Malware Analysis Report

2024-12-06 02:43

Sample ID 241110-ayql6swamj
Target eb2b024f3cf020f0bc5e16f2801a5b6427cd55fbeec71a84f6c4494001033b17
SHA256 eb2b024f3cf020f0bc5e16f2801a5b6427cd55fbeec71a84f6c4494001033b17
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

eb2b024f3cf020f0bc5e16f2801a5b6427cd55fbeec71a84f6c4494001033b17

Threat Level: Known bad

The file eb2b024f3cf020f0bc5e16f2801a5b6427cd55fbeec71a84f6c4494001033b17 was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Redline family

Healer

Modifies Windows Defender Real-time Protection settings

RedLine payload

Detects Healer an antivirus disabler dropper

Healer family

RedLine

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:37

Reported

2024-11-10 00:40

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eb2b024f3cf020f0bc5e16f2801a5b6427cd55fbeec71a84f6c4494001033b17.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr259004.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr259004.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr259004.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr259004.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr259004.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr259004.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr259004.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziKS0509.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\eb2b024f3cf020f0bc5e16f2801a5b6427cd55fbeec71a84f6c4494001033b17.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eb2b024f3cf020f0bc5e16f2801a5b6427cd55fbeec71a84f6c4494001033b17.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziKS0509.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku241737.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr259004.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr259004.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku241737.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\eb2b024f3cf020f0bc5e16f2801a5b6427cd55fbeec71a84f6c4494001033b17.exe

"C:\Users\Admin\AppData\Local\Temp\eb2b024f3cf020f0bc5e16f2801a5b6427cd55fbeec71a84f6c4494001033b17.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziKS0509.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziKS0509.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr259004.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr259004.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku241737.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku241737.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziKS0509.exe

MD5 dc0d71bf9a02f9a3a3b1fef4e0e05017
SHA1 cdfb2382ad11f7db4e9e54e65e23d9b9648789be
SHA256 4eac5a3e91e1ae821fe627ec1a3b49a2e67a2a939efa6810501ed27de8af3468
SHA512 ac0241e240bd06fe1db993d09a2d454003b467733b79b3cb440e445dcb2da59d66283a37d5d0be9b6853bd096a192ae8e1cbc2c1669ff2e0f02d2e0976e21eb3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr259004.exe

MD5 a3d71b9db9a228e626df3b5448dbc524
SHA1 dd2ad4854f7c11066100938da37eca086361d2aa
SHA256 ef335f42bc51496098c0e43a8670e7bc724ca58dff29fd839c489f03c7cb038f
SHA512 f3a9eaa3155828b648e6d167d8f4d50a9b2f06e5eb3e5f5499738f299aaa04ed9aa17557fd7334176680ed3dd99b684433c8d0ada10c2fc1dff5e071e9dff1cf

memory/4508-14-0x00007FFCA4F93000-0x00007FFCA4F95000-memory.dmp

memory/4508-15-0x0000000000250000-0x000000000025A000-memory.dmp

memory/4508-16-0x00007FFCA4F93000-0x00007FFCA4F95000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku241737.exe

MD5 b4edb1a1dc8641e4633706e116ccd813
SHA1 2c180deda8bfefe89736a218b76f93a6b730c08d
SHA256 ea1115aea50b6cfa335d5d4c5cc7f2cb541782810bfee3193fc06850cc0cd714
SHA512 91113e688cc2814c068fd0dfd956d0240d6d17d61af7bc94e178656d3a97ba2d0e2557b28ebe327e7fcb93c9c59634c8f10d225d2c023c56ae6b28172185b3c2
