Malware Analysis Report

2024-11-13 17:36

Sample ID 241110-b3hmsswgpp
Target c2394eef039ba2aeb35cab21a2dec2d0d8ba24638db5f3e589b321252e96b0c9
SHA256 c2394eef039ba2aeb35cab21a2dec2d0d8ba24638db5f3e589b321252e96b0c9
Tags healer redline discovery dropper evasion infostealer persistence trojan
Score 10/10


Analysis Overview

Score 10/10

SHA256 c2394eef039ba2aeb35cab21a2dec2d0d8ba24638db5f3e589b321252e96b0c9

Threat Level: Known bad

The file c2394eef039ba2aeb35cab21a2dec2d0d8ba24638db5f3e589b321252e96b0c9 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Healer family

Modifies Windows Defender Real-time Protection settings

Redline family

Healer

Detects Healer, an antivirus disabler dropper

RedLine payload

RedLine

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:40

Reported

2024-11-10 01:42

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c2394eef039ba2aeb35cab21a2dec2d0d8ba24638db5f3e589b321252e96b0c9.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr700414.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr700414.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr700414.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr700414.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr700414.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr700414.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr700414.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr700414.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\c2394eef039ba2aeb35cab21a2dec2d0d8ba24638db5f3e589b321252e96b0c9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un298209.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un359390.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c2394eef039ba2aeb35cab21a2dec2d0d8ba24638db5f3e589b321252e96b0c9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un298209.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un359390.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr700414.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu073440.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr700414.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr700414.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu073440.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2240 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\c2394eef039ba2aeb35cab21a2dec2d0d8ba24638db5f3e589b321252e96b0c9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un298209.exe
PID 3468 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un298209.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un359390.exe
PID 2412 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un359390.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr700414.exe
PID 2412 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un359390.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu073440.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c2394eef039ba2aeb35cab21a2dec2d0d8ba24638db5f3e589b321252e96b0c9.exe

"C:\Users\Admin\AppData\Local\Temp\c2394eef039ba2aeb35cab21a2dec2d0d8ba24638db5f3e589b321252e96b0c9.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un298209.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un298209.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un359390.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un359390.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr700414.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr700414.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 312 -ip 312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 312 -s 1088

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu073440.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu073440.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
RU 185.161.248.153:38452 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un298209.exe

MD5 0c2a50e006c965503bd250157a7c911b
SHA1 4f0fd0d90f7a33ff2e91cafed6f489b2cce4c1e6
SHA256 5bc52f8e0fbe341502f3ac01d5390b7392ae3bcba3bea894c7096be6e37a24a1
SHA512 2d79917a35cc13d36954ef1d68697c106180adcfbb31c1069e78f9afda320503ff4ad6e7489c449c11c45399dad6e172699b58b0b794e016d5d396e6cae16a1b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un359390.exe

MD5 4d33ae5036db3f0ea68b61084aa7622c
SHA1 e8f36791175476c867a1bfa006ce47034ac12428
SHA256 00a71992e3b994561b380ddd8ccc2a78486ddfb68dd31b5235c397db22c43e2c
SHA512 50fddd91c97f1fd9bc01dfbfd7188c089ee415f9e41e76bacd2185ed36dfb32f45fff9680cf87c1bbb672eaca6bb96309a3d1e69b7f3f4ec23661d501568bdd0

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr700414.exe

MD5 b2ae68cb129f8c6fb4baec6bfa058dc8
SHA1 b188655665f1941600ce3d8854131860ba6f9fec
SHA256 d7a4a1678067140e743d59ea4c8b877ad33235d1003f71d919d5572140cb057b
SHA512 43d46afdaed48d6e01b93e947532b9cabb77b56f69530f0a730c8bcbdb06eac93fef4218213fe92014a3e1e6f65df5e42603558da70a8a45d01f5b105e1d1256


C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu073440.exe

MD5 e54895536d3c1703e86471d28c25afbe
SHA1 8919d1253eab3c2c6e78a5f196d09d25aa87b727
SHA256 9c88df00a1f4535a8195cb0dd905953742744564e0a67e8774691229911c9722
SHA512 e974b800b5c87a806d23dd1858cb0d68f2a3e2127b3eaa2abd887ab9d6da7e96eadaa4e88e42ab676c1cbca3c847fbdfd6d63f039f008b0d8efd7781970c5cb3
