Malware Analysis Report

2024-11-13 17:37

Sample ID 241110-b16a3szkbp
Target d6dc154ee4f7deb5d6ea4d517ef696b6da3819a06e91b574b1382cb36bd29466
SHA256 d6dc154ee4f7deb5d6ea4d517ef696b6da3819a06e91b574b1382cb36bd29466
Tags
healer redline dozt norm discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d6dc154ee4f7deb5d6ea4d517ef696b6da3819a06e91b574b1382cb36bd29466

Threat Level: Known bad

The file d6dc154ee4f7deb5d6ea4d517ef696b6da3819a06e91b574b1382cb36bd29466 was found to be: Known bad.

Malicious Activity Summary

healer redline dozt norm discovery dropper evasion infostealer persistence trojan

RedLine payload

Redline family

RedLine

Detects Healer, an antivirus disabler dropper

Healer

Healer family

Modifies Windows Defender Real-time Protection settings

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Program crash

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:37

Reported

2024-11-10 01:40

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d6dc154ee4f7deb5d6ea4d517ef696b6da3819a06e91b574b1382cb36bd29466.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr531728.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr531728.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr531728.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr531728.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr531728.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr531728.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku053516.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr531728.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\d6dc154ee4f7deb5d6ea4d517ef696b6da3819a06e91b574b1382cb36bd29466.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZk7286.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku053516.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr412176.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d6dc154ee4f7deb5d6ea4d517ef696b6da3819a06e91b574b1382cb36bd29466.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZk7286.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr531728.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr531728.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr531728.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku053516.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1112 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\d6dc154ee4f7deb5d6ea4d517ef696b6da3819a06e91b574b1382cb36bd29466.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZk7286.exe
PID 1112 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\d6dc154ee4f7deb5d6ea4d517ef696b6da3819a06e91b574b1382cb36bd29466.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZk7286.exe
PID 1112 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\d6dc154ee4f7deb5d6ea4d517ef696b6da3819a06e91b574b1382cb36bd29466.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZk7286.exe
PID 2512 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZk7286.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr531728.exe
PID 2512 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZk7286.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr531728.exe
PID 2512 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZk7286.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku053516.exe
PID 2512 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZk7286.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku053516.exe
PID 2512 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZk7286.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku053516.exe
PID 2320 wrote to memory of 6640 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku053516.exe C:\Windows\Temp\1.exe
PID 2320 wrote to memory of 6640 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku053516.exe C:\Windows\Temp\1.exe
PID 2320 wrote to memory of 6640 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku053516.exe C:\Windows\Temp\1.exe
PID 1112 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\d6dc154ee4f7deb5d6ea4d517ef696b6da3819a06e91b574b1382cb36bd29466.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr412176.exe
PID 1112 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\d6dc154ee4f7deb5d6ea4d517ef696b6da3819a06e91b574b1382cb36bd29466.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr412176.exe
PID 1112 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\d6dc154ee4f7deb5d6ea4d517ef696b6da3819a06e91b574b1382cb36bd29466.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr412176.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d6dc154ee4f7deb5d6ea4d517ef696b6da3819a06e91b574b1382cb36bd29466.exe

"C:\Users\Admin\AppData\Local\Temp\d6dc154ee4f7deb5d6ea4d517ef696b6da3819a06e91b574b1382cb36bd29466.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZk7286.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZk7286.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr531728.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr531728.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku053516.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku053516.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2320 -ip 2320

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 1152

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr412176.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr412176.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZk7286.exe

MD5 faa38678142a9c6ebb9b880126a3ccc2
SHA1 b42b7f24f6b77579ed759c5f0de3c64ef1b4e745
SHA256 f864bf06db4bab702b2388ed7cac5ebda510b1dae9f5e47173e293c78aa4f548
SHA512 1e8c70148de394d5718d477083af5363a7e8987f0c42d3094133628de4cb290ed08ade1f42612f58a2f9c9056290693ffd84db59f5e2ab7befc93e04e1368aef

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr531728.exe

MD5 45346337d024cda0ef18ef2cb4da67f6
SHA1 c3175487f29b84910512b414e6d0fc2d43328d07
SHA256 59e31739f6e1b95f9ce566b5231c93cabd69c1ce2831e33e1be9532d5e43ee1d
SHA512 d324bc0579966b4775742e9a469cb6728aab5f371b7dcb560a4e34af16e75b8bcb01034d52835063052e8ee2bbf3b3b6c350b5718c1df036e3c8d154d6706dd9

memory/4264-14-0x00007FFF0C6E3000-0x00007FFF0C6E5000-memory.dmp

memory/4264-15-0x00000000007B0000-0x00000000007BA000-memory.dmp

memory/4264-16-0x00007FFF0C6E3000-0x00007FFF0C6E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku053516.exe

MD5 70d8ecf871ee7c8ede9bf4efaf95df7b
SHA1 48421b6f2b9baeefc07022a62f20479f282e0308
SHA256 714a62b6cccb6e1bfe3e1f9c4e7163bd01f3ee7eef18e612d4cce3826dc68636
SHA512 d1f243b8a401ab6f03aecd1916f89d922411b8566634f89f88931d6d3734c75a815db90b808a3f2298cac5f2ab610c2570cfb094b400c1e7c5791fbc51d61474

memory/2320-22-0x0000000004CD0000-0x0000000004D36000-memory.dmp

memory/2320-23-0x0000000004D80000-0x0000000005324000-memory.dmp

memory/2320-24-0x0000000005330000-0x0000000005396000-memory.dmp

memory/2320-32-0x0000000005330000-0x000000000538F000-memory.dmp

memory/2320-28-0x0000000005330000-0x000000000538F000-memory.dmp

memory/2320-26-0x0000000005330000-0x000000000538F000-memory.dmp

memory/2320-25-0x0000000005330000-0x000000000538F000-memory.dmp

memory/2320-44-0x0000000005330000-0x000000000538F000-memory.dmp

memory/2320-88-0x0000000005330000-0x000000000538F000-memory.dmp

memory/2320-84-0x0000000005330000-0x000000000538F000-memory.dmp

memory/2320-82-0x0000000005330000-0x000000000538F000-memory.dmp

memory/2320-78-0x0000000005330000-0x000000000538F000-memory.dmp

memory/2320-76-0x0000000005330000-0x000000000538F000-memory.dmp

memory/2320-74-0x0000000005330000-0x000000000538F000-memory.dmp

memory/2320-72-0x0000000005330000-0x000000000538F000-memory.dmp

memory/2320-68-0x0000000005330000-0x000000000538F000-memory.dmp

memory/2320-66-0x0000000005330000-0x000000000538F000-memory.dmp

memory/2320-64-0x0000000005330000-0x000000000538F000-memory.dmp

memory/2320-62-0x0000000005330000-0x000000000538F000-memory.dmp

memory/2320-60-0x0000000005330000-0x000000000538F000-memory.dmp

memory/2320-58-0x0000000005330000-0x000000000538F000-memory.dmp

memory/2320-56-0x0000000005330000-0x000000000538F000-memory.dmp

memory/2320-54-0x0000000005330000-0x000000000538F000-memory.dmp

memory/2320-50-0x0000000005330000-0x000000000538F000-memory.dmp

memory/2320-48-0x0000000005330000-0x000000000538F000-memory.dmp

memory/2320-46-0x0000000005330000-0x000000000538F000-memory.dmp

memory/2320-42-0x0000000005330000-0x000000000538F000-memory.dmp

memory/2320-40-0x0000000005330000-0x000000000538F000-memory.dmp

memory/2320-38-0x0000000005330000-0x000000000538F000-memory.dmp

memory/2320-36-0x0000000005330000-0x000000000538F000-memory.dmp

memory/2320-34-0x0000000005330000-0x000000000538F000-memory.dmp

memory/2320-30-0x0000000005330000-0x000000000538F000-memory.dmp

memory/2320-86-0x0000000005330000-0x000000000538F000-memory.dmp

memory/2320-80-0x0000000005330000-0x000000000538F000-memory.dmp

memory/2320-70-0x0000000005330000-0x000000000538F000-memory.dmp

memory/2320-52-0x0000000005330000-0x000000000538F000-memory.dmp

memory/2320-2105-0x0000000005540000-0x0000000005572000-memory.dmp

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

memory/6640-2118-0x0000000000BE0000-0x0000000000C10000-memory.dmp

memory/6640-2119-0x00000000054C0000-0x00000000054C6000-memory.dmp

memory/6640-2120-0x0000000005BA0000-0x00000000061B8000-memory.dmp

memory/6640-2121-0x0000000005690000-0x000000000579A000-memory.dmp

memory/6640-2122-0x0000000005550000-0x0000000005562000-memory.dmp

memory/6640-2123-0x00000000055C0000-0x00000000055FC000-memory.dmp

memory/6640-2124-0x0000000005610000-0x000000000565C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr412176.exe

MD5 b2a714faf69503233508cce8cda1e251
SHA1 af306d5ae311826c4b19d26d696a21681238cbf9
SHA256 b5e216028f1cde2ad3dea20dd34fa5678161edbc5029bcb9a52fa217ff073d35
SHA512 25bf24a0b060b650160ee63bfb10dfbfa578694240ef685c63e10aa907604f1b8f388a0bf63fffbd84b55db0fbecfd63fbaa71d458789779a4667f049f6b4c35

memory/4220-2129-0x0000000000AF0000-0x0000000000B20000-memory.dmp

memory/4220-2130-0x0000000002E80000-0x0000000002E86000-memory.dmp