Malware Analysis Report

2024-11-13 17:36

Sample ID 241110-b3p2wawgqj
Target 57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b
SHA256 57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b
Tags
healer redline ramon discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b

Threat Level: Known bad

The file 57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b was found to be: Known bad.

Malicious Activity Summary

healer redline ramon discovery dropper evasion infostealer persistence trojan

Redline family

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

Healer family

RedLine

RedLine payload

Healer

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:40

Signatures

Unsigned PE

Description Indicator Process Target
1 hit, no per-indicator details recorded.

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:40

Reported

2024-11-10 01:42

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
2 hits, no per-indicator details recorded.

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
35 hits, no per-indicator details recorded (every row of the original table is N/A).

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe N/A

Note: this write comes from the same stage (bTV34RD30.exe) that sets the Real-Time Protection policy values above, so the two signatures describe one AV-disabler routine. On a host where Tamper Protection is enforced, Defender does not honour these registry writes; the attempt itself is the indicator worth alerting on.
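The Real-Time Protection policy writes and the TamperProtection write are two halves of one behaviour, and a triage script should score them together per process rather than as separate hits. The Python below is an added example for this report, not code from the sandbox's own signature engine: it parses registry event rows in the report's own format, classifies each one, and returns a per-process verdict. The sample rows are constructed to mirror the rows above (sample.exe stands in for the hash-named parent); the verdict labels, and the rule that real-time-protection plus tamper-protection writes from one image count as an AV disabler, are this example's own assumptions.

```python
"""Triage sandbox registry events for Windows Defender tampering.

Added example for this report; not the sandbox's own signature code.
SAMPLE_EVENTS is constructed to mirror the 'Set value' / 'Key created' /
'Key opened' rows in the report. Verdict labels are this example's convention.
"""
import re
from collections import defaultdict

# Real-Time Protection policy values that switch off a Defender layer when set to 1.
RTP_KILL_SWITCHES = {
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
    "DisableIOAVProtection", "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable",
}
RTP_POLICY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"
OPS = ("Set value (int)", "Set value (str)", "Key created", "Key opened")

# Constructed sample rows (sample.exe stands in for the hash-named parent).
SAMPLE_EVENTS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
'''.strip().splitlines()


def parse_event(line):
    """Split one report row into op / path / value / process / target.

    Key paths contain spaces, so the split keys off the ' = "' marker or, for
    ops without a value, the drive-letter start of the process image path.
    """
    line = line.strip()
    op = next((o for o in OPS if line.startswith(o + " ")), None)
    if op is None:
        return None
    rest = line[len(op) + 1:]
    value = None
    if ' = "' in rest:
        path, _, tail = rest.partition(' = "')
        value, _, tail = tail.partition('" ')      # value ends at the last '"' before the image path
    else:
        m = re.search(r" (?=[A-Z]:\\)", rest)
        if m is None:
            return None
        path, tail = rest[:m.start()], rest[m.end():]
    parts = tail.split()
    return {"op": op, "path": path, "value": value, "proc": parts[0], "target": parts[-1]}


def classify(ev):
    path, value = ev["path"], ev["value"]
    if path.startswith(RTP_POLICY + "\\") and path.rsplit("\\", 1)[1] in RTP_KILL_SWITCHES and value == "1":
        return "defender_rtp_disabled"
    if path == FEATURES_KEY + "\\TamperProtection" and value == "0":
        return "tamper_protection_off"
    if "\\CurrentVersion\\RunOnce\\wextract_cleanup" in path and value and "advpack.dll,DelNodeRunDLL32" in value:
        return "wextract_cleanup"        # SFX deleting its own temp dir, not payload persistence
    if "\\CurrentVersion\\Run" in path and ev["op"].startswith("Set value"):
        return "run_key_persistence"
    return "other"


def triage(lines):
    """Return (per-process category counts, per-process verdict)."""
    counts = defaultdict(lambda: defaultdict(int))
    for ln in lines:
        ev = parse_event(ln)
        if ev:
            counts[ev["proc"]][classify(ev)] += 1
    verdicts = {}
    for proc, cats in counts.items():
        rtp, tp = cats.get("defender_rtp_disabled", 0), cats.get("tamper_protection_off", 0)
        if rtp and tp:
            verdicts[proc] = "av_disabler"          # assumption: both together == AV-disabler stage
        elif rtp or tp:
            verdicts[proc] = "defender_tamper"
        elif cats.get("run_key_persistence"):
            verdicts[proc] = "persistence"
        elif cats.get("wextract_cleanup"):
            verdicts[proc] = "wextract_sfx_stage"
        else:
            verdicts[proc] = "no_finding"
    return {p: dict(c) for p, c in counts.items()}, verdicts


if __name__ == "__main__":
    for proc, verdict in triage(SAMPLE_EVENTS)[1].items():
        print(f"{verdict:20} {proc}")
```

The wextract_cleanup branch is deliberately checked before the generic Run-key branch: without it, the self-extractor's RunOnce housekeeping would be scored as persistence, which is exactly the false reading the "Adds Run key" signature below invites.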

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTJ31jO62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptd85Or28.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe N/A

Note: these four RunOnce values are the housekeeping entries that wextract (the Windows IExpress self-extractor) writes so that its IXPnnn.TMP extraction directory is deleted at the next logon via advpack.dll DelNodeRunDLL32. They show that the sample is a chain of four nested self-extracting packages (IXP000 through IXP003), each unpacking the next; they are not persistence for the final payloads, and neither bTV34RD30.exe nor cyg96SF31.exe writes a Run key in this trace.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTJ31jO62.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptd85Or28.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cyg96SF31.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cyg96SF31.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Writes
PID 2160 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTJ31jO62.exe 3
PID 2136 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTJ31jO62.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptd85Or28.exe 3
PID 4008 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptd85Or28.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe 3
PID 468 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe 2
PID 468 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cyg96SF31.exe 3

Every edge here is a parent writing into a child it has just spawned, which is what ordinary process creation looks like (the parent writes the new process's startup parameters into the child). The writes line up one-to-one with the dropper chain, so this signature corroborates the process tree rather than evidencing injection into an unrelated process.
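The WriteProcessMemory rows are the cleanest record of who spawned whom, so they are what to rebuild the process tree from. The Python below is an added example for this report, not the sandbox's own tooling: it parses rows in the report's format, counts writes per edge, builds the tree, enumerates root-to-leaf chains and tags each process with the IXPnnn.TMP stage directory it was extracted into. The rows are constructed to mirror the table above, with sample.exe standing in for the hash-named parent; repeats are kept because the write count per edge is part of the record.

```python
"""Rebuild the dropper chain from 'PID X wrote to memory of Y' rows.

Added example for this report; not the sandbox's own tooling. The rows are
constructed to mirror the WriteProcessMemory table above (sample.exe stands
in for the hash-named parent; repeats kept on purpose).
"""
import re
from collections import defaultdict

T = r"C:\Users\Admin\AppData\Local\Temp"
# (src pid, dst pid, src image, dst image, repeats), constructed from the table above
_EDGES = [
    (2160, 2136, T + r"\sample.exe", T + r"\IXP000.TMP\pTJ31jO62.exe", 3),
    (2136, 4008, T + r"\IXP000.TMP\pTJ31jO62.exe", T + r"\IXP001.TMP\ptd85Or28.exe", 3),
    (4008, 468, T + r"\IXP001.TMP\ptd85Or28.exe", T + r"\IXP002.TMP\pZm47bK52.exe", 3),
    (468, 2320, T + r"\IXP002.TMP\pZm47bK52.exe", T + r"\IXP003.TMP\bTV34RD30.exe", 2),
    (468, 4704, T + r"\IXP002.TMP\pZm47bK52.exe", T + r"\IXP003.TMP\cyg96SF31.exe", 3),
]
SAMPLE_ROWS = [f"PID {s} wrote to memory of {d} N/A {si} {di}"
               for s, d, si, di, n in _EDGES for _ in range(n)]

WPM_ROW = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)
BS = "\\"


def basename(path):
    return path.rsplit(BS, 1)[-1]


def stage_dir(image):
    """'IXP002.TMP' when the image lives in a wextract extraction dir, else None."""
    m = re.search(r"\\(IXP\d{3}\.TMP)\\", image)
    return m.group(1) if m else None


def parse_rows(lines):
    """Return (edge -> number of writes, pid -> image path)."""
    writes, images = defaultdict(int), {}
    for ln in lines:
        m = WPM_ROW.match(ln.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        writes[(src, dst)] += 1
        images[src], images[dst] = m["src_img"], m["dst_img"]
    return dict(writes), images


def build_tree(writes):
    """Roots are writers nobody wrote into; children are ordered by pid."""
    children = defaultdict(list)
    for src, dst in sorted(writes):
        children[src].append(dst)
    parents = {dst for _, dst in writes}
    roots = sorted({src for src, _ in writes} - parents)
    return roots, dict(children)


def chains(roots, children):
    """Every root-to-leaf pid path, depth-first."""
    out = []

    def walk(pid, path):
        kids = children.get(pid, [])
        if not kids:
            out.append(path)
        for k in kids:
            walk(k, path + [k])

    for r in roots:
        walk(r, [r])
    return out


def render(roots, children, images, writes):
    """Indented tree: pid, image basename, stage dir, writes received from parent."""
    lines = []

    def walk(pid, depth, parent):
        stage = stage_dir(images[pid])
        line = "  " * depth + f"{pid} {basename(images[pid])}"
        if stage:
            line += f" [{stage}]"
        if parent is not None:
            line += f" (writes from {parent}: {writes.get((parent, pid), 0)})"
        lines.append(line)
        for k in children.get(pid, []):
            walk(k, depth + 1, pid)

    for r in roots:
        walk(r, 0, None)
    return lines


if __name__ == "__main__":
    w, im = parse_rows(SAMPLE_ROWS)
    r, c = build_tree(w)
    print("\n".join(render(r, c, im, w)))
```

The leaf set is the payload set: anything with no children in this tree is a final stage, and the stage-directory tags make the nesting depth (here four wextract layers) explicit without reading the RunOnce table.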

Processes

Process tree (PIDs taken from the WriteProcessMemory events; each of the first four processes writes a wextract_cleanup RunOnce entry, i.e. each is a wextract self-extractor that unpacks the next stage into a fresh IXPnnn.TMP directory):

2160  C:\Users\Admin\AppData\Local\Temp\57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b.exe"
  2136  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTJ31jO62.exe
    4008  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptd85Or28.exe
      468  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe
        2320  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe (writes the Defender policy and TamperProtection values; SeDebugPrivilege)
        4704  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cyg96SF31.exe (SeDebugPrivilege; the process whose memory was dumped repeatedly, see Files)

Each stage runs with its own path as the command line and no arguments.

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.23:4123 (none) tcp (x4)
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
RU 193.233.20.23:4123 (none) tcp (x2)
US 8.8.8.8:53 (none) udp

The only non-DNS traffic is six TCP connections to 193.233.20.23:4123, made directly by IP with no preceding name resolution; that address and port are the network indicator to block and hunt for. Everything else is reverse (PTR) lookups sent to 8.8.8.8; the in-addr.arpa names decode to 52.167.249.196, 93.184.221.240, 40.126.32.72, 192.229.221.95 and 52.111.229.19.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTJ31jO62.exe

MD5 0cc645bfebbee83ae73f2ac67a44e234
SHA1 4458ddc13d90bc8399e5cc547e14a2845a9dcaf5
SHA256 7420260bf221aa05d429e7f4bd9ce6b0b4070baa410944869dbb17d3b6f8e10f
SHA512 d8b32d5550f147b703dc86600de7c2bc6cec826d37a7dce71770dcc03b38622988710eb613fc08fd246d2d81517c239d9c1d78b09a091f8782d187fa9251e557

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptd85Or28.exe

MD5 3eb3cccf02026e0dd174dac928d3a81d
SHA1 7a7048c147a524452ea36c86286b77e3564cfd32
SHA256 454ede7721a8519b453335674e0f18bbcd9b7c2202cc0391d8880aca37af3752
SHA512 9a016e66b13bfe5d13d177b26b49dfa1ca6322551b9aa78c5d7da442b3c55911dace26237226ab4e9704062471066491306dfeb8d0ed20d4b01bf36e2c554a6c

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe

MD5 8312e11efc3b3e96080fd917e04a70a7
SHA1 0e7d59876755c8891cbf706748d0abde231b97fa
SHA256 1c9b912ec71b43c46f45cd154e27b8cb3edd93f44a49a1b9f02d594bad6d2da2
SHA512 ae62ced526d11d0c6f2c93962834a7ddd92a9b8b2b045bee17213515a7edc614880940943b66854ae0ed989ba3ab03ea33543bdea00bdc4d62c57203797ad4e8

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe

MD5 4759c87cb8aae3b368ce489ed3888406
SHA1 428b9a715af61d129a9a86145884f344a557f1aa
SHA256 48ebc806315e6f54059fd03b98c5c853e0e3a457b1f1d8dc6fa61f57470b7f62
SHA512 e8b16bbc37b67efcbee78d2085487f57d909e4e84160e6fbef838a403f5642d86b330db35ea0887b89629176ed684a8d2c4ef76a32724dbb4b35aead6ef16d04

memory/2320-28-0x00000000000F0000-0x00000000000FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cyg96SF31.exe

MD5 43808d4cb75be409d7906b2dd00a55cb
SHA1 7c05ec44a25709bbf577a9a2b64305148267a461
SHA256 6376d0c48599313b92671dd50ea2d30842c10ac8e3a7943d4f4e6d017fb5a4c7
SHA512 44f4232365eb392b55cd0bbdcdd1f4dc4c9f5f2a9b2f698258b26a5f25dfdbaf422498c0f21a8dc7a2fb2a81611e8c9b192c2c2db2486f8240f28809ae3f9609

Memory dumps for PID 4704 (41 in total; the sequence numbers from the dump names are preserved):

memory/4704-34-0x00000000009C0000-0x0000000000A06000-memory.dmp
memory/4704-35-0x0000000004BB0000-0x0000000005154000-memory.dmp
memory/4704-36-0x0000000005160000-0x00000000051A4000-memory.dmp
memory/4704-{37,38,40,42,44,46,48,50,52,54,56,58,60,62,64,67,68,70,72,74,76,78,80,82,84,86,88,90,92,94,96,98,100}-0x0000000005160000-0x000000000519E000-memory.dmp (33 dumps of the same region; its end address drops from 0x51A4000 at seq 36 to 0x519E000 from seq 37 onward)
memory/4704-943-0x00000000051D0000-0x00000000057E8000-memory.dmp
memory/4704-944-0x0000000005870000-0x000000000597A000-memory.dmp
memory/4704-945-0x00000000059B0000-0x00000000059C2000-memory.dmp
memory/4704-946-0x00000000059D0000-0x0000000005A0C000-memory.dmp
memory/4704-947-0x0000000005B20000-0x0000000005B6C000-memory.dmp
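With dozens of dumps for one process, the first question is which region to open first: the one captured most often (memory the sandbox saw being rewritten repeatedly) or the largest late one. The Python below is an added example for this report, not part of the sandbox's tooling: it parses dump names in the report's memory/PID-SEQ-START-END-memory.dmp format, indexes them per process and region, ranks regions by size or capture count, and flags a region whose extent changed between captures. The names are a constructed subset of the entries above; which region is worth loading into a disassembler first remains a judgement call the ranking only informs.

```python
"""Index sandbox memory dumps by process and region.

Added example for this report; not the sandbox's own tooling. SAMPLE_DUMPS is
a constructed subset of the 'memory/...' entries above.
"""
import re
from collections import defaultdict

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

SAMPLE_DUMPS = """
memory/2320-28-0x00000000000F0000-0x00000000000FA000-memory.dmp
memory/4704-34-0x00000000009C0000-0x0000000000A06000-memory.dmp
memory/4704-35-0x0000000004BB0000-0x0000000005154000-memory.dmp
memory/4704-36-0x0000000005160000-0x00000000051A4000-memory.dmp
memory/4704-37-0x0000000005160000-0x000000000519E000-memory.dmp
memory/4704-38-0x0000000005160000-0x000000000519E000-memory.dmp
memory/4704-100-0x0000000005160000-0x000000000519E000-memory.dmp
memory/4704-943-0x00000000051D0000-0x00000000057E8000-memory.dmp
memory/4704-944-0x0000000005870000-0x000000000597A000-memory.dmp
""".split()


def summarize_dumps(names):
    """{pid: {(start, end): {"size", "count", "first", "last"}}}; non-matching names are skipped."""
    out = defaultdict(dict)
    for name in names:
        m = DUMP_NAME.match(name.strip())
        if not m:
            continue
        pid, seq = int(m["pid"]), int(m["seq"])
        region = (int(m["start"], 16), int(m["end"], 16))
        rec = out[pid].setdefault(
            region, {"size": region[1] - region[0], "count": 0, "first": seq, "last": seq}
        )
        rec["count"] += 1
        rec["first"] = min(rec["first"], seq)
        rec["last"] = max(rec["last"], seq)
    return dict(out)


def rank(summary, pid, key):
    """Regions of one pid, highest `key` ("size" or "count") first; ties go to the earliest capture."""
    return sorted(summary[pid].items(), key=lambda kv: (-kv[1][key], kv[1]["first"]))


def resized_regions(summary, pid):
    """Start addresses dumped with more than one end address, ends in order of first capture."""
    by_start = defaultdict(list)
    for (start, end), rec in summary[pid].items():
        by_start[start].append((rec["first"], end))
    return [(start, [e for _, e in sorted(ends)])
            for start, ends in sorted(by_start.items()) if len(ends) > 1]


def fmt(region, rec):
    s, e = region
    return f"0x{s:08X}-0x{e:08X}  {rec['size']:>9,} bytes  x{rec['count']:<3} seq {rec['first']}..{rec['last']}"


if __name__ == "__main__":
    summary = summarize_dumps(SAMPLE_DUMPS)
    for pid in sorted(summary):
        print(f"PID {pid}")
        for region, rec in rank(summary, pid, "count"):
            print("  " + fmt(region, rec))
        for start, ends in resized_regions(summary, pid):
            print(f"  region at 0x{start:08X} changed extent: " + ", ".join(f"0x{e:X}" for e in ends))
```

Run on the full listing above, the count ranking puts 0x5160000-0x519E000 first (33 captures) while the size ranking puts the 6 MB region at 0x51D0000 first; the resize check surfaces the 0x6000-byte shrink between seq 36 and 37 that is easy to miss when scanning the raw names.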