Malware Analysis Report

2024-11-13 18:05

Sample ID 241110-b4w7kszkfl
Target 7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93
SHA256 7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93
Tags
healer redline maza discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93

Threat Level: Known bad

The file 7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93 was found to be: Known bad.

Malicious Activity Summary

healer redline maza discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

Redline family

Modifies Windows Defender Real-time Protection settings

Healer family

RedLine payload

Healer

RedLine

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:42

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:42

Reported

2024-11-10 01:45

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

Windows security modification

evasion trojan

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i98174832.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i87601930.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i35293944.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i78992619.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i87601930.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i35293944.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i78992619.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b39310875.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i98174832.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4896 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i98174832.exe
PID 4896 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i98174832.exe
PID 4896 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i98174832.exe
PID 2756 wrote to memory of 5112 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i98174832.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i87601930.exe
PID 2756 wrote to memory of 5112 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i98174832.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i87601930.exe
PID 2756 wrote to memory of 5112 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i98174832.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i87601930.exe
PID 5112 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i87601930.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i35293944.exe
PID 5112 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i87601930.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i35293944.exe
PID 5112 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i87601930.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i35293944.exe
PID 4060 wrote to memory of 3492 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i35293944.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i78992619.exe
PID 4060 wrote to memory of 3492 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i35293944.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i78992619.exe
PID 4060 wrote to memory of 3492 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i35293944.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i78992619.exe
PID 3492 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i78992619.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe
PID 3492 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i78992619.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe
PID 3492 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i78992619.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe
PID 3492 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i78992619.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b39310875.exe
PID 3492 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i78992619.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b39310875.exe
PID 3492 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i78992619.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b39310875.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93.exe

"C:\Users\Admin\AppData\Local\Temp\7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i98174832.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i98174832.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i87601930.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i87601930.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i35293944.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i35293944.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i78992619.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i78992619.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1428 -ip 1428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b39310875.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b39310875.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 185.161.248.73:4164 | | tcp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
RU | 185.161.248.73:4164 | | tcp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
RU | 185.161.248.73:4164 | | tcp
RU | 185.161.248.73:4164 | | tcp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
RU | 185.161.248.73:4164 | | tcp
RU | 185.161.248.73:4164 | | tcp
US | 8.8.8.8:53 | | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i98174832.exe

MD5 3c98863833f7aff1acd4bff0efb307f1
SHA1 656a7cb936d6259d34a213726cdf8b5b523bfe97
SHA256 341acf51528ad025d37942ca95d59951251a1a0be2481bc67c77890900489e48
SHA512 872ad99d20d10c184f1e1349e573541cb4eb9d8dc4ed06130b068e989806a232be5c64a58acda968ba000bce45b1f6bd5c8de747df95719cf2aa5a5978fdece7

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i87601930.exe

MD5 b402b9b957eedae731e6788176d04a6c
SHA1 0d73034cd207695202a31b04ec78a44bac91a564
SHA256 a72d9c94332ccb234e04b2709f59c59dcbb5c1010d5fc735318a86ebe2144b3e
SHA512 fd65a56c29021dcb67752d4c797b593c94b228d99879738544772a78d24f9ded0480a5ee8271e93fd08ac804c5700f5aa1afb6e4b4c43f6cde07cc4835fb9cae

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i35293944.exe

MD5 72723222ddbf76f6e4bb67b780697991
SHA1 223647d8a4af3e509ed6f0868daf728c952abbf8
SHA256 f296f95567a42a829b71590870e72de0ce023f4f7b9d7c76a1470345072c3d73
SHA512 0694ce1467b1f1f6c974a2d0541096752a62202fe63e30e8799fd048244ec2da24ee8cf1e9ddfb794846b3316a25ddf64cb5b2ed8a4ed8cd435287f75e8647d2

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i78992619.exe

MD5 4ceaababa053a38b19ad1df4dd401db0
SHA1 e4e119fa4cb9d5debd5bb7cc3c00d9daf5bc0897
SHA256 855751103c09f7a38813db03fa1ede42a70b864994072f48e07e423ff87263b7
SHA512 8b0f0b433fa010feb4ac5b3a8c625801b1055ff9cd8e1c3c3557d71696a2c1178ef8831711548e34d0ca316b4fd5e7a5e6a55871235410ad24bcce349795b60a

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe

MD5 b497921f7dcb828b7b38daa1eaf7158d
SHA1 cce97fdc1d8a77a52ef5cb29597eb83863c2f4a6
SHA256 30c09deb736f1c9accdad3875587ab5654850929f90839f84aa47480968f6ecb
SHA512 75c6a8fc7f04c161eab6779520a0bfc9fcd789bcc78e6a9d3f6bc991407793bab00964864bfaaa5f31007d0a13fe0dd011339122c7694914cf9b1da5dfdf05a1

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b39310875.exe

MD5 c53ccc3e6ee89031dcb6760cdd081ad4
SHA1 c8ea70aa2d2043a2077e4cbaa593581c8b39e9aa
SHA256 886adce7dcfc2e7fca15ac78afa9947db515cf7c36c7e997fdefb9d5fb5be1fc
SHA512 2f24d77e2fb522e9a8b537d560987140d64460e2eb909ccb18a599076633a7796d8fc195435d9910007a452fb7dcab3f1315d20b11c940363e9891aad3134548
