Malware Analysis Report

2024-12-06 02:43

Sample ID 241110-ay3lqsylbn
Target 70a43af38d2e6a88a61517343c7d551da214f8adfaf0e84fa23c4cdce2149250
SHA256 70a43af38d2e6a88a61517343c7d551da214f8adfaf0e84fa23c4cdce2149250
Tags
healer redline rumfa discovery dropper evasion infostealer persistence trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

70a43af38d2e6a88a61517343c7d551da214f8adfaf0e84fa23c4cdce2149250

Threat Level: Known bad

The file 70a43af38d2e6a88a61517343c7d551da214f8adfaf0e84fa23c4cdce2149250 was found to be: Known bad.

Malicious Activity Summary

healer redline rumfa discovery dropper evasion infostealer persistence trojan

RedLine payload

Healer family

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

RedLine

Redline family

Healer

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:38

Reported

2024-11-10 00:40

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\70a43af38d2e6a88a61517343c7d551da214f8adfaf0e84fa23c4cdce2149250.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buDv25sm57.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buDv25sm57.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buDv25sm57.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buDv25sm57.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buDv25sm57.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buDv25sm57.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buDv25sm57.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\70a43af38d2e6a88a61517343c7d551da214f8adfaf0e84fa23c4cdce2149250.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plyN02bs41.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plMm51FR13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plKv25bP68.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plph32cs45.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\70a43af38d2e6a88a61517343c7d551da214f8adfaf0e84fa23c4cdce2149250.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plyN02bs41.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plMm51FR13.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plKv25bP68.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plph32cs45.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caCs31BO17.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buDv25sm57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buDv25sm57.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buDv25sm57.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caCs31BO17.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4532 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\70a43af38d2e6a88a61517343c7d551da214f8adfaf0e84fa23c4cdce2149250.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plyN02bs41.exe
PID 4532 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\70a43af38d2e6a88a61517343c7d551da214f8adfaf0e84fa23c4cdce2149250.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plyN02bs41.exe
PID 4532 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\70a43af38d2e6a88a61517343c7d551da214f8adfaf0e84fa23c4cdce2149250.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plyN02bs41.exe
PID 4072 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plyN02bs41.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plMm51FR13.exe
PID 4072 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plyN02bs41.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plMm51FR13.exe
PID 4072 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plyN02bs41.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plMm51FR13.exe
PID 2916 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plMm51FR13.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plKv25bP68.exe
PID 2916 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plMm51FR13.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plKv25bP68.exe
PID 2916 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plMm51FR13.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plKv25bP68.exe
PID 1368 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plKv25bP68.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plph32cs45.exe
PID 1368 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plKv25bP68.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plph32cs45.exe
PID 1368 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plKv25bP68.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plph32cs45.exe
PID 2684 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plph32cs45.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buDv25sm57.exe
PID 2684 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plph32cs45.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buDv25sm57.exe
PID 2684 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plph32cs45.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caCs31BO17.exe
PID 2684 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plph32cs45.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caCs31BO17.exe
PID 2684 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plph32cs45.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caCs31BO17.exe

Processes

C:\Users\Admin\AppData\Local\Temp\70a43af38d2e6a88a61517343c7d551da214f8adfaf0e84fa23c4cdce2149250.exe

"C:\Users\Admin\AppData\Local\Temp\70a43af38d2e6a88a61517343c7d551da214f8adfaf0e84fa23c4cdce2149250.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plyN02bs41.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plyN02bs41.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plMm51FR13.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plMm51FR13.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plKv25bP68.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plKv25bP68.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plph32cs45.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plph32cs45.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buDv25sm57.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buDv25sm57.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caCs31BO17.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caCs31BO17.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
RU 193.233.20.24:4123 N/A tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
RU 193.233.20.24:4123 N/A tcp
RU 193.233.20.24:4123 N/A tcp
RU 193.233.20.24:4123 N/A tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
RU 193.233.20.24:4123 N/A tcp
RU 193.233.20.24:4123 N/A tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plyN02bs41.exe

MD5 e0c35602be7da19803cb89c11e4c6e39
SHA1 aa7566ee524b765bb787a396a949ffcbbadf5b23
SHA256 98b512fca8b1ad10b9d8fa9e1b2499048a7e9130052b9be6574ad5e60219b7df
SHA512 5d2c4b28631670482bbabd627b71569d42efc5bd70c2ee32e75e39b9e8795718b570face65ae36a3dc78b2624a6b257eb8ec0203cafefd454fcbc31ed5d55415

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plMm51FR13.exe

MD5 91a3839a7ac86cc0104916d1e9f6fc24
SHA1 25f621d58d798d4487b847b8e64b91e5235a36a2
SHA256 7271dc29643f1752c641ab335d895ac3c33b478c1cbc330bd101a70d35eb3258
SHA512 106d13a1e7378474a9dbd842f09f193adc90f53f3a42c272d760d624f612d98fbcdbb96420ed2b57412c03b99ac0ca630bf295d54b0066484b1672972dc9ae10

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plKv25bP68.exe

MD5 44aee835bf016de29e3dc03dfbb3ed2c
SHA1 7e6b255d0991ead4926726771fbff85abcb31229
SHA256 fb1811659550bb0ccc6d8cbf027b6bd3bc17db5503cee776ae6c9d1b3436851b
SHA512 ac7ea9d8d531402ba7914e6d18a4cc96013d93aef3d347af0b47ce3d6c6a2990e3fa1ff11af609fadc743b073dac767e0f57ef701f3385f7bdbe5b716a29c446

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plph32cs45.exe

MD5 1dc7c8e54178cd0538ba61b01087affe
SHA1 10376dcd765f0450fc488de4e14cfd36ec6406af
SHA256 6943ab5b1d4a95bf1de8d82907b49e7a8da793e24765273b6eaf693a62519cf1
SHA512 2f6e85e1b08d25ef45c62d426ea43b84125324c107204de2f7ac4d1696b83f3f4fcc14c0a041eee58b921b13d06472a0544f3d8947a2fe866c2ed880128970f0

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buDv25sm57.exe

MD5 cdabe16419916af7392f3c86e413e9eb
SHA1 e70006f38cee3304a5fdb83b4ac23e5b99a1dd79
SHA256 0a3f2e1c58f4948d8d41c202cfd80757f988cef7a2cfe2a88bcc7f0e5ea4d352
SHA512 50d50c1454227de4fdc7b527b62ed5d378fbeccfbdcb1a7d929495ecb0dc87479dd51fcaf6a53c40fc218c3dc8a0d4a543da1a1ea30dcf511ee4c11e161000cb

memory/2028-35-0x0000000000100000-0x000000000010A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caCs31BO17.exe

MD5 47b1a20db297f70b1d9db60ea51d14d9
SHA1 b55664710122138d23e0e295dcade2b9aea41120
SHA256 80aab4a4c16d1ab74369c2914ab0348c3ab3b600ee7d40eda315a18bda1cd287
SHA512 e9924f8f89b8268c2d88d427727cacecffee75358583934131150fd73a1372ca65e0159cb221f718a19f2386cfa2905f46d58cd19a4ed63b5f98f073c3753288

memory/468-41-0x0000000004C00000-0x0000000004C46000-memory.dmp

memory/468-42-0x00000000072E0000-0x0000000007884000-memory.dmp

memory/468-43-0x0000000007200000-0x0000000007244000-memory.dmp

memory/468-53-0x0000000007200000-0x000000000723E000-memory.dmp

memory/468-59-0x0000000007200000-0x000000000723E000-memory.dmp

memory/468-105-0x0000000007200000-0x000000000723E000-memory.dmp

memory/468-103-0x0000000007200000-0x000000000723E000-memory.dmp

memory/468-101-0x0000000007200000-0x000000000723E000-memory.dmp

memory/468-99-0x0000000007200000-0x000000000723E000-memory.dmp

memory/468-97-0x0000000007200000-0x000000000723E000-memory.dmp

memory/468-95-0x0000000007200000-0x000000000723E000-memory.dmp

memory/468-93-0x0000000007200000-0x000000000723E000-memory.dmp

memory/468-91-0x0000000007200000-0x000000000723E000-memory.dmp

memory/468-87-0x0000000007200000-0x000000000723E000-memory.dmp

memory/468-85-0x0000000007200000-0x000000000723E000-memory.dmp

memory/468-83-0x0000000007200000-0x000000000723E000-memory.dmp

memory/468-81-0x0000000007200000-0x000000000723E000-memory.dmp

memory/468-79-0x0000000007200000-0x000000000723E000-memory.dmp

memory/468-77-0x0000000007200000-0x000000000723E000-memory.dmp

memory/468-75-0x0000000007200000-0x000000000723E000-memory.dmp

memory/468-71-0x0000000007200000-0x000000000723E000-memory.dmp

memory/468-69-0x0000000007200000-0x000000000723E000-memory.dmp

memory/468-67-0x0000000007200000-0x000000000723E000-memory.dmp

memory/468-65-0x0000000007200000-0x000000000723E000-memory.dmp

memory/468-63-0x0000000007200000-0x000000000723E000-memory.dmp

memory/468-61-0x0000000007200000-0x000000000723E000-memory.dmp

memory/468-57-0x0000000007200000-0x000000000723E000-memory.dmp

memory/468-55-0x0000000007200000-0x000000000723E000-memory.dmp

memory/468-51-0x0000000007200000-0x000000000723E000-memory.dmp

memory/468-49-0x0000000007200000-0x000000000723E000-memory.dmp

memory/468-107-0x0000000007200000-0x000000000723E000-memory.dmp

memory/468-89-0x0000000007200000-0x000000000723E000-memory.dmp

memory/468-73-0x0000000007200000-0x000000000723E000-memory.dmp

memory/468-47-0x0000000007200000-0x000000000723E000-memory.dmp

memory/468-45-0x0000000007200000-0x000000000723E000-memory.dmp

memory/468-44-0x0000000007200000-0x000000000723E000-memory.dmp

memory/468-950-0x0000000007890000-0x0000000007EA8000-memory.dmp

memory/468-951-0x0000000007EB0000-0x0000000007FBA000-memory.dmp

memory/468-952-0x0000000007FE0000-0x0000000007FF2000-memory.dmp

memory/468-953-0x0000000008000000-0x000000000803C000-memory.dmp

memory/468-954-0x0000000008150000-0x000000000819C000-memory.dmp