmp

memory/3672-19-0x0000000002280000-0x000000000229A000-memory.dmp

memory/3672-20-0x0000000004E50000-0x00000000053F4000-memory.dmp

memory/3672-21-0x0000000002470000-0x0000000002488000-memory.dmp

memory/3672-33-0x0000000002470000-0x0000000002482000-memory.dmp

memory/3672-47-0x0000000002470000-0x0000000002482000-memory.dmp

memory/3672-49-0x0000000002470000-0x0000000002482000-memory.dmp

memory/3672-45-0x0000000002470000-0x0000000002482000-memory.dmp

memory/3672-43-0x0000000002470000-0x0000000002482000-memory.dmp

memory/3672-41-0x0000000002470000-0x0000000002482000-memory.dmp

memory/3672-39-0x0000000002470000-0x0000000002482000-memory.dmp

memory/3672-37-0x0000000002470000-0x0000000002482000-memory.dmp

memory/3672-35-0x0000000002470000-0x0000000002482000-memory.dmp

memory/3672-31-0x0000000002470000-0x0000000002482000-memory.dmp

memory/3672-30-0x0000000002470000-0x0000000002482000-memory.dmp

memory/3672-27-0x0000000002470000-0x0000000002482000-memory.dmp

memory/3672-25-0x0000000002470000-0x0000000002482000-memory.dmp

memory/3672-23-0x0000000002470000-0x0000000002482000-memory.dmp

memory/3672-22-0x0000000002470000-0x0000000002482000-memory.dmp

memory/3672-50-0x0000000000840000-0x0000000000940000-memory.dmp

memory/3672-51-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3672-54-0x0000000000400000-0x00000000004B1000-memory.dmp

memory/3672-55-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3189.exe

MD5 84060c0509dc244e0ac7c957864d9824
SHA1 94cea3d6cdb604a825704b3f6de3dd45c2488c14
SHA256 a4527dd3ef55bf8235f24a68419531cd81b3b525bd7eda98513e29af562798af
SHA512 5990e70506005e0e8a0303ca82f7f92b030bedc61f967bb31d5c6a7d67705ac14ac2662e06b2d0f11766e311dcd715d0c65e3b10bbea7f4d9a70083625c315cc

memory/4604-60-0x0000000004A20000-0x0000000004A66000-memory.dmp

memory/4604-61-0x0000000004AA0000-0x0000000004AE4000-memory.dmp

memory/4604-81-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

memory/4604-79-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

memory/4604-93-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

memory/4604-92-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

memory/4604-89-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

memory/4604-87-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

memory/4604-85-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

memory/4604-83-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

memory/4604-77-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

memory/4604-75-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

memory/4604-73-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

memory/4604-71-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

memory/4604-95-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

memory/4604-69-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

memory/4604-67-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

memory/4604-65-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

memory/4604-63-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

memory/4604-62-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

memory/4604-968-0x0000000005100000-0x0000000005718000-memory.dmp

memory/4604-969-0x0000000005790000-0x000000000589A000-memory.dmp

memory/4604-970-0x00000000058D0000-0x00000000058E2000-memory.dmp

memory/4604-971-0x00000000058F0000-0x000000000592C000-memory.dmp

memory/4604-972-0x0000000005A40000-0x0000000005A8C000-memory.dmp