Malware Analysis Report

2024-11-13 17:38

Sample ID 241110-b2b4mawke1
Target 74bb323d4706c651e15ff471bd498849150c0b0d255e7590cba3021e267ec6c5
SHA256 74bb323d4706c651e15ff471bd498849150c0b0d255e7590cba3021e267ec6c5
Tags
healer redline mihan discovery dropper evasion infostealer persistence trojan
score
10/10


Analysis Overview

Threat Level: Known bad

The file 74bb323d4706c651e15ff471bd498849150c0b0d255e7590cba3021e267ec6c5 was found to be: Known bad.

Malicious Activity Summary

Detects Healer, an antivirus disabler dropper

Healer

RedLine payload

Redline family

Modifies Windows Defender Real-time Protection settings

RedLine

Healer family

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:37

Reported

2024-11-10 01:40

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\74bb323d4706c651e15ff471bd498849150c0b0d255e7590cba3021e267ec6c5.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8949411.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8949411.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8949411.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8949411.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8949411.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8949411.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8949411.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8949411.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\74bb323d4706c651e15ff471bd498849150c0b0d255e7590cba3021e267ec6c5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3836213.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3836213.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8949411.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7600297.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\74bb323d4706c651e15ff471bd498849150c0b0d255e7590cba3021e267ec6c5.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8949411.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8949411.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4236 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\74bb323d4706c651e15ff471bd498849150c0b0d255e7590cba3021e267ec6c5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3836213.exe
PID 3716 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3836213.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8949411.exe
PID 3716 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3836213.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7600297.exe

Processes

C:\Users\Admin\AppData\Local\Temp\74bb323d4706c651e15ff471bd498849150c0b0d255e7590cba3021e267ec6c5.exe

"C:\Users\Admin\AppData\Local\Temp\74bb323d4706c651e15ff471bd498849150c0b0d255e7590cba3021e267ec6c5.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3836213.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3836213.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8949411.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8949411.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7600297.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7600297.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
CY 217.196.96.101:4132 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3836213.exe

MD5 3ea9e092549bc55c729a39b7a88d97e0
SHA1 daee7689438bbdbe5404d979f6fae2fecce41959
SHA256 c99f5a2e621361ff3b67e9ba29e7706fca1f9d3d29569bd0e4a699273bf17efd
SHA512 c682d37336196e71b730865e4225bcef218edb32aaca4e50add2aa8f13095991da5ff7a06806241cea41c170b5877d0d4daa12383ac5b571fbbb2b6da3981e20

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8949411.exe

MD5 deb2c3a482574cedcc41b776d2b957b6
SHA1 f4f0b36a3672b04653bf2c8ada2a5f8a3e00daca
SHA256 e9b7baf529e1edb5b690e620b79fe24656b9cb6a8a0f9e20d01d474670747dd4
SHA512 e5219bc64bb2c51d1dc3f05224329579c92bdecb5057c8ab7afcb5d4974d9012d8e83e9e8d5ba6729b16f497e81248b6423adb0c0867a0f26379503872976d05

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7600297.exe

MD5 ef8e3cf6fabb7197c369733f7f221721
SHA1 09d143935b7b87f49245ce8cb64c1c6de6aaf2a7
SHA256 f9fc79626e70d247c7569b6021dbd49aca810118f36180ce81672a8bfa37d567
SHA512 3617314081872b45aa1181cfb6fd411d67a7389138a1df385df8327d46b2a5076d84f5e75f087f3a2d33c5c0692648ae92f19b035bfb01079f972f679186da2b
