Malware Analysis Report

2024-11-13 17:35

Sample ID 241110-b3yn1sxanc
Target c7a837ea07268c206368d149f5c822e3894598d3ec5ba5825268fe75e8a0a545
SHA256 c7a837ea07268c206368d149f5c822e3894598d3ec5ba5825268fe75e8a0a545
Tags
healer redline dozt norm discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c7a837ea07268c206368d149f5c822e3894598d3ec5ba5825268fe75e8a0a545

Threat Level: Known bad

The file c7a837ea07268c206368d149f5c822e3894598d3ec5ba5825268fe75e8a0a545 was found to be: Known bad.

Malicious Activity Summary

healer redline dozt norm discovery dropper evasion infostealer persistence trojan

Healer family

Detects Healer, an antivirus disabler dropper

Redline family

RedLine

Modifies Windows Defender Real-time Protection settings

Healer

RedLine payload

Executes dropped EXE

Checks computer location settings

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:40

Reported

2024-11-10 01:43

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c7a837ea07268c206368d149f5c822e3894598d3ec5ba5825268fe75e8a0a545.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr939039.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr939039.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr939039.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr939039.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr939039.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr939039.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku948999.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr939039.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\c7a837ea07268c206368d149f5c822e3894598d3ec5ba5825268fe75e8a0a545.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLJ5835.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c7a837ea07268c206368d149f5c822e3894598d3ec5ba5825268fe75e8a0a545.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLJ5835.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku948999.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr013880.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr939039.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr939039.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr939039.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku948999.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4412 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\c7a837ea07268c206368d149f5c822e3894598d3ec5ba5825268fe75e8a0a545.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLJ5835.exe
PID 4412 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\c7a837ea07268c206368d149f5c822e3894598d3ec5ba5825268fe75e8a0a545.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLJ5835.exe
PID 4412 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\c7a837ea07268c206368d149f5c822e3894598d3ec5ba5825268fe75e8a0a545.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLJ5835.exe
PID 4424 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLJ5835.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr939039.exe
PID 4424 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLJ5835.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr939039.exe
PID 4424 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLJ5835.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku948999.exe
PID 4424 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLJ5835.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku948999.exe
PID 4424 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLJ5835.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku948999.exe
PID 3572 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku948999.exe C:\Windows\Temp\1.exe
PID 3572 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku948999.exe C:\Windows\Temp\1.exe
PID 3572 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku948999.exe C:\Windows\Temp\1.exe
PID 4412 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\c7a837ea07268c206368d149f5c822e3894598d3ec5ba5825268fe75e8a0a545.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr013880.exe
PID 4412 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\c7a837ea07268c206368d149f5c822e3894598d3ec5ba5825268fe75e8a0a545.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr013880.exe
PID 4412 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\c7a837ea07268c206368d149f5c822e3894598d3ec5ba5825268fe75e8a0a545.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr013880.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c7a837ea07268c206368d149f5c822e3894598d3ec5ba5825268fe75e8a0a545.exe

"C:\Users\Admin\AppData\Local\Temp\c7a837ea07268c206368d149f5c822e3894598d3ec5ba5825268fe75e8a0a545.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLJ5835.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLJ5835.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr939039.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr939039.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku948999.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku948999.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3572 -ip 3572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 1380

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr013880.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr013880.exe

Network

Country  Destination          Domain                        Proto
US       8.8.8.8:53           133.211.185.52.in-addr.arpa   udp
US       8.8.8.8:53           74.32.126.40.in-addr.arpa     udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa   udp
FI       77.91.124.145:4125   -                             tcp
FI       77.91.124.145:4125   -                             tcp
FI       77.91.124.145:4125   -                             tcp
FI       77.91.124.145:4125   -                             tcp
FI       77.91.124.145:4125   -                             tcp
FI       77.91.124.145:4125   -                             tcp
US       8.8.8.8:53           31.243.111.52.in-addr.arpa    udp
FI       77.91.124.145:4125   -                             tcp
FI       77.91.124.145:4125   -                             tcp
FI       77.91.124.145:4125   -                             tcp
FI       77.91.124.145:4125   -                             tcp
FI       77.91.124.145:4125   -                             tcp
US       8.8.8.8:53           9.173.189.20.in-addr.arpa     udp
FI       77.91.124.145:4125   -                             tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLJ5835.exe

MD5 8777b8a90bfd45422580cd761bee0819
SHA1 dfd3ebb11d7ea9b631422d0fd7608592d9cd07eb
SHA256 0515d8ba2972c3a44e6b785d03e4bdb2c347270c03604d0f7dcd9788de1750f8
SHA512 1d2be0e9277b665c80b4b5f0f3077bd9178b2829376822667c4c6f8c878ca3da4d88e3ea940b9c1c0ecc642a089069015b52c395fa4f57ae0bb45c9564565ddf

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr939039.exe

MD5 3f0a55791ca73bb4b286cb752b7e89a3
SHA1 085f476e3c846a3bf14c67d18a1820d08ae17eaa
SHA256 d28c5efafe7f3533f4ea3f04004f79911ef694142195ea89a72053f81e92c561
SHA512 a4f3975acf6cbf0b5b4bd69ffe4f65ef554db111c4a8686d589da89a674aa915ed4389b64879e892dbb5db61b0f56ed3c92133d9cc0cd23ae067d2ba68d66d87

memory/1260-14-0x00007FFFD67E3000-0x00007FFFD67E5000-memory.dmp

memory/1260-15-0x00000000002A0000-0x00000000002AA000-memory.dmp

memory/1260-16-0x00007FFFD67E3000-0x00007FFFD67E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku948999.exe

MD5 dcdde54f2111075067d4af98d5b753d2
SHA1 4d5d071abc6bcb89f50d081e67fd24369f5c6458
SHA256 9cd1d4c463a5dc6149b269adb26cc2c9a7577c8e7835dcec550af821b35cc259
SHA512 4e1a052d26a234fe2f2277b593c7e851ffa3c2c3e75c80f596863f93dac7c5d7e95f10364b86c966a5ec4380bbf038d899fe0acabeead1b75cc598f7450360f4

memory/3572-22-0x0000000004BB0000-0x0000000004C16000-memory.dmp

memory/3572-23-0x0000000004D60000-0x0000000005304000-memory.dmp

memory/3572-24-0x0000000005310000-0x0000000005376000-memory.dmp

memory/3572-28-0x0000000005310000-0x000000000536F000-memory.dmp

memory/3572-42-0x0000000005310000-0x000000000536F000-memory.dmp

memory/3572-88-0x0000000005310000-0x000000000536F000-memory.dmp

memory/3572-86-0x0000000005310000-0x000000000536F000-memory.dmp

memory/3572-84-0x0000000005310000-0x000000000536F000-memory.dmp

memory/3572-82-0x0000000005310000-0x000000000536F000-memory.dmp

memory/3572-80-0x0000000005310000-0x000000000536F000-memory.dmp

memory/3572-79-0x0000000005310000-0x000000000536F000-memory.dmp

memory/3572-74-0x0000000005310000-0x000000000536F000-memory.dmp

memory/3572-72-0x0000000005310000-0x000000000536F000-memory.dmp

memory/3572-70-0x0000000005310000-0x000000000536F000-memory.dmp

memory/3572-68-0x0000000005310000-0x000000000536F000-memory.dmp

memory/3572-66-0x0000000005310000-0x000000000536F000-memory.dmp

memory/3572-64-0x0000000005310000-0x000000000536F000-memory.dmp

memory/3572-62-0x0000000005310000-0x000000000536F000-memory.dmp

memory/3572-58-0x0000000005310000-0x000000000536F000-memory.dmp

memory/3572-56-0x0000000005310000-0x000000000536F000-memory.dmp

memory/3572-54-0x0000000005310000-0x000000000536F000-memory.dmp

memory/3572-52-0x0000000005310000-0x000000000536F000-memory.dmp

memory/3572-50-0x0000000005310000-0x000000000536F000-memory.dmp

memory/3572-48-0x0000000005310000-0x000000000536F000-memory.dmp

memory/3572-46-0x0000000005310000-0x000000000536F000-memory.dmp

memory/3572-40-0x0000000005310000-0x000000000536F000-memory.dmp

memory/3572-38-0x0000000005310000-0x000000000536F000-memory.dmp

memory/3572-36-0x0000000005310000-0x000000000536F000-memory.dmp

memory/3572-34-0x0000000005310000-0x000000000536F000-memory.dmp

memory/3572-32-0x0000000005310000-0x000000000536F000-memory.dmp

memory/3572-30-0x0000000005310000-0x000000000536F000-memory.dmp

memory/3572-76-0x0000000005310000-0x000000000536F000-memory.dmp

memory/3572-60-0x0000000005310000-0x000000000536F000-memory.dmp

memory/3572-44-0x0000000005310000-0x000000000536F000-memory.dmp

memory/3572-26-0x0000000005310000-0x000000000536F000-memory.dmp

memory/3572-25-0x0000000005310000-0x000000000536F000-memory.dmp

memory/3572-2105-0x0000000005540000-0x0000000005572000-memory.dmp

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

memory/3792-2118-0x0000000000B90000-0x0000000000BC0000-memory.dmp

memory/3792-2119-0x00000000054B0000-0x00000000054B6000-memory.dmp

memory/3792-2120-0x0000000005B30000-0x0000000006148000-memory.dmp

memory/3792-2121-0x0000000005620000-0x000000000572A000-memory.dmp

memory/3792-2122-0x0000000005510000-0x0000000005522000-memory.dmp

memory/3792-2123-0x0000000005570000-0x00000000055AC000-memory.dmp

memory/3792-2124-0x00000000055C0000-0x000000000560C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr013880.exe

MD5 c057efa5266deaab6a9a3cfc05518a95
SHA1 fa6b3f0dc81e6f079cfef64ff949e3beafa05b0c
SHA256 a48aa0efd519e429a269f861dd95a7707b32401e1945b630680e07d9eac2cf22
SHA512 cf91b51ba07aa514fc9415e1d451947b0956d6ee78fb8410b78e9a12201850ed2e6c0d1e92eff380740c11f8a3f435c8a1bbcb80a6ef390a8a7970c1e5f73a92

memory/1180-2129-0x00000000000C0000-0x00000000000F0000-memory.dmp

memory/1180-2130-0x0000000004860000-0x0000000004866000-memory.dmp