Malware Analysis Report

2024-12-06 02:43

Sample ID 241110-ax9zeswaln
Target 1a512e4c6cebcff3e320ca851156a13c7ca18ee9ee6a0892757c387e0443b7e3
SHA256 1a512e4c6cebcff3e320ca851156a13c7ca18ee9ee6a0892757c387e0443b7e3
Tags
healer redline gena discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1a512e4c6cebcff3e320ca851156a13c7ca18ee9ee6a0892757c387e0443b7e3

Threat Level: Known bad

The file 1a512e4c6cebcff3e320ca851156a13c7ca18ee9ee6a0892757c387e0443b7e3 was found to be: Known bad.

Malicious Activity Summary

healer redline gena discovery dropper evasion infostealer persistence trojan

RedLine

Modifies Windows Defender Real-time Protection settings

RedLine payload

Healer

Detects Healer an antivirus disabler dropper

Redline family

Healer family

Windows security modification

Executes dropped EXE

Adds Run key to start application

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:36

Signatures

Unsigned PE

Description Indicator Process Target
(no indicator details recorded for this signature)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:36

Reported

2024-11-10 00:39

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a512e4c6cebcff3e320ca851156a13c7ca18ee9ee6a0892757c387e0443b7e3.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
(no indicator details recorded for this signature)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Both second-stage executables switch off the same five real-time protection features by policy (DisableRealtimeMonitoring, DisableBehaviorMonitoring, DisableIOAVProtection, DisableOnAccessProtection and DisableScanOnRealtimeEnable, each set to 1). pro0098.exe, a 64-bit image (its memory dumps lie at 0x00007FFE...), writes the native HKLM\SOFTWARE\Policies path; qu3147.exe, a 32-bit image (its crash is handled by C:\Windows\SysWOW64\WerFault.exe), writes the same values through the WOW6432Node view. These keys are writable only with administrative rights, and the rows record the write calls, not whether Defender honoured them.
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro0098.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro0098.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro0098.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro0098.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro0098.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu3147.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu3147.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu3147.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro0098.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu3147.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu3147.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu3147.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(no indicator details recorded for this signature)

Redline family

redline

Windows security modification

evasion trojan

Both executables also set HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection to 0. On a host where Tamper Protection is on, Defender blocks direct changes to that value, so treat this row as an attempt; the effective state has to be read back from Defender itself (for example the IsTamperProtected field of Get-MpComputerStatus).
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro0098.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu3147.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu3147.exe N/A

Adds Run key to start application

persistence

The three values below are the cleanup entries that wextract.exe, the IExpress self-extractor, registers for every IXPnnn.TMP directory it unpacks: each one runs advpack.dll's DelNodeRunDLL32 at the next logon to delete that directory and launches no program. They confirm three nested self-extracting layers (IXP000, IXP001, IXP002); this analysis records no Run or RunOnce value that points at a dropped executable, so the signature name overstates the persistence here.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1a512e4c6cebcff3e320ca851156a13c7ca18ee9ee6a0892757c387e0443b7e3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio5138.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio9847.exe N/A
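The following Python is added here as an example and is not part of the sandbox output. It applies the two registry checks above to events in the shape this report records them: it folds the WOW6432Node view into the native path so the writes of the 32-bit qu3147.exe and the 64-bit pro0098.exe compare equal, flags the Real-Time Protection policy writes and the TamperProtection write as ATT&CK T1562.001, and separates wextract's RunOnce cleanup entries from values that would actually autostart a program. The events are copied from the tables above; the final Run\Updater entry is a hypothetical counter-example that does not occur in this analysis.

```python
"""Triage of the registry events above (added example, not sandbox output).

Each event is (action, key path, data, writing process) as the signature
tables list them; the last Updater entry is hypothetical.
"""
import ntpath
import re
from dataclasses import dataclass

TMP = r"C:\Users\Admin\AppData\Local\Temp"
RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP32 = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
EVENTS = [
    ("Set value (int)", RTP + r"\DisableBehaviorMonitoring", "1", TMP + r"\IXP002.TMP\pro0098.exe"),
    ("Set value (int)", RTP + r"\DisableRealtimeMonitoring", "1", TMP + r"\IXP002.TMP\pro0098.exe"),
    ("Set value (int)", RTP32 + r"\DisableRealtimeMonitoring", "1", TMP + r"\IXP002.TMP\qu3147.exe"),
    ("Set value (int)", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection",
     "0", TMP + r"\IXP002.TMP\pro0098.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language",
     None, TMP + r"\IXP001.TMP\rBB06s91.exe"),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
     TMP + r"\1a512e4c6cebcff3e320ca851156a13c7ca18ee9ee6a0892757c387e0443b7e3.exe"),
    # Hypothetical, NOT in the report: what a genuine autostart value looks like.
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     r"C:\Users\Admin\AppData\Roaming\updater.exe", TMP + r"\IXP001.TMP\rBB06s91.exe"),
]

RTP_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection".lower()
DEFENDER_FEATURES = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features".lower()
AUTORUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
# What wextract.exe registers to delete its IXPnnn.TMP directory; it starts nothing.
SFX_CLEANUP = re.compile(r'^rundll32\.exe\s+\S*advpack\.dll,DelNodeRunDLL32\s+"([^"]+)"$', re.I)


@dataclass
class Finding:
    process: str
    technique: str
    detail: str


def normalize_key(path: str) -> str:
    r"""Rewrite \REGISTRY\MACHINE as HKLM and fold the WOW6432Node view into
    the native path, so 32-bit and 64-bit writers of the same key match."""
    p = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    return re.sub(r"\\WOW6432Node\\", r"\\", p, flags=re.I)


def split_key(path: str):
    key, _, name = normalize_key(path).rpartition("\\")
    return key, name


def find_defender_tampering(events):
    """T1562.001: writes that switch off Defender real-time features or its tamper switch."""
    findings = []
    for action, path, data, process in events:
        if not action.startswith("Set value"):
            continue
        key, name = split_key(path)
        proc = ntpath.basename(process)
        if key.lower() == RTP_POLICY and name.lower().startswith("disable") and data == "1":
            findings.append(Finding(proc, "T1562.001", f"{name}=1 under Real-Time Protection policy"))
        elif key.lower() == DEFENDER_FEATURES and name.lower() == "tamperprotection" and data == "0":
            # Recorded as an attempt: with Tamper Protection on, Defender rejects this write.
            findings.append(Finding(proc, "T1562.001", "TamperProtection=0 (attempt)"))
    return findings


def classify_autoruns(events):
    """Return (value name, kind, target) for every Run/RunOnce write, where kind is
    'sfx-cleanup' for wextract's delete-directory entry and 'autostart' otherwise."""
    out = []
    for action, path, data, process in events:
        if action != "Set value (str)":
            continue
        key, name = split_key(path)
        if not AUTORUN_KEY.search(key):
            continue
        m = SFX_CLEANUP.match(data)
        if m and re.fullmatch(r"wextract_cleanup\d+", name, re.I):
            out.append((name, "sfx-cleanup", m.group(1)))
        else:
            out.append((name, "autostart", data))
    return out


if __name__ == "__main__":
    for f in find_defender_tampering(EVENTS):
        print(f"{f.technique} {f.process}: {f.detail}")
    for name, kind, target in classify_autoruns(EVENTS):
        print(f"{kind:12} {name} -> {target}")
```

Run as-is it reports four T1562.001 findings (three real-time protection policy values, one TamperProtection attempt) and two autorun writes, of which only the hypothetical Updater entry is classed as autostart. Feeding it Sysmon Event ID 13 records needs only a small adapter that maps TargetObject and Details onto the tuple shape used here.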

System Location Discovery: System Language Discovery

discovery

The report records only the open of the NLS\Language key; the value read and any decision made on it are not captured, so these rows show a locale lookup, not a locale-based exit.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rBB06s91.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1a512e4c6cebcff3e320ca851156a13c7ca18ee9ee6a0892757c387e0443b7e3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio5138.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio9847.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu3147.exe N/A

Suspicious use of AdjustPrivilegeToken

All three payload-stage executables enable SeDebugPrivilege, which is present only in an administrator's token and is the usual prerequisite for opening handles to processes of other users (compare the EnumeratesProcesses tag in the summary).

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro0098.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu3147.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rBB06s91.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1184 wrote to memory of 4580 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\1a512e4c6cebcff3e320ca851156a13c7ca18ee9ee6a0892757c387e0443b7e3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio5138.exe
PID 4580 wrote to memory of 2388 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio5138.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio9847.exe
PID 2388 wrote to memory of 3684 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio9847.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro0098.exe
PID 2388 wrote to memory of 4852 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio9847.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu3147.exe
PID 4580 wrote to memory of 4424 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio5138.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rBB06s91.exe

Every row is a parent writing into a child it has just spawned (the same pairs make up the Processes list below). Sandboxes record such writes for ordinary process creation as well, so these rows document the spawn chain and do not by themselves show injection into an unrelated process.
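The spawn chain in the table above can be rebuilt mechanically. The following Python is an added example, not part of the report: it takes the parent/child rows as listed (repeats included), counts the writes per pair, finds the root process, and renders the tree with the IXPnnn.TMP extraction layer that dropped each image.

```python
"""Rebuild the process tree from this report's WriteProcessMemory rows
(added example, not sandbox output).

Each row is (parent PID, child PID, parent image, child image) as the table
lists it, repeated as often as the report repeats it.
"""
import ntpath
import re
from collections import Counter, defaultdict

TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TMP + r"\1a512e4c6cebcff3e320ca851156a13c7ca18ee9ee6a0892757c387e0443b7e3.exe"
UNIO5138 = TMP + r"\IXP000.TMP\unio5138.exe"
UNIO9847 = TMP + r"\IXP001.TMP\unio9847.exe"
WRITES = (
    [(1184, 4580, SAMPLE, UNIO5138)] * 3
    + [(4580, 2388, UNIO5138, UNIO9847)] * 3
    + [(2388, 3684, UNIO9847, TMP + r"\IXP002.TMP\pro0098.exe")] * 2
    + [(2388, 4852, UNIO9847, TMP + r"\IXP002.TMP\qu3147.exe")] * 3
    + [(4580, 4424, UNIO5138, TMP + r"\IXP001.TMP\rBB06s91.exe")] * 3
)

# wextract.exe unpacks each self-extracting layer into %TEMP%\IXPnnn.TMP,
# so the directory in an image path names the layer that dropped it.
STAGE = re.compile(r"\\(IXP\d{3}\.TMP)\\", re.I)


def build_tree(writes):
    """Return (root PIDs, children per PID in first-seen order, image per PID,
    write count per parent/child pair)."""
    children = defaultdict(list)
    images = {}
    counts = Counter()
    for ppid, cpid, pimg, cimg in writes:
        images.setdefault(ppid, pimg)
        images.setdefault(cpid, cimg)
        counts[(ppid, cpid)] += 1
        if cpid not in children[ppid]:
            children[ppid].append(cpid)
    spawned = {c for cs in children.values() for c in cs}
    roots = [pid for pid in images if pid not in spawned]
    return roots, children, images, counts


def stage_of(image):
    """Extraction layer (e.g. 'IXP002.TMP') of an image path, or None."""
    m = STAGE.search(image)
    return m.group(1).upper() if m else None


def render(writes):
    """Indented tree lines: '<image> (PID n) [IXPnnn.TMP]'."""
    roots, children, images, _ = build_tree(writes)
    lines = []

    def walk(pid, depth):
        stage = stage_of(images[pid])
        tag = f" [{stage}]" if stage else ""
        lines.append(f"{'  ' * depth}{ntpath.basename(images[pid])} (PID {pid}){tag}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(WRITES)))
```

The rendered tree has one root (PID 1184) and places pro0098.exe and qu3147.exe under unio9847.exe at the third extraction layer, with rBB06s91.exe as a second child of unio5138.exe at the second layer.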

Processes

Process tree, with PIDs taken from the WriteProcessMemory rows above. Each IXPnnn.TMP directory is one layer of wextract/IExpress self-extraction; child command lines are the bare image path unless shown; the WerFault.exe lines are crash reporting for PID 4852.

PID 1184  C:\Users\Admin\AppData\Local\Temp\1a512e4c6cebcff3e320ca851156a13c7ca18ee9ee6a0892757c387e0443b7e3.exe
          "C:\Users\Admin\AppData\Local\Temp\1a512e4c6cebcff3e320ca851156a13c7ca18ee9ee6a0892757c387e0443b7e3.exe"
  PID 4580  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio5138.exe
    PID 2388  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio9847.exe
      PID 3684  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro0098.exe
      PID 4852  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu3147.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4852 -ip 4852
                C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 1080
    PID 4424  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rBB06s91.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
RU 193.233.20.30:4125 (none) tcp (5 connections)

The UDP flows are reverse-DNS (PTR) queries sent to Google Public DNS. The only non-DNS traffic is the repeated TCP connection to 193.233.20.30:4125, which the report does not attribute to a process or decode.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio5138.exe

MD5 8fda1d1958ff2c08aefe76612425f45d
SHA1 61ea175e6535e281e071812e133f74ad948dcc8a
SHA256 eb48c186b384d3aba1d267b1d404f5cfa35368ec3703c31ad1e5dbc9546019e5
SHA512 2d3b3ead90e4bebdd1cee8530a86c7d35fc3bebd7ddb54467bddae263f1342493e36a7aac3e22f834eadd405d8eac026be0dc0af06b26598c488b081a122be10

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio9847.exe

MD5 d10095c846bd8ecb8a691fb16fd9cc8c
SHA1 526b64ffffdd4ace6f4a3a1d7ac4ad9c723b2986
SHA256 2ea54561e0b4ffa6c6237f652f1a6cabba15a78a7f05e8b7a8e170fe2bbfff62
SHA512 1a458c8196c398f328a606c3b380b26d0b0bcdb32bfec54b3e9d583aba148bb90aed6fc07710bf717105cf381bb65a7b85dc0cf8c96d52a4a2c8f61f82e0bca1

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro0098.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Memory dumps (PID 3684, pro0098.exe; the 0x00007FFE... ranges mark a 64-bit process):
memory/3684-21-0x00007FFED0A33000-0x00007FFED0A35000-memory.dmp
memory/3684-22-0x00000000007C0000-0x00000000007CA000-memory.dmp
memory/3684-23-0x00007FFED0A33000-0x00007FFED0A35000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu3147.exe

MD5 b1860d61eda970babae648b463a2e680
SHA1 7fb8659827f58ddc702ced682d45b72a5a8b9e6f
SHA256 53ee29b247751ae664c5a8a1538700aa888a7e712cf4f68ea0ffb0be9ffeffef
SHA512 b050190639a57acf11cd62564f5e32c651aafa082776d5aacf9aab3987e8428415af1d982e5a7d9c8714d80c69c5070c7b41d5b584c6f88c421abe7d1f876a39

Memory dumps (PID 4852, qu3147.exe; ordered by dump index):
memory/4852-29-0x0000000002280000-0x000000000229A000-memory.dmp
memory/4852-30-0x0000000004DE0000-0x0000000005384000-memory.dmp
memory/4852-31-0x00000000027E0000-0x00000000027F8000-memory.dmp
memory/4852-32-0x00000000027E0000-0x00000000027F2000-memory.dmp
memory/4852-33-0x00000000027E0000-0x00000000027F2000-memory.dmp
memory/4852-35-0x00000000027E0000-0x00000000027F2000-memory.dmp
memory/4852-37-0x00000000027E0000-0x00000000027F2000-memory.dmp
memory/4852-39-0x00000000027E0000-0x00000000027F2000-memory.dmp
memory/4852-41-0x00000000027E0000-0x00000000027F2000-memory.dmp
memory/4852-43-0x00000000027E0000-0x00000000027F2000-memory.dmp
memory/4852-45-0x00000000027E0000-0x00000000027F2000-memory.dmp
memory/4852-47-0x00000000027E0000-0x00000000027F2000-memory.dmp
memory/4852-49-0x00000000027E0000-0x00000000027F2000-memory.dmp
memory/4852-52-0x00000000027E0000-0x00000000027F2000-memory.dmp
memory/4852-53-0x00000000027E0000-0x00000000027F2000-memory.dmp
memory/4852-55-0x00000000027E0000-0x00000000027F2000-memory.dmp
memory/4852-57-0x00000000027E0000-0x00000000027F2000-memory.dmp
memory/4852-59-0x00000000027E0000-0x00000000027F2000-memory.dmp
memory/4852-60-0x0000000000400000-0x000000000071D000-memory.dmp
memory/4852-62-0x0000000000400000-0x000000000071D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rBB06s91.exe

MD5 a861e476e02115af16c52920cd406461
SHA1 dd2db8228aa78587c0678536d054492a9c026c3e
SHA256 76fdc75e94f6c0bc5fb8509dcf515d66f41e11df3705c72ae4adecfb93294de3
SHA512 88c296eea31d0f3035fafe67602d599b1918fb15a013460a48ea20018a19bcb8a9ee15234a68343fd5b6614829c4dacb69275d741cdc7b1c2c66300ae694382e

Memory dumps (PID 4424, rBB06s91.exe; ordered by dump index):
memory/4424-67-0x0000000002360000-0x00000000023A6000-memory.dmp
memory/4424-68-0x0000000002800000-0x0000000002844000-memory.dmp
memory/4424-69-0x0000000002800000-0x000000000283E000-memory.dmp
memory/4424-70-0x0000000002800000-0x000000000283E000-memory.dmp
memory/4424-72-0x0000000002800000-0x000000000283E000-memory.dmp
memory/4424-74-0x0000000002800000-0x000000000283E000-memory.dmp
memory/4424-76-0x0000000002800000-0x000000000283E000-memory.dmp
memory/4424-78-0x0000000002800000-0x000000000283E000-memory.dmp
memory/4424-80-0x0000000002800000-0x000000000283E000-memory.dmp
memory/4424-82-0x0000000002800000-0x000000000283E000-memory.dmp
memory/4424-84-0x0000000002800000-0x000000000283E000-memory.dmp
memory/4424-86-0x0000000002800000-0x000000000283E000-memory.dmp
memory/4424-88-0x0000000002800000-0x000000000283E000-memory.dmp
memory/4424-90-0x0000000002800000-0x000000000283E000-memory.dmp
memory/4424-93-0x0000000002800000-0x000000000283E000-memory.dmp
memory/4424-94-0x0000000002800000-0x000000000283E000-memory.dmp
memory/4424-96-0x0000000002800000-0x000000000283E000-memory.dmp
memory/4424-98-0x0000000002800000-0x000000000283E000-memory.dmp
memory/4424-100-0x0000000002800000-0x000000000283E000-memory.dmp
memory/4424-102-0x0000000002800000-0x000000000283E000-memory.dmp
memory/4424-975-0x0000000005360000-0x0000000005978000-memory.dmp
memory/4424-976-0x0000000005A00000-0x0000000005B0A000-memory.dmp
memory/4424-977-0x0000000005B40000-0x0000000005B52000-memory.dmp
memory/4424-978-0x0000000005B60000-0x0000000005B9C000-memory.dmp
memory/4424-979-0x0000000005CB0000-0x0000000005CFC000-memory.dmp