Malware Analysis Report

2024-12-06 02:43

Sample ID 241110-axrsvaykhr
Target e902bcea836127c9115baa5f7b32124d4b562b4e944e6165ec76b8206ed6eff8N
SHA256 e902bcea836127c9115baa5f7b32124d4b562b4e944e6165ec76b8206ed6eff8
Tags
healer redline boris discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e902bcea836127c9115baa5f7b32124d4b562b4e944e6165ec76b8206ed6eff8

Threat Level: Known bad

The file e902bcea836127c9115baa5f7b32124d4b562b4e944e6165ec76b8206ed6eff8N was found to be: Known bad.

Malicious Activity Summary

healer redline boris discovery dropper evasion infostealer persistence trojan

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Detects Healer, an antivirus-disabler dropper

Healer family

Redline family

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Enterprise Matrix V15

Techniques mapped from the signatures recorded in this report:

T1562.001 Impair Defenses: Disable or Modify Tools (Windows Defender Real-Time Protection policies and TamperProtection written by pro4034.exe)

T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (RunOnce values)

T1614.001 System Location Discovery: System Language Discovery (reads of the NLS\Language key)

T1057 Process Discovery (process enumeration by pro4034.exe)

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:35

Signatures

Unsigned PE

Description Indicator Process Target
No indicator details recorded (the rule fires on the absence of an Authenticode signature on the submitted PE).

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:35

Reported

2024-11-10 00:37

Platform

win10v2004-20241007-en

Max time kernel

114s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e902bcea836127c9115baa5f7b32124d4b562b4e944e6165ec76b8206ed6eff8N.exe"

Signatures

Detects Healer, an antivirus-disabler dropper

Description Indicator Process Target
17 rule matches; the report records no indicator, process or target details for them.

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4034.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4034.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4034.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4034.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4034.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4034.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
20 rule matches; the report records no indicator, process or target details for them.

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4034.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4034.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\e902bcea836127c9115baa5f7b32124d4b562b4e944e6165ec76b8206ed6eff8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6560.exe N/A
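
The registry rows in the three tables above (Real-Time Protection policies, TamperProtection, and the RunOnce values) are exactly what a registry-write detection should key on. The script below is an added example, not part of the sandbox report: it parses rows in the report's own "Set value / Key created" format, folds the WOW6432Node view away so the same rule matches the native 64-bit key on a real host, and tags Defender real-time-protection kill switches, the TamperProtection write, and wextract.exe's cleanup RunOnce entry. The sample rows are copied from the tables above; the final row (a hypothetical example.exe writing an ordinary Run value) is constructed as a negative case. A practitioner should note that on a host where Defender's Tamper Protection is on, the policy writes are designed to be ignored, so the write attempt from a process under %TEMP% is the signal, not the resulting state.

```python
import re
from collections import Counter

# Indicator rows copied from the behavioral1 signature tables of this report.
# The last row is constructed: a hypothetical example.exe writing an ordinary
# Run value, so the classifier has a negative case.
TMP = r"C:\Users\Admin\AppData\Local\Temp"
PRO = TMP + r"\IXP001.TMP\pro4034.exe"
RTP_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft"
           r"\Windows Defender\Real-Time Protection")
FEATURES_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features"
RUNONCE_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
RUN_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
# wextract.exe's own cleanup command, as the sandbox logs it (escaped).
CLEANUP = (r'"rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 '
           r'\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{}\\\""')

SAMPLE_ROWS = [
    f'Set value (int) {RTP_KEY}\\DisableRealtimeMonitoring = "1" {PRO} N/A',
    f'Set value (int) {RTP_KEY}\\DisableScanOnRealtimeEnable = "1" {PRO} N/A',
    f'Key created {RTP_KEY} {PRO} N/A',
    f'Set value (int) {RTP_KEY}\\DisableBehaviorMonitoring = "1" {PRO} N/A',
    f'Set value (int) {RTP_KEY}\\DisableIOAVProtection = "1" {PRO} N/A',
    f'Set value (int) {RTP_KEY}\\DisableOnAccessProtection = "1" {PRO} N/A',
    f'Key created {FEATURES_KEY} {PRO} N/A',
    f'Set value (int) {FEATURES_KEY}\\TamperProtection = "0" {PRO} N/A',
    f'Set value (str) {RUNONCE_KEY}\\wextract_cleanup0 = {CLEANUP.format("IXP000.TMP")} '
    + TMP + r'\e902bcea836127c9115baa5f7b32124d4b562b4e944e6165ec76b8206ed6eff8N.exe N/A',
    f'Set value (str) {RUNONCE_KEY}\\wextract_cleanup1 = {CLEANUP.format("IXP001.TMP")} '
    + TMP + r'\IXP000.TMP\unio6560.exe N/A',
    # constructed negative case (hypothetical process and value)
    "Set value (str) " + RUN_KEY + r'\Updater = "C:\\Program Files\\Example\\updater.exe" '
    + TMP + r'\example.exe N/A',
]

# One row: "<op> <registry path>[ = "<value>"] <process|N/A> <target>"
ROW_RE = re.compile(
    r'^(?P<op>Set value \((?P<type>\w+)\)|Key created|Key opened) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>.*?)")?'
    r' (?P<process>C:\\\S+|N/A) (?P<target>\S+)$'
)

# Real-Time Protection policy values that each switch off a Defender component.
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
    "DisableIOAVProtection", "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable",
}


def parse_row(line):
    """Split one report row into op/path/value/process and derive key and value name."""
    m = ROW_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    row = m.groupdict()
    # The sandbox logs the 32-bit process's view of the registry; drop the
    # WOW6432Node component so the rule also matches the native 64-bit key.
    path = row["path"].replace(r"\WOW6432Node", "")
    row["key"], _, row["name"] = path.rpartition("\\")
    return row


def classify(row):
    """Return a detection tag for a parsed row, or None if it is not interesting."""
    if not row["op"].startswith("Set value"):
        return None
    key, name, value = row["key"].lower(), row["name"], row["value"] or ""
    if (key.endswith(r"\policies\microsoft\windows defender\real-time protection")
            and name in RTP_DISABLE_VALUES and value == "1"):
        return "defender_rtp_disabled"
    if (key.endswith(r"\microsoft\windows defender\features")
            and name == "TamperProtection" and value == "0"):
        return "defender_tamper_protection_off"
    # wextract.exe (IExpress SFX) schedules deletion of its IXPnnn.TMP directory
    # this way; it marks an SFX wrapper rather than malware-authored persistence.
    if (key.endswith(r"\currentversion\runonce")
            and re.fullmatch(r"wextract_cleanup\d+", name)
            and "advpack.dll,DelNodeRunDLL32" in value):
        return "wextract_sfx_cleanup"
    return None


def scan(lines):
    """Parse and classify every row; return only the rows that got a tag."""
    hits = []
    for row in map(parse_row, lines):
        tag = classify(row)
        if tag:
            hits.append({"tag": tag, "name": row["name"],
                         "value": row["value"], "process": row["process"]})
    return hits


def summarize(lines):
    """Tag -> number of matching rows, as a plain dict."""
    return dict(Counter(hit["tag"] for hit in scan(lines)))


if __name__ == "__main__":
    for hit in scan(SAMPLE_ROWS):
        print(f'{hit["tag"]:32} {hit["name"]:28} {hit["process"]}')
    print(summarize(SAMPLE_ROWS))
```

Run against the rows above it reports five real-time-protection switches and one TamperProtection write, all from pro4034.exe, plus the two SFX cleanup entries; the constructed Run value produces no hit.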

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4034.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7364.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e902bcea836127c9115baa5f7b32124d4b562b4e944e6165ec76b8206ed6eff8N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6560.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4034.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4034.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4034.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7364.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3124 wrote to memory of 4512 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\e902bcea836127c9115baa5f7b32124d4b562b4e944e6165ec76b8206ed6eff8N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6560.exe
PID 4512 wrote to memory of 4376 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6560.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4034.exe
PID 4512 wrote to memory of 4440 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6560.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7364.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e902bcea836127c9115baa5f7b32124d4b562b4e944e6165ec76b8206ed6eff8N.exe (PID 3124)

"C:\Users\Admin\AppData\Local\Temp\e902bcea836127c9115baa5f7b32124d4b562b4e944e6165ec76b8206ed6eff8N.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6560.exe (PID 4512)

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6560.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4034.exe (PID 4376)

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4034.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4376 -ip 4376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 1088

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7364.exe (PID 4440)

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7364.exe

PIDs are taken from the WriteProcessMemory table above. The IXP000.TMP and IXP001.TMP directories and the wextract_cleanup RunOnce values are created by wextract.exe, the Windows self-extracting cabinet stub: the submitted file is an SFX that drops unio6560.exe, itself an SFX that drops pro4034.exe (the component behind the Defender-tampering rows above) and qu7364.exe. Both WerFault.exe instances were started for PID 4376, so it is pro4034.exe that crashed; that is the "Program crash" entry in the summary.
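
The process list and the WriteProcessMemory rows together describe a two-layer SFX unpacking chain. The script below is an added example (not part of the sandbox report) that rebuilds the parent/child tree from rows in the report's "PID X wrote to memory of Y" format, collapsing the three writes the sandbox logs per child, derives each process's unpack level from the IXP<nnn>.TMP directory that wextract.exe creates per layer, and marks the PID that WerFault.exe was started for. The rows and command lines are copies of the ones above; the output format is the example's own.

```python
import re
from collections import defaultdict

TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TMP + r"\e902bcea836127c9115baa5f7b32124d4b562b4e944e6165ec76b8206ed6eff8N.exe"
UNIO = TMP + r"\IXP000.TMP\unio6560.exe"
PRO = TMP + r"\IXP001.TMP\pro4034.exe"
QU = TMP + r"\IXP001.TMP\qu7364.exe"

# Rows copied from the WriteProcessMemory table of this report; the sandbox
# records three writes per child, which build_tree() collapses.
WPM_ROWS = (
    [f"PID 3124 wrote to memory of 4512 N/A {SAMPLE} {UNIO}"] * 3
    + [f"PID 4512 wrote to memory of 4376 N/A {UNIO} {PRO}"] * 3
    + [f"PID 4512 wrote to memory of 4440 N/A {UNIO} {QU}"] * 3
)
# Command lines copied from the Processes section of this report.
CMDLINES = [
    f'"{SAMPLE}"',
    UNIO,
    PRO,
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4376 -ip 4376",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 1088",
    QU,
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
# wextract.exe unpacks layer n into IXP00n.TMP under %TEMP%.
IXP_RE = re.compile(r"\\IXP(\d{3})\.TMP\\", re.IGNORECASE)
# WerFault's -p argument is the PID of the process being reported as crashed.
WERFAULT_RE = re.compile(r"WerFault\.exe\b.*?\s-p\s+(\d+)", re.IGNORECASE)


def build_tree(rows):
    """Return (children, names): parent PID -> ordered child PIDs, PID -> image path."""
    children, names = defaultdict(list), {}
    for line in rows:
        m = WPM_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        parent, child = int(m.group(1)), int(m.group(2))
        names.setdefault(parent, m.group(3))
        names.setdefault(child, m.group(4))
        if child not in children[parent]:      # collapse repeated writes
            children[parent].append(child)
    return children, names


def unpack_level(path):
    """0 for the submitted file, n+1 for an image dropped into IXP00n.TMP."""
    m = IXP_RE.search(path)
    return int(m.group(1)) + 1 if m else 0


def crashed_pids(cmdlines):
    """PIDs that WerFault.exe was launched for."""
    return {int(m.group(1)) for m in map(WERFAULT_RE.search, cmdlines) if m}


def roots(children):
    """Parents that never appear as a child."""
    all_children = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in all_children]


def walk(children, pid, depth=0):
    """Depth-first traversal yielding (pid, depth)."""
    yield pid, depth
    for child in children.get(pid, []):
        yield from walk(children, child, depth + 1)


def render(rows, cmdlines):
    """Indented tree with image name, unpack level and crash marker per process."""
    children, names = build_tree(rows)
    crashed = crashed_pids(cmdlines)
    lines = []
    for root in roots(children):
        for pid, depth in walk(children, root):
            image = names[pid].rsplit("\\", 1)[-1]
            note = f" [crashed: WerFault -p {pid}]" if pid in crashed else ""
            lines.append(f"{'  ' * depth}{pid} {image} "
                         f"(unpack level {unpack_level(names[pid])}){note}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(WPM_ROWS, CMDLINES))
```

The rendered tree shows 3124 at level 0, unio6560.exe at level 1, and pro4034.exe and qu7364.exe side by side at level 2, with pro4034.exe carrying the crash marker.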

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
RU 193.233.20.32:4125 - tcp (13 connections, interleaved with the lookups above)
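
The network table mixes two kinds of rows: PTR queries sent to the resolver (the in-addr.arpa names) and direct TCP connections to one endpoint. The report attributes no process to any connection, so 193.233.20.32:4125 is the only candidate command-and-control endpoint here, and which dropped component uses it is not established by this report. The script below is an added example, not part of the sandbox report: it parses rows in the table's format, decodes each reverse-lookup name back to the address being looked up (useful for separating guest background traffic from the sample's own endpoint), counts direct connections per endpoint, and emits a Suricata rule per endpoint. The rows are a copy of the table above; the rule text, its msg and the sid numbers (local-range placeholders) are the example's own.

```python
import re
from collections import Counter

# Rows copied from the Network table of this report (the TCP row appears
# 13 times in the original, at the positions reproduced here).
NETWORK_ROWS = [
    "US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp",
    "US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp",
    "US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp",
    "RU 193.233.20.32:4125 tcp",
    "RU 193.233.20.32:4125 tcp",
    "US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp",
    "RU 193.233.20.32:4125 tcp",
    "US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp",
    "RU 193.233.20.32:4125 tcp",
    "US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp",
] + ["RU 193.233.20.32:4125 tcp"] * 6 + [
    "US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp",
] + ["RU 193.233.20.32:4125 tcp"] * 3

# "<CC> <ip>:<port> [<domain>] <tcp|udp>"; a "-" in the domain column counts as absent.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)
PTR_RE = re.compile(r"((?:\d{1,3}\.){4})in-addr\.arpa\.?", re.IGNORECASE)


def ptr_to_ip(name):
    """'13.86.106.20.in-addr.arpa' -> '20.106.86.13'; None if not a reverse name."""
    m = PTR_RE.fullmatch(name)
    if not m:
        return None
    return ".".join(reversed(m.group(1).rstrip(".").split(".")))


def parse_rows(rows):
    """Parse every row into a dict; raise on anything the table format does not allow."""
    parsed = []
    for line in rows:
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        row = m.groupdict()
        row["port"] = int(row["port"])
        if row["domain"] == "-":
            row["domain"] = None
        parsed.append(row)
    return parsed


def summarize(rows):
    """Split DNS lookups (decoded to the address looked up) from direct connections."""
    direct, lookups = Counter(), []
    for row in parse_rows(rows):
        if row["port"] == 53 and row["domain"]:
            lookups.append(ptr_to_ip(row["domain"]) or row["domain"])
        else:
            direct[(row["ip"], row["port"], row["proto"])] += 1
    return {"direct_connections": dict(direct), "reverse_lookups": lookups}


def suricata_rules(rows, sid_base=1000001):
    """One alert per direct endpoint; sid values are placeholders in the local range."""
    rules = []
    endpoints = sorted(summarize(rows)["direct_connections"].items())
    for i, ((ip, port, proto), count) in enumerate(endpoints):
        rules.append(
            f'alert {proto} $HOME_NET any -> {ip} {port} '
            f'(msg:"Sandbox-derived IOC {ip}:{port} ({count} connections in report)"; '
            f'sid:{sid_base + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    summary = summarize(NETWORK_ROWS)
    print("reverse lookups for:", ", ".join(summary["reverse_lookups"]))
    for endpoint, count in summary["direct_connections"].items():
        print("direct:", endpoint, "x", count)
    print("\n".join(suricata_rules(NETWORK_ROWS)))
```

The seven reverse lookups decode to 20.106.86.13, 20.190.159.64, 192.229.221.95, 4.245.163.56, 20.3.187.198, 52.167.249.196 and 52.111.229.43; none of them is a connection by the sample, so the rule set collapses to a single alert on 193.233.20.32:4125/tcp.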

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6560.exe

MD5 c88970bedcb54132e04aa6b263bc5f07
SHA1 ee086bafb4da08aaa0a1a9ecd20f788ae1294770
SHA256 f71c57cfbcc023873591ec8810ad788e2e77d52c39877fc7f8fba66a4b69cc31
SHA512 3b1225064c7bbdf5ce0c51cc88344930f3bb0456013835dba4ee7afb650396098951a1e41d7c9b70aa4d5077ae31a553c82ae30989cb4d81e30db024b09890da

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4034.exe

MD5 5050774ed048776ea4b01878f52a87b3
SHA1 064eb7236d29814c00d33c991d41020dda121a4f
SHA256 bb61722f37cef52af74a7bbdeb3d3e3bff4d3e72bfc11d3fb7a384b978272c31
SHA512 06c0a540afdbb350ec63e0219c976821b4c5607c23b3b667c3eb842e3aff5087eff011714149696e3d1c5a2d403cd0dc7367d8fd72b2dd251ce9171aa85d2656

memory/4376-15-0x0000000002E80000-0x0000000002F80000-memory.dmp

memory/4376-16-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4376-17-0x0000000002E50000-0x0000000002E6A000-memory.dmp

memory/4376-18-0x0000000007290000-0x0000000007834000-memory.dmp

memory/4376-19-0x0000000007250000-0x0000000007268000-memory.dmp

memory/4376-20-0x0000000000400000-0x0000000002B7F000-memory.dmp

memory/4376-48-0x0000000007250000-0x0000000007262000-memory.dmp

memory/4376-46-0x0000000007250000-0x0000000007262000-memory.dmp

memory/4376-44-0x0000000007250000-0x0000000007262000-memory.dmp

memory/4376-42-0x0000000007250000-0x0000000007262000-memory.dmp

memory/4376-40-0x0000000007250000-0x0000000007262000-memory.dmp

memory/4376-38-0x0000000007250000-0x0000000007262000-memory.dmp

memory/4376-36-0x0000000007250000-0x0000000007262000-memory.dmp

memory/4376-34-0x0000000007250000-0x0000000007262000-memory.dmp

memory/4376-32-0x0000000007250000-0x0000000007262000-memory.dmp

memory/4376-30-0x0000000007250000-0x0000000007262000-memory.dmp

memory/4376-28-0x0000000007250000-0x0000000007262000-memory.dmp

memory/4376-26-0x0000000007250000-0x0000000007262000-memory.dmp

memory/4376-24-0x0000000007250000-0x0000000007262000-memory.dmp

memory/4376-22-0x0000000007250000-0x0000000007262000-memory.dmp

memory/4376-21-0x0000000007250000-0x0000000007262000-memory.dmp

memory/4376-49-0x0000000002E80000-0x0000000002F80000-memory.dmp

memory/4376-50-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4376-51-0x0000000000400000-0x0000000002B7F000-memory.dmp

memory/4376-54-0x0000000000400000-0x0000000002B7F000-memory.dmp

memory/4376-55-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7364.exe

MD5 b85b921104bbbc288cb8cbef7ac2a176
SHA1 5063ba0e00f8ba6f9ded961ca0fcc6d90e018688
SHA256 1c5156f4ebbf29ddc321aa290995d33aeba1df9360a684bf0cc469d6b1a41b42
SHA512 939222141da4fd0ca8b9491c4e612fbd8ce9315df775d55ab55736f715c91ff98217ef355c72486289b94f55a873cbb7eaa598b1f7f91b138240f73666f7bdc8

memory/4440-60-0x0000000004C60000-0x0000000004CA6000-memory.dmp

memory/4440-61-0x0000000007190000-0x00000000071D4000-memory.dmp

memory/4440-81-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/4440-65-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/4440-63-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/4440-62-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/4440-95-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/4440-93-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/4440-91-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/4440-89-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/4440-87-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/4440-85-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/4440-83-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/4440-79-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/4440-77-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/4440-75-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/4440-73-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/4440-71-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/4440-69-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/4440-67-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/4440-968-0x0000000007960000-0x0000000007F78000-memory.dmp

memory/4440-969-0x0000000007FA0000-0x00000000080AA000-memory.dmp

memory/4440-970-0x00000000080E0000-0x00000000080F2000-memory.dmp

memory/4440-971-0x0000000008100000-0x000000000813C000-memory.dmp

memory/4440-972-0x0000000008250000-0x000000000829C000-memory.dmp