Malware Analysis Report

2024-11-13 17:35

Sample ID 241110-b3bjgszkdl
Target 6ceb455df5665f75565bb10872bd5181314d135c8928df63ad5c9e83769f9c24
SHA256 6ceb455df5665f75565bb10872bd5181314d135c8928df63ad5c9e83769f9c24
Tags
healer redline fud discovery dropper evasion infostealer persistence trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

6ceb455df5665f75565bb10872bd5181314d135c8928df63ad5c9e83769f9c24

Threat Level: Known bad

The file 6ceb455df5665f75565bb10872bd5181314d135c8928df63ad5c9e83769f9c24 was found to be: Known bad.

Malicious Activity Summary

healer redline fud discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Redline family

Healer family

RedLine

Healer

RedLine payload

Detects Healer an antivirus disabler dropper

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:39

Reported

2024-11-10 01:42

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ceb455df5665f75565bb10872bd5181314d135c8928df63ad5c9e83769f9c24.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf34SS76NW28.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf34SS76NW28.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf34SS76NW28.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf34SS76NW28.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf34SS76NW28.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf34SS76NW28.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf34SS76NW28.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\6ceb455df5665f75565bb10872bd5181314d135c8928df63ad5c9e83769f9c24.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhDn5267Jh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhDn5267Jh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf19wQ27Tc81.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6ceb455df5665f75565bb10872bd5181314d135c8928df63ad5c9e83769f9c24.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf34SS76NW28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf34SS76NW28.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf34SS76NW28.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf19wQ27Tc81.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6ceb455df5665f75565bb10872bd5181314d135c8928df63ad5c9e83769f9c24.exe

"C:\Users\Admin\AppData\Local\Temp\6ceb455df5665f75565bb10872bd5181314d135c8928df63ad5c9e83769f9c24.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhDn5267Jh.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhDn5267Jh.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf34SS76NW28.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf34SS76NW28.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf19wQ27Tc81.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf19wQ27Tc81.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
RU 193.233.20.27:4123 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
RU 193.233.20.27:4123 tcp
RU 193.233.20.27:4123 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
RU 193.233.20.27:4123 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
RU 193.233.20.27:4123 tcp
RU 193.233.20.27:4123 tcp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhDn5267Jh.exe

MD5 891318337cf6f7ed59acdf1f322aef84
SHA1 6b14bd74aa79e64f53e0d1c395f39ae72a78040b
SHA256 a5ee1ad0335d9b2a2e4f84fd9a4b50e444b1fcf5be62b58c03bb6f92116f6df8
SHA512 c8c7a1e42b4292deca8d289abcc5fb407bec931490d55bf591796d2dac316ba80be8db579b122c42c3705ab87aa823ddafd87fc49c99305ed0a31642108faa31

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf34SS76NW28.exe

MD5 be35dfbfcdab73f56be31d38d2ae75fc
SHA1 853c25ca3b57f8e7860d419d85e4e6b8b870dd8f
SHA256 cab90b63988d9c56073172501c6a1728b824df9c2a1f612cc3f8403a0ee845f2
SHA512 dbfe76d1ed8f12ac089c9ddd5056dd711d23e19d71454b8c47b151061602a28cfb6b191754f929f16d0b55bc1251eaaf6c625c8f3bcb5f50824e930f1f5bfc2e

memory/3400-14-0x00007FFECE3F3000-0x00007FFECE3F5000-memory.dmp

memory/3400-15-0x0000000000340000-0x000000000034A000-memory.dmp

memory/3400-16-0x00007FFECE3F3000-0x00007FFECE3F5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf19wQ27Tc81.exe

MD5 cdcef278fd567074f7fd62913f828c7f
SHA1 f8f15924c0670526951bd988acd59ba3b0f95889
SHA256 fdc600b7491c442a1c8538b09303b44c51fe3436671493cbc7ab0ca5bd512243
SHA512 06d63079ba454a6f9d86208369ace8125db61e97d5dce25ca0a2e6c244403ff9ef7bed684c48592248273a5ffa5a79c56c4f2ce941fe2eb04800606072178d2d
