Malware Analysis Report

2024-12-06 02:43

Sample ID: 241110-azbjmsvmav
Target: 4d1a005e00413abeaa4f32646bf83cddd5a94ddef86dc7abb25cc1649e3e02ed
SHA256: 4d1a005e00413abeaa4f32646bf83cddd5a94ddef86dc7abb25cc1649e3e02ed
Tags: healer redline fud discovery dropper evasion infostealer persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 4d1a005e00413abeaa4f32646bf83cddd5a94ddef86dc7abb25cc1649e3e02ed

Threat Level: Known bad

The file 4d1a005e00413abeaa4f32646bf83cddd5a94ddef86dc7abb25cc1649e3e02ed was found to be: Known bad.

Malicious Activity Summary

Tags: healer redline fud discovery dropper evasion infostealer persistence trojan

Matched signatures:
RedLine payload
Detects Healer an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Redline family
Healer
Healer family
RedLine
Windows security modification
Executes dropped EXE
Adds Run key to start application
Launches sc.exe
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-10 00:38

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-10 00:38
Reported: 2024-11-10 00:41
Platform: win10v2004-20241007-en
Max time kernel: 143s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4d1a005e00413abeaa4f32646bf83cddd5a94ddef86dc7abb25cc1649e3e02ed.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf78aR01nm25.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf78aR01nm25.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf78aR01nm25.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf78aR01nm25.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf78aR01nm25.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf78aR01nm25.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (35 identical rows; no indicator details reported)

Redline family

redline

Windows security modification

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf78aR01nm25.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\4d1a005e00413abeaa4f32646bf83cddd5a94ddef86dc7abb25cc1649e3e02ed.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhuC3623xy.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4d1a005e00413abeaa4f32646bf83cddd5a94ddef86dc7abb25cc1649e3e02ed.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhuC3623xy.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf63Yo43Rm45.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf78aR01nm25.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf78aR01nm25.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf78aR01nm25.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf63Yo43Rm45.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4d1a005e00413abeaa4f32646bf83cddd5a94ddef86dc7abb25cc1649e3e02ed.exe

"C:\Users\Admin\AppData\Local\Temp\4d1a005e00413abeaa4f32646bf83cddd5a94ddef86dc7abb25cc1649e3e02ed.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhuC3623xy.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhuC3623xy.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf78aR01nm25.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf78aR01nm25.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf63Yo43Rm45.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf63Yo43Rm45.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 193.233.20.27:4123 | | tcp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
RU | 193.233.20.27:4123 | | tcp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
RU | 193.233.20.27:4123 | | tcp
RU | 193.233.20.27:4123 | | tcp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
RU | 193.233.20.27:4123 | | tcp
RU | 193.233.20.27:4123 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhuC3623xy.exe

MD5 9149d5a0bd1737ba1f6381f4fae4667d
SHA1 7fe21301e9209e1d28e91d99e39ec11067fadc8b
SHA256 4c2dae1c8dcc0b1abf4947699b3ff8e4a5eb1e0204f2899d6cb9940f0a732e57
SHA512 9e32a96699327b76076af15e15b4c9e50c7eb355477de00fa0863eaafa88b794d0f4997950e84f20c9af5014d8737baffac7c1075cd6cf645e5d8548f481d2b8

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf78aR01nm25.exe

MD5 d92b91121dea7658c75a880b913c6800
SHA1 23b4816c2f4abea3b2e6b7731d523929fe6ddaf5
SHA256 911c52a04a16d446067dfcfe52d33012d6716cf369eb5db3503854a76acfa5cd
SHA512 c41b724241a1796b965d0a1533da486bffb6cdf8ccac54ca2c4a3b7016f9d45c18bc4baf7816e5271869cff71111734ffb970510969b91c328a330ce43ad353f

Memory dumps (PID 3096):
memory/3096-14-0x0000000000170000-0x000000000017A000-memory.dmp
memory/3096-15-0x00007FFD4AF70000-0x00007FFD4B239000-memory.dmp
memory/3096-17-0x00007FFD4AF70000-0x00007FFD4B239000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf63Yo43Rm45.exe

MD5 0fb36e6dfd2286b0bb7e48c476a3f73b
SHA1 38801c7ea1faf291cb471397c38630a305518828
SHA256 edb3b7633dd16579b23dc83d9950c525d7a9c2bec60785c04dc3b63ea3eaba8e
SHA512 95c334ce7bae2ccdff2bf4f288c544a2d87946405b723367df421de635a8037167aaeb9b655dd48f8ed9a10a5cfad6b25b4bfd5dc88e99c26ded8e4d694de64d

Memory dumps (PID 3244):
memory/3244-22-0x0000000004C40000-0x0000000004C86000-memory.dmp
memory/3244-23-0x0000000004D10000-0x00000000052B4000-memory.dmp
memory/3244-24-0x0000000004CC0000-0x0000000004D04000-memory.dmp
memory/3244-40-0x0000000004CC0000-0x0000000004CFE000-memory.dmp
memory/3244-44-0x0000000004CC0000-0x0000000004CFE000-memory.dmp
memory/3244-88-0x0000000004CC0000-0x0000000004CFE000-memory.dmp
memory/3244-86-0x0000000004CC0000-0x0000000004CFE000-memory.dmp
memory/3244-84-0x0000000004CC0000-0x0000000004CFE000-memory.dmp
memory/3244-82-0x0000000004CC0000-0x0000000004CFE000-memory.dmp
memory/3244-80-0x0000000004CC0000-0x0000000004CFE000-memory.dmp
memory/3244-78-0x0000000004CC0000-0x0000000004CFE000-memory.dmp
memory/3244-76-0x0000000004CC0000-0x0000000004CFE000-memory.dmp
memory/3244-74-0x0000000004CC0000-0x0000000004CFE000-memory.dmp
memory/3244-70-0x0000000004CC0000-0x0000000004CFE000-memory.dmp
memory/3244-68-0x0000000004CC0000-0x0000000004CFE000-memory.dmp
memory/3244-66-0x0000000004CC0000-0x0000000004CFE000-memory.dmp
memory/3244-64-0x0000000004CC0000-0x0000000004CFE000-memory.dmp
memory/3244-62-0x0000000004CC0000-0x0000000004CFE000-memory.dmp
memory/3244-60-0x0000000004CC0000-0x0000000004CFE000-memory.dmp
memory/3244-58-0x0000000004CC0000-0x0000000004CFE000-memory.dmp
memory/3244-54-0x0000000004CC0000-0x0000000004CFE000-memory.dmp
memory/3244-52-0x0000000004CC0000-0x0000000004CFE000-memory.dmp
memory/3244-50-0x0000000004CC0000-0x0000000004CFE000-memory.dmp
memory/3244-48-0x0000000004CC0000-0x0000000004CFE000-memory.dmp
memory/3244-46-0x0000000004CC0000-0x0000000004CFE000-memory.dmp
memory/3244-42-0x0000000004CC0000-0x0000000004CFE000-memory.dmp
memory/3244-38-0x0000000004CC0000-0x0000000004CFE000-memory.dmp
memory/3244-36-0x0000000004CC0000-0x0000000004CFE000-memory.dmp
memory/3244-34-0x0000000004CC0000-0x0000000004CFE000-memory.dmp
memory/3244-32-0x0000000004CC0000-0x0000000004CFE000-memory.dmp
memory/3244-30-0x0000000004CC0000-0x0000000004CFE000-memory.dmp
memory/3244-72-0x0000000004CC0000-0x0000000004CFE000-memory.dmp
memory/3244-56-0x0000000004CC0000-0x0000000004CFE000-memory.dmp
memory/3244-28-0x0000000004CC0000-0x0000000004CFE000-memory.dmp
memory/3244-26-0x0000000004CC0000-0x0000000004CFE000-memory.dmp
memory/3244-25-0x0000000004CC0000-0x0000000004CFE000-memory.dmp
memory/3244-931-0x0000000005310000-0x0000000005928000-memory.dmp
memory/3244-932-0x00000000059B0000-0x0000000005ABA000-memory.dmp
memory/3244-933-0x0000000005AF0000-0x0000000005B02000-memory.dmp
memory/3244-934-0x0000000005B10000-0x0000000005B4C000-memory.dmp
memory/3244-935-0x0000000005C60000-0x0000000005CAC000-memory.dmp