Malware Analysis Report

2024-11-13 17:37

Sample ID 241110-b2jtgawkgt
Target d2f0caa8a2ddb7cdaa5cb9e6f8f666f14338fe31e5a5db72341c1dabbe7d6b41N
SHA256 d2f0caa8a2ddb7cdaa5cb9e6f8f666f14338fe31e5a5db72341c1dabbe7d6b41
Tags healer redline rosn discovery dropper evasion infostealer persistence trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file d2f0caa8a2ddb7cdaa5cb9e6f8f666f14338fe31e5a5db72341c1dabbe7d6b41N was found to be: Known bad.

Malicious Activity Summary

Detects Healer, an antivirus disabler dropper

Healer family

Redline family

RedLine payload

RedLine

Modifies Windows Defender Real-time Protection settings

Healer

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:38

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:38

Reported

2024-11-10 01:40

Platform

win10v2004-20241007-en

Max time kernel

113s

Max time network

110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d2f0caa8a2ddb7cdaa5cb9e6f8f666f14338fe31e5a5db72341c1dabbe7d6b41N.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8544.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"

RedLine

infostealer redline

RedLine payload

Redline family

redline

Windows security modification

evasion trojan
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8544.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\d2f0caa8a2ddb7cdaa5cb9e6f8f666f14338fe31e5a5db72341c1dabbe7d6b41N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un538502.exe N/A

System Location Discovery: System Language Discovery

discovery
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by each of the following processes:
C:\Users\Admin\AppData\Local\Temp\d2f0caa8a2ddb7cdaa5cb9e6f8f666f14338fe31e5a5db72341c1dabbe7d6b41N.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un538502.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8544.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1840.exe

Suspicious behavior: EnumeratesProcesses

Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8544.exe (2 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8544.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1840.exe N/A

Suspicious use of WriteProcessMemory

Description Process Target
PID 3096 wrote to memory of 648 (3 writes) C:\Users\Admin\AppData\Local\Temp\d2f0caa8a2ddb7cdaa5cb9e6f8f666f14338fe31e5a5db72341c1dabbe7d6b41N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un538502.exe
PID 648 wrote to memory of 3032 (3 writes) C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un538502.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8544.exe
PID 648 wrote to memory of 3104 (3 writes) C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un538502.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1840.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d2f0caa8a2ddb7cdaa5cb9e6f8f666f14338fe31e5a5db72341c1dabbe7d6b41N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d2f0caa8a2ddb7cdaa5cb9e6f8f666f14338fe31e5a5db72341c1dabbe7d6b41N.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un538502.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un538502.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8544.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8544.exe

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3032 -ip 3032

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1840.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1840.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un538502.exe

MD5 4f5d632cfab2a72c85d88ebe02f39695
SHA1 1c1166d5aae6e66d24368641184b4cb9c2890ca5
SHA256 ae9ca050318d15c3dbf75094e5d8e2970c4b05b0cfba90326c64cc112a539954
SHA512 da811bb66c298847b64346331610651f7e90aec249210413ebe3ea76f24cc0c854cd996317828a60d6758e9ff54d42c57aa592709b7d05785f148dba2592d1db

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8544.exe

MD5 7d6b19eb5948aea817324ffc51352588
SHA1 1eb56b65a1e9b9cf62557f0ee2f61a61cd6f53ab
SHA256 04863b6cc5db9998454a31581c9113df55cf25d43bf2693d888ec930ad371983
SHA512 3f90cb5bff3ee83db519db98ea319b7ec366fa99804d18f2228b67ffc343dd06ad3f0f572ef6a9aefffcb34e482ec1f95083c8056dc721df3a382d3edbbbb94b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1840.exe

MD5 9ed22546a429a6869a5b0d308ae1f393
SHA1 d25c89cc655887eee67a4294d55ad99fab24c8d9
SHA256 ac6a8fcbfc50ef4795913385e566cc3241a066a622b3171659d2fc4ec8b968e6
SHA512 48f59e2025e7eb700492867e053eb3194f07968545c51db170840ed34d364b4d686eeaf5ef7d3be6d4f089c8f60f777634e9f15fcf77cbdf8aeb5c1aaf3e32bf