Malware Analysis Report

2024-12-06 02:43

Sample ID 241110-ay45kaylbp
Target 59d63b343e8bf5ab473d81e4be90a05917cd5170140ce4384196a3834977994d
SHA256 59d63b343e8bf5ab473d81e4be90a05917cd5170140ce4384196a3834977994d
Tags
healer redline sony discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

59d63b343e8bf5ab473d81e4be90a05917cd5170140ce4384196a3834977994d

Threat Level: Known bad

The file 59d63b343e8bf5ab473d81e4be90a05917cd5170140ce4384196a3834977994d was found to be: Known bad.

Malicious Activity Summary

healer redline sony discovery dropper evasion infostealer persistence trojan

Healer

Healer family

Modifies Windows Defender Real-time Protection settings

RedLine payload

Detects Healer, an antivirus disabler dropper

RedLine

Redline family

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:38

Reported

2024-11-10 00:40

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\59d63b343e8bf5ab473d81e4be90a05917cd5170140ce4384196a3834977994d.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\59d63b343e8bf5ab473d81e4be90a05917cd5170140ce4384196a3834977994d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un561695.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\59d63b343e8bf5ab473d81e4be90a05917cd5170140ce4384196a3834977994d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un561695.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9703.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9703.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1144 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\59d63b343e8bf5ab473d81e4be90a05917cd5170140ce4384196a3834977994d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un561695.exe
PID 1144 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\59d63b343e8bf5ab473d81e4be90a05917cd5170140ce4384196a3834977994d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un561695.exe
PID 1144 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\59d63b343e8bf5ab473d81e4be90a05917cd5170140ce4384196a3834977994d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un561695.exe
PID 3828 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un561695.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe
PID 3828 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un561695.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe
PID 3828 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un561695.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe
PID 3828 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un561695.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9703.exe
PID 3828 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un561695.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9703.exe
PID 3828 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un561695.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9703.exe

Processes

C:\Users\Admin\AppData\Local\Temp\59d63b343e8bf5ab473d81e4be90a05917cd5170140ce4384196a3834977994d.exe

"C:\Users\Admin\AppData\Local\Temp\59d63b343e8bf5ab473d81e4be90a05917cd5170140ce4384196a3834977994d.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un561695.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un561695.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3360 -ip 3360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 1020

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9703.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9703.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.33:4125 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
RU 193.233.20.33:4125 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 193.233.20.33:4125 tcp
RU 193.233.20.33:4125 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
RU 193.233.20.33:4125 tcp
RU 193.233.20.33:4125 tcp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un561695.exe

MD5 f4d5ed4dd5dec4d282cf0c038e6d145b
SHA1 8d78e0378ee3fd485cfde1829cb52f28f942b302
SHA256 a2ff79f31deafd7da7e9fd99abc0c837f1938c71da15a4cd4213104aa81906d3
SHA512 70ccc1b31087e5b7ef75c8dd3f2001c88e9c3fe1bdcbc20d8fb88bd9e5192fd40cda07c0e9d34e0246602b9f7dbe0eeccbd9f41d6a577276430c284d5c2bb264

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe

MD5 57cd27197396bb1efaefd85c129de708
SHA1 46493512f479e688d7b75249f308aea290ef5975
SHA256 7d7b13e6cc503a379ab9874d67f791f57dea7a108431b71d04db8efe3abd6b76
SHA512 9b26675486d69945efdfbbdbce3f158117ce35a496c9f68537e99765f79b002e530b9a769f22a7282661a4085b50089d2458256d9728f9cc58505f8276ffcaa6

memory/3360-15-0x0000000000940000-0x0000000000A40000-memory.dmp

memory/3360-17-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3360-16-0x0000000000850000-0x000000000087D000-memory.dmp

memory/3360-18-0x0000000000400000-0x0000000000710000-memory.dmp

memory/3360-19-0x0000000002570000-0x000000000258A000-memory.dmp

memory/3360-20-0x0000000004D40000-0x00000000052E4000-memory.dmp

memory/3360-21-0x0000000004C90000-0x0000000004CA8000-memory.dmp

memory/3360-22-0x0000000004C90000-0x0000000004CA2000-memory.dmp

memory/3360-49-0x0000000004C90000-0x0000000004CA2000-memory.dmp

memory/3360-48-0x0000000004C90000-0x0000000004CA2000-memory.dmp

memory/3360-45-0x0000000004C90000-0x0000000004CA2000-memory.dmp

memory/3360-44-0x0000000004C90000-0x0000000004CA2000-memory.dmp

memory/3360-41-0x0000000004C90000-0x0000000004CA2000-memory.dmp

memory/3360-39-0x0000000004C90000-0x0000000004CA2000-memory.dmp

memory/3360-37-0x0000000004C90000-0x0000000004CA2000-memory.dmp

memory/3360-35-0x0000000004C90000-0x0000000004CA2000-memory.dmp

memory/3360-33-0x0000000004C90000-0x0000000004CA2000-memory.dmp

memory/3360-31-0x0000000004C90000-0x0000000004CA2000-memory.dmp

memory/3360-27-0x0000000004C90000-0x0000000004CA2000-memory.dmp

memory/3360-25-0x0000000004C90000-0x0000000004CA2000-memory.dmp

memory/3360-23-0x0000000004C90000-0x0000000004CA2000-memory.dmp

memory/3360-29-0x0000000004C90000-0x0000000004CA2000-memory.dmp

memory/3360-50-0x0000000000940000-0x0000000000A40000-memory.dmp

memory/3360-51-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3360-55-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3360-54-0x0000000000400000-0x0000000000710000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9703.exe

MD5 64a066aeb20f1bcfe39b5661230e40d8
SHA1 9b6355f403800020ffe98d8391d554e64b20f793
SHA256 f7df0fadafc631d9201fdfb1ddd373a05e1eea8429ba99eb5ae285a2fee40936
SHA512 5eb1d9996f19a4515ce94dd5fa9f686eb21487f3d84a4d84951555ec923f63ea7cc48228b5b7e7ffa9c30885a8001686c87650a9884b003d44b58407729b9062

memory/1336-60-0x0000000004C70000-0x0000000004CB6000-memory.dmp

memory/1336-61-0x0000000004CF0000-0x0000000004D34000-memory.dmp

memory/1336-73-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/1336-77-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/1336-75-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/1336-71-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/1336-69-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/1336-67-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/1336-89-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/1336-65-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/1336-63-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/1336-62-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/1336-95-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/1336-93-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/1336-91-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/1336-87-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/1336-85-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/1336-83-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/1336-81-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/1336-79-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/1336-968-0x0000000005390000-0x00000000059A8000-memory.dmp

memory/1336-969-0x00000000059E0000-0x0000000005AEA000-memory.dmp

memory/1336-970-0x0000000005B20000-0x0000000005B32000-memory.dmp

memory/1336-971-0x0000000005B40000-0x0000000005B7C000-memory.dmp

memory/1336-972-0x0000000005CD0000-0x0000000005D1C000-memory.dmp