Malware Analysis Report

2024-12-06 02:43

Sample ID 241110-axyw6avlfz
Target 96ab490a6915c568999669ee3eacd0568c2e8152a56f9fb3e0305104ad8f553d
SHA256 96ab490a6915c568999669ee3eacd0568c2e8152a56f9fb3e0305104ad8f553d
Tags healer redline discovery dropper evasion infostealer persistence trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

96ab490a6915c568999669ee3eacd0568c2e8152a56f9fb3e0305104ad8f553d

Threat Level: Known bad

The file 96ab490a6915c568999669ee3eacd0568c2e8152a56f9fb3e0305104ad8f553d was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

RedLine

Modifies Windows Defender Real-time Protection settings

RedLine payload

Detects Healer, an antivirus disabler dropper

Healer

Healer family

Redline family

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:36

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:36

Reported

2024-11-10 00:38

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\96ab490a6915c568999669ee3eacd0568c2e8152a56f9fb3e0305104ad8f553d.exe"

Signatures

Detects Healer, an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr340612.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr340612.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr340612.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr340612.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr340612.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr340612.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr340612.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr340612.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\96ab490a6915c568999669ee3eacd0568c2e8152a56f9fb3e0305104ad8f553d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un772821.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un029751.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\96ab490a6915c568999669ee3eacd0568c2e8152a56f9fb3e0305104ad8f553d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un772821.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un029751.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr340612.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu441119.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr340612.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr340612.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr340612.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu441119.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 220 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\96ab490a6915c568999669ee3eacd0568c2e8152a56f9fb3e0305104ad8f553d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un772821.exe
PID 220 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\96ab490a6915c568999669ee3eacd0568c2e8152a56f9fb3e0305104ad8f553d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un772821.exe
PID 220 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\96ab490a6915c568999669ee3eacd0568c2e8152a56f9fb3e0305104ad8f553d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un772821.exe
PID 1032 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un772821.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un029751.exe
PID 1032 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un772821.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un029751.exe
PID 1032 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un772821.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un029751.exe
PID 3376 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un029751.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr340612.exe
PID 3376 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un029751.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr340612.exe
PID 3376 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un029751.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr340612.exe
PID 3376 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un029751.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu441119.exe
PID 3376 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un029751.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu441119.exe
PID 3376 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un029751.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu441119.exe

Processes

C:\Users\Admin\AppData\Local\Temp\96ab490a6915c568999669ee3eacd0568c2e8152a56f9fb3e0305104ad8f553d.exe

"C:\Users\Admin\AppData\Local\Temp\96ab490a6915c568999669ee3eacd0568c2e8152a56f9fb3e0305104ad8f553d.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un772821.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un772821.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un029751.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un029751.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr340612.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr340612.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu441119.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu441119.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
RU 185.161.248.152:38452 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
RU 185.161.248.152:38452 tcp
RU 185.161.248.152:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un772821.exe

MD5 a41c37c56bd282da8d108a85552cfd11
SHA1 3d1d5a838fecfd9ec7b0af37c07f783bb5debf9c
SHA256 518900486ca5e9a3eb2b68b3df559dd3dfec5f73a2394e1cc84b0377a5938504
SHA512 9967a4682d7ce1b2419eb2d3ec6d5cdbc1c098660ba0255af2ca27cd35d0cf789bb58335d4e7b93415a29e5506a383b002bba2e963887201121a6e9d362ca4d0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un029751.exe

MD5 f3cf892202f58c8b177f6b0a5b45848b
SHA1 cea90c4ad8b1ea9268eefd7630e2900328816839
SHA256 2fd29187fa80aa3f3b2e52f867630d3bfb2bd7a47b6de783cfbddaf1b23bd6b1
SHA512 0999438379365b6d1173f7c96d96128a676edd39081731b6f8e7a17f483e756718bec62cf24770bfbd74b18a9244fca6f3aed5f30cf021234d7e9f51f2bdcda3

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr340612.exe

MD5 482f9a5a5c6f9f2b76371fcf44c11c54
SHA1 6e8fb9cebb884ab6aed31a87ca1dca29259e7e38
SHA256 10ec01cc9bd044da76c5ede924f9ec4f03f3f02a78de5d2875604ec1e0d2d68f
SHA512 89cef9525b27bba8c7e410d4fff7ef3222600a366bf926065c8abf230657546191b86b6372df4bf6f449d88e7156e81dc3c24ab05962cff65ccf989a96e91519

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu441119.exe

MD5 64a477ec3cc2039defeb2076dc4bb159
SHA1 30edce6b5b48786c56d298674bf21d346b4201d2
SHA256 e5eef83041278dbf3fcfed0e45ce4bcff815519dc95201b69084893214e4969d
SHA512 f51561f8b3fd05f1ec206a6ba55730fefbc0c01654ba2598e03815ac924ae7de2b556e0d6e34bec821ec4ad802b5584b074b1a2dbdb46c720b8ac260f468aa26
