Malware Analysis Report

2024-11-13 17:38

Sample ID 241110-b2ql1swkgx
Target 57ad4ebec76047e3786ae119a4552b19642c69708624a5b042b9ecca75114845
SHA256 57ad4ebec76047e3786ae119a4552b19642c69708624a5b042b9ecca75114845
Tags
healer redline sony discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

57ad4ebec76047e3786ae119a4552b19642c69708624a5b042b9ecca75114845

Threat Level: Known bad

The file 57ad4ebec76047e3786ae119a4552b19642c69708624a5b042b9ecca75114845 was found to be: Known bad.

Malicious Activity Summary

healer redline sony discovery dropper evasion infostealer persistence trojan

Healer family

RedLine payload

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

Redline family

Healer

RedLine

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:38

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:38

Reported

2024-11-10 01:41

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\57ad4ebec76047e3786ae119a4552b19642c69708624a5b042b9ecca75114845.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu150905.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu150905.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu150905.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu150905.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8709.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8709.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8709.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu150905.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu150905.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8709.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8709.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8709.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu150905.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8709.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8709.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\57ad4ebec76047e3786ae119a4552b19642c69708624a5b042b9ecca75114845.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina7555.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina5697.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina5865.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\57ad4ebec76047e3786ae119a4552b19642c69708624a5b042b9ecca75114845.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina7555.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina5697.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina5865.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8709.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\duq74s84.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu150905.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8709.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\duq74s84.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5060 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\57ad4ebec76047e3786ae119a4552b19642c69708624a5b042b9ecca75114845.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina7555.exe
PID 760 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina7555.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina5697.exe
PID 2432 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina5697.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina5865.exe
PID 2684 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina5865.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu150905.exe
PID 2684 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina5865.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8709.exe
PID 2432 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina5697.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\duq74s84.exe

Processes

C:\Users\Admin\AppData\Local\Temp\57ad4ebec76047e3786ae119a4552b19642c69708624a5b042b9ecca75114845.exe

"C:\Users\Admin\AppData\Local\Temp\57ad4ebec76047e3786ae119a4552b19642c69708624a5b042b9ecca75114845.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina7555.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina7555.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina5697.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina5697.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina5865.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina5865.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu150905.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu150905.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8709.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8709.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\duq74s84.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\duq74s84.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
RU 193.233.20.33:4125 tcp
RU 193.233.20.33:4125 tcp
RU 193.233.20.33:4125 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
RU 193.233.20.33:4125 tcp
RU 193.233.20.33:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina7555.exe

MD5 efb3f7dc161a980e456767d77368a79e
SHA1 9cb493384739fa7374b59b90a07f3a0e035e102a
SHA256 a285e62fef72b6de5eecc96dc727000f5e8d8f9be475e79bf3d3e5ecee2615bc
SHA512 d0da782caa79bd816068bd69aa36163871fd017537c4fcb7ce0ce4bc9420ba400e9c4bf3baa6b570be8c1a735c69076063a2dcf64d1ab990fa53c9eb02f59633

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina5697.exe

MD5 c731cc53eea4acd32d993915f3ff28cc
SHA1 7fe81dcfcefc02afc7d96e324d54b4a250abf457
SHA256 1f150415d7dcf2c4937fa6fab682f5748ca2640598df038c8da66e44462d2a3e
SHA512 1bf8ce97b75aa81176b6edb270d1714e75662d899a3128fae4e22ce8d58003180a1d79903ff7c2364ee465cb4c0eb42c70ac3ff3885198895e6a5ed7b155d43b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina5865.exe

MD5 327dc9193b963c200221a720d1bffc1e
SHA1 753cb3f124a24d4e3692c1d3937d000f1fe1a6fa
SHA256 2f8d7eb778622fb4eaac2939258a3d66b727b06f0a844924fa34301525a88883
SHA512 54495b7e3c432e7c7db244b14e8ba9f703bcd9d2a0c5ba6b8c6e537dc14483d5c9338132b4dbbcae791ec1757cc4419750abbbde2d4a41833164010bf84943f6

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu150905.exe

MD5 27754cfee83f58407b0f9370231925df
SHA1 39fef764c432230ae410b34499c87a35183bd13d
SHA256 a04d5f834d98e1fc85d778bee473c067c2d832b9958a183f429a331580582838
SHA512 fd8a4c5f0a9343bc0e296f230a47d83f3d7758c253fef271fd15021ca66cd05d02dd6ac286aecc8d3a470ab02c81464b451db35b96b0553072a307b992a04a39

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8709.exe

MD5 d8145143160f8b068d6fcf7e69d56b1a
SHA1 253ce4c0fc9f01cbb91e27308c1e8bebe57987b3
SHA256 a7bccee8157d7739190295bf131dbe2c9bf87e6bc2e47fb43626b1ad62a7c043
SHA512 207b8bd47f90b48a8e5ddc218952866dc5fba4d422fd43b619a2e3c0d24ed3a9dc1fe25d039d24e5bef3a62d87760a6b13d8efc3a97ac4b6d9d5564d4351700c

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\duq74s84.exe

MD5 0ba5cbdd0ae133b438180d8f299db198
SHA1 fceb77aa6bc73a7f895cea66d49bdf07f32f5aa8
SHA256 612f5412574413a534d354b6509913c7f37c7a0be0b70b018421b7d4818e189a
SHA512 55632d62bb53d771d8d97e3f91679aba35fe1f7f4d38556de17ac38c80b44065fa6f7a008ad813b1509e6f8d9095a0e7a1c45d80cfa80335c6c7f0c30790b03c
