Malware Analysis Report

2024-12-06 02:40

Sample ID 241110-a9zzzswcjk
Target dc9e0aa566812292dc853b970823c1c8e7f04fd5251804d5d8a5e944c1eafe2fN
SHA256 dc9e0aa566812292dc853b970823c1c8e7f04fd5251804d5d8a5e944c1eafe2f
Tags
healer redline mango discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dc9e0aa566812292dc853b970823c1c8e7f04fd5251804d5d8a5e944c1eafe2f

Threat Level: Known bad

The file dc9e0aa566812292dc853b970823c1c8e7f04fd5251804d5d8a5e944c1eafe2fN was found to be: Known bad.

Malicious Activity Summary

healer redline mango discovery dropper evasion infostealer persistence trojan

Healer

Redline family

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Healer family

Detects Healer, an antivirus disabler dropper

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:55

Signatures

Unsigned PE

Description Indicator Process Target
(no indicator rows recorded for this signature)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:55

Reported

2024-11-10 00:57

Platform

win10v2004-20241007-en

Max time kernel

113s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc9e0aa566812292dc853b970823c1c8e7f04fd5251804d5d8a5e944c1eafe2fN.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
(no indicator rows recorded for this signature)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

The two payloads dropped into IXP002.TMP each write the same five Real-Time Protection policy values. b0601FH.exe writes the native HKLM\SOFTWARE\Policies path; c55db11.exe's writes are recorded under WOW6432Node, consistent with it being a 32-bit process (its memory dumps in the Files section all lie below 4 GB, while b0601FH.exe has a region at 0x7FFC727E3000). Rows are grouped by process.

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0601FH.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0601FH.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0601FH.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0601FH.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0601FH.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0601FH.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c55db11.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c55db11.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c55db11.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c55db11.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c55db11.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c55db11.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(no indicator rows recorded for this signature)

Redline family

redline

Windows security modification

evasion trojan

TamperProtection under HKLM\SOFTWARE\Microsoft\Windows Defender\Features is Defender's own state value rather than a policy. Tamper Protection, where enabled, exists precisely to reject this class of change (turning off real-time, behavior and IOAV protection through the registry); the report records only that the writes were attempted, not whether Defender honored them.

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0601FH.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c55db11.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c55db11.exe N/A
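The two registry tables above (Real-Time Protection policies and the TamperProtection value) are the kind of evidence a detection engineer wants to triage mechanically: which process wrote which Defender-disabling value, and whether it did so through the native or the WOW6432Node path. The following Python is an added example for this report, not code from the sandbox or the malware. Its sample rows are copied from the two tables above plus one constructed benign control row; the watch-list of key/value/data combinations, the row layout it assumes, and the function names are my own.

```python
r"""Flag Windows Defender-disabling registry writes in sandbox 'Set value' rows.

Added example for this report; it is neither the sandbox's code nor the
malware's. REPORT_ROWS is copied from the report's two registry tables plus
one constructed benign control row. The parser, the watch-list and the row
layout it assumes are mine:
    Set value (<type>) <key>\<value> = "<data>" <process> <target>
"""
import re
from collections import defaultdict

# Watch-list assembled for this example: writing this data to this value turns a
# Defender protection off. Keys are compared with the hive prefix and any
# WOW6432Node component stripped, so 32-bit and 64-bit writers compare equal.
DEFENDER_WATCHLIST = {
    r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection": {
        "DisableRealtimeMonitoring": "1",
        "DisableBehaviorMonitoring": "1",
        "DisableIOAVProtection": "1",
        "DisableOnAccessProtection": "1",
        "DisableScanOnRealtimeEnable": "1",
    },
    r"SOFTWARE\Microsoft\Windows Defender\Features": {"TamperProtection": "0"},
}

ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\MACHINE\\.+?)'
    r' = "(?P<data>[^"]*)" (?P<process>\S+) (?P<target>\S+)$'
)

REPORT_ROWS = [
    # b0601FH.exe, native policy path (copied from the report)
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0601FH.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0601FH.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0601FH.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0601FH.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0601FH.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0601FH.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0601FH.exe N/A',
    # c55db11.exe, WOW6432Node path (copied from the report)
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c55db11.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c55db11.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c55db11.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c55db11.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c55db11.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c55db11.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c55db11.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c55db11.exe N/A',
    # constructed control row, not in the report: re-enabling write, must not match
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" C:\Windows\System32\svchost.exe N/A',
]


def normalize_key(path):
    """Split a registry value path into (key, value_name, via_wow64), dropping
    the hive prefix and the WOW6432Node redirection component."""
    via_wow64 = "\\WOW6432Node\\" in path
    stripped = path.replace("\\REGISTRY\\MACHINE\\", "").replace("\\WOW6432Node\\", "\\")
    key, _, value_name = stripped.rpartition("\\")
    return key, value_name, via_wow64


def parse_row(line):
    """Parse one 'Set value' row; return None for any other row type."""
    m = ROW_RE.match(line.strip())
    if m is None:
        return None
    key, value_name, via_wow64 = normalize_key(m["path"])
    return {"key": key, "value": value_name, "data": m["data"],
            "process": m["process"], "via_wow64": via_wow64}


def find_defender_tampering(lines):
    """Group watch-list hits by the writing process.

    Returns {process: [(key, value_name, data, via_wow64), ...]}. Rows that are
    not 'Set value', or that set a watched value to other data (the control
    row writes DisableRealtimeMonitoring = "0"), are ignored.
    """
    findings = defaultdict(list)
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        wanted = DEFENDER_WATCHLIST.get(row["key"], {}).get(row["value"])
        if wanted is not None and row["data"] == wanted:
            findings[row["process"]].append(
                (row["key"], row["value"], row["data"], row["via_wow64"]))
    return dict(findings)


def disabled_protections(findings, process):
    """Sorted names of the protections a given process turned off."""
    return sorted(hit[1] for hit in findings.get(process, []))


if __name__ == "__main__":
    found = find_defender_tampering(REPORT_ROWS)
    for process, hits in found.items():
        view = "WOW6432Node" if hits[0][3] else "native"
        print(f"{process} [{view}]: {', '.join(disabled_protections(found, process))}")
```

Run against the report's rows, both IXP002.TMP payloads come out with the same six settings, one through the native path and one through WOW6432Node; the "Key created" rows and the control row produce no finding. Comparing data as well as the value name matters: a legitimate re-enable writes the same value names with "0".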

Adds Run key to start application

persistence

Despite the signature name, these three RunOnce values do not relaunch the malware. They are the standard cleanup entries written by wextract.exe (the IExpress self-extractor), which unpacks each package into %TEMP%\IXP00N.TMP and registers a wextract_cleanupN RunOnce value that deletes that directory via advpack.dll's DelNodeRunDLL32 at the next logon. Their presence shows the sample is three nested self-extracting packages (the sample, then tice6360.exe, then tice0184.exe), with the final payloads dropped into IXP002.TMP. No Run or RunOnce entry pointing at any dropped executable is recorded.

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\dc9e0aa566812292dc853b970823c1c8e7f04fd5251804d5d8a5e944c1eafe2fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice6360.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0184.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0184.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c55db11.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dftFL70.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dc9e0aa566812292dc853b970823c1c8e7f04fd5251804d5d8a5e944c1eafe2fN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice6360.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0601FH.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c55db11.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dftFL70.exe N/A

Suspicious use of WriteProcessMemory

Process creation writes the new child's startup parameters into it, so these rows map every parent/child pair in the run. Repeated rows are separate write events into the same child and are collapsed here with a count.

Description Indicator Process Target
PID 1560 wrote to memory of 3364 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\dc9e0aa566812292dc853b970823c1c8e7f04fd5251804d5d8a5e944c1eafe2fN.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice6360.exe
PID 3364 wrote to memory of 3616 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice6360.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0184.exe
PID 3616 wrote to memory of 1724 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0184.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0601FH.exe
PID 3616 wrote to memory of 4708 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0184.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c55db11.exe
PID 3364 wrote to memory of 4784 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice6360.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dftFL70.exe
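The rows above, together with the IXP00N.TMP staging directories from the RunOnce section, are enough to rebuild the full drop chain without the sandbox's process viewer. The following Python is an added example for this report, not sandbox tooling. Its input reproduces the WriteProcessMemory rows above (same parents, children, paths and event counts, assembled from the path fragments); the row layout it assumes, the nesting-level rule based on the IXP directory number, and the function names are my own.

```python
r"""Rebuild the process tree from a sandbox 'wrote to memory of' table.

Added example for this report, not sandbox tooling. REPORT_ROWS reproduces
the report's WriteProcessMemory rows. Process creation writes the new child's
startup parameters into it, which is why every parent/child pair appears in
that table; repeated rows are separate write events and are counted here,
not discarded. Assumed row layout (mine):
    PID <parent> wrote to memory of <child> N/A <parent path> <child path>
"""
import re
from collections import Counter, defaultdict

ROW_RE = re.compile(
    r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) N/A "
    r"(?P<parent_path>\S+) (?P<child_path>\S+)$"
)
# WExtract (the IExpress self-extractor) unpacks each nested package into
# %TEMP%\IXP<nnn>.TMP, so the directory number gives the nesting level.
IXP_RE = re.compile(r"\\IXP(\d{3})\.TMP\\", re.IGNORECASE)

_T = r"C:\Users\Admin\AppData\Local\Temp"
_SAMPLE = _T + r"\dc9e0aa566812292dc853b970823c1c8e7f04fd5251804d5d8a5e944c1eafe2fN.exe"
_TICE6360 = _T + r"\IXP000.TMP\tice6360.exe"
_TICE0184 = _T + r"\IXP001.TMP\tice0184.exe"
_B0601FH = _T + r"\IXP002.TMP\b0601FH.exe"
_C55DB11 = _T + r"\IXP002.TMP\c55db11.exe"
_DFTFL70 = _T + r"\IXP001.TMP\dftFL70.exe"


def _row(parent, child, parent_path, child_path):
    return f"PID {parent} wrote to memory of {child} N/A {parent_path} {child_path}"


# Same pairs, order and repetition counts as the report's table.
REPORT_ROWS = (
    [_row(1560, 3364, _SAMPLE, _TICE6360)] * 3
    + [_row(3364, 3616, _TICE6360, _TICE0184)] * 3
    + [_row(3616, 1724, _TICE0184, _B0601FH)] * 2
    + [_row(3616, 4708, _TICE0184, _C55DB11)] * 3
    + [_row(3364, 4784, _TICE6360, _DFTFL70)] * 3
)


def parse_rows(lines):
    """Return (Counter{(parent, child): write_events}, {pid: image path})."""
    edges, paths = Counter(), {}
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m is None:
            continue  # other row types are ignored
        parent, child = int(m["parent"]), int(m["child"])
        edges[(parent, child)] += 1
        paths[parent] = m["parent_path"]
        paths[child] = m["child_path"]
    return edges, paths


def build_tree(edges):
    """Return (roots, {parent: [children in first-seen order]})."""
    children = defaultdict(list)
    for parent, child in edges:  # Counter keeps insertion order
        if child not in children[parent]:
            children[parent].append(child)
    all_children = {child for _, child in edges}
    roots = sorted({parent for parent, _ in edges} - all_children)
    return roots, dict(children)


def staging_depth(path):
    """0 for the original sample, n+1 for a file dropped into IXP00n.TMP."""
    m = IXP_RE.search(path)
    return int(m.group(1)) + 1 if m else 0


def max_nesting(paths):
    """Deepest WExtract staging level seen across all processes."""
    return max(staging_depth(p) for p in paths.values())


def render(roots, children, paths, edges):
    """Indented one-line-per-process view with nesting level and write counts."""
    out = []

    def walk(pid, depth, writes):
        tag = f"  <- {writes} write events from parent" if writes else ""
        out.append(f"{'  ' * depth}PID {pid}  stage {staging_depth(paths[pid])}  {paths[pid]}{tag}")
        for child in children.get(pid, []):
            walk(child, depth + 1, edges[(pid, child)])

    for root in roots:
        walk(root, 0, 0)
    return out


if __name__ == "__main__":
    edges, paths = parse_rows(REPORT_ROWS)
    roots, children = build_tree(edges)
    print("\n".join(render(roots, children, paths, edges)))
    print("nesting levels:", max_nesting(paths))
```

The tree this produces has one root (PID 1560, the sample) and three staging levels, which matches the three wextract_cleanup RunOnce values: the payloads in IXP002.TMP (b0601FH.exe and c55db11.exe) sit three self-extractor layers deep, while dftFL70.exe is dropped one layer up by tice6360.exe. The WerFault.exe instances do not appear because the report records no memory writes into them.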

Processes

Parent/child relationships and PIDs are taken from the WriteProcessMemory rows above; the two WerFault.exe instances are Windows Error Reporting handling the crash of PID 4708 (c55db11.exe), per their -p 4708 arguments. Command lines are shown only where they differ from the image path.

PID 1560  C:\Users\Admin\AppData\Local\Temp\dc9e0aa566812292dc853b970823c1c8e7f04fd5251804d5d8a5e944c1eafe2fN.exe
          "C:\Users\Admin\AppData\Local\Temp\dc9e0aa566812292dc853b970823c1c8e7f04fd5251804d5d8a5e944c1eafe2fN.exe"
  PID 3364  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice6360.exe
    PID 3616  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0184.exe
      PID 1724  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0601FH.exe
      PID 4708  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c55db11.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4708 -ip 4708
        C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 1080
    PID 4784  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dftFL70.exe

Network

Every UDP row is a reverse-DNS (PTR) lookup sent to 8.8.8.8; the only other traffic is four TCP connections to 193.233.20.28:4125 (RU), for which no domain was resolved. The report does not attribute the connections to a process.

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 193.233.20.28:4125 - tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
RU 193.233.20.28:4125 - tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
RU 193.233.20.28:4125 - tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
RU 193.233.20.28:4125 - tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice6360.exe

MD5 aa4a1d4b879d35a8bc26b3918ac534bd
SHA1 d7d55601d1ab19330cc4ece69e9d05302fc3cf10
SHA256 1d135f4c70079d3a84084a1be45636480927e2cb4b0752001dcec8a4935a5d48
SHA512 337a0649d1cb9bb4096be07f8e2c74823ce470f3a654e44ba87f6c8b9a9fc962be88079b7c07e03a7f65b877cacd812d8e82b1891434d73ec1846fb223b23157

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0184.exe

MD5 f51d8956ac43c6e109e4f5bc02a80126
SHA1 29d51a9f653de27825e17b7a46b0b9ca64ce66f0
SHA256 cdfc85b510ac7a75eaa6c40345060570ebcb4abbf752937b2265f349157ca0f2
SHA512 d79fb0a23e4fbeb64eacc5eae530c3266b52ce3e20d6049199d5d43e793a1174e41c71b194af78195235f41077a57f8405ead3c8525463e9b953955c4939f816

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0601FH.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/1724-21-0x00007FFC727E3000-0x00007FFC727E5000-memory.dmp

memory/1724-22-0x00000000004A0000-0x00000000004AA000-memory.dmp

memory/1724-23-0x00007FFC727E3000-0x00007FFC727E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c55db11.exe

MD5 e4086080e9d4303da9df36cb0d0d1046
SHA1 853c4ffa4f3f199e618ad13a80c59c7a9b188fa1
SHA256 60191ba0f6522e71926deb4a36a0bd0cb68ae056d01ab665fba41ddaa2da3a81
SHA512 048b80e9cb062ab505468fb7025083f10e981a63e0973909f49fe9ea690199234d28928114ee68de9d9ab63fb26b28999a353e069e35897969defe79fccd9859

memory/4708-29-0x0000000004AC0000-0x0000000004ADA000-memory.dmp

memory/4708-30-0x0000000007150000-0x00000000076F4000-memory.dmp

memory/4708-31-0x00000000070B0000-0x00000000070C8000-memory.dmp

memory/4708-{32,33,35,37,39,41,43,45,47,49,51,53,55,57,59}-0x00000000070B0000-0x00000000070C2000-memory.dmp (15 snapshots of the same region)

memory/4708-60-0x0000000000400000-0x0000000002B1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dftFL70.exe

MD5 00b8c379e1c09ba5a55d31f64f90282e
SHA1 55973e9db3bd0a93e65e74795a52f53f1a6aaa65
SHA256 d202b037f237fb947e37b4533de6dd0a7e39672182f26bc43b45c8629bb47c49
SHA512 bc1130b078a68ddbfb4655128b7950b6d3f68c106fa6142264943ac1f0bdb12193b5f2cdd9a45a1d4ba93b2ffa02f8ab05d35285b37d1c1d51debb4b8cc91190

memory/4708-62-0x0000000000400000-0x0000000002B1B000-memory.dmp (PID 4708 is c55db11.exe above; this dump follows the dftFL70.exe entry only by report ordering)

memory/4784-67-0x0000000004C30000-0x0000000004C76000-memory.dmp

memory/4784-68-0x0000000004CC0000-0x0000000004D04000-memory.dmp

memory/4784-{69,70,72,74,76,78,80,82,84,86,88,91,92,94,96,98,100,102}-0x0000000004CC0000-0x0000000004CFE000-memory.dmp (18 snapshots of the same region)

memory/4784-975-0x0000000007830000-0x0000000007E48000-memory.dmp

memory/4784-976-0x0000000007E50000-0x0000000007F5A000-memory.dmp

memory/4784-977-0x0000000007250000-0x0000000007262000-memory.dmp

memory/4784-978-0x0000000007F60000-0x0000000007F9C000-memory.dmp

memory/4784-979-0x00000000080B0000-0x00000000080FC000-memory.dmp