Malware Analysis Report

2024-11-15 09:57

Sample ID 241110-b5m1aswhjj
Target d04da2f02bd3b4f90ce3e2def12684d50ca1cb61f228d97bd6e3cda7682b9886
SHA256 d04da2f02bd3b4f90ce3e2def12684d50ca1cb61f228d97bd6e3cda7682b9886
Tags
healer redline rumfa discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

d04da2f02bd3b4f90ce3e2def12684d50ca1cb61f228d97bd6e3cda7682b9886

Threat Level: Known bad

The file d04da2f02bd3b4f90ce3e2def12684d50ca1cb61f228d97bd6e3cda7682b9886 was found to be: Known bad.

Malicious Activity Summary

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Healer

Healer family

RedLine payload

Redline family

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

RedLine

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:43

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:43

Reported

2024-11-10 01:46

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d04da2f02bd3b4f90ce3e2def12684d50ca1cb61f228d97bd6e3cda7682b9886.exe"

Signatures

Detects Healer an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buzs11NX83.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buzs11NX83.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buzs11NX83.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buzs11NX83.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buzs11NX83.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buzs11NX83.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buzs11NX83.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plzI91tT83.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pluF45LF77.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpf85uR70.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\d04da2f02bd3b4f90ce3e2def12684d50ca1cb61f228d97bd6e3cda7682b9886.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plqj38xY71.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d04da2f02bd3b4f90ce3e2def12684d50ca1cb61f228d97bd6e3cda7682b9886.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plqj38xY71.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plzI91tT83.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pluF45LF77.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpf85uR70.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\catQ29Bo67.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buzs11NX83.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buzs11NX83.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\catQ29Bo67.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1844 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\d04da2f02bd3b4f90ce3e2def12684d50ca1cb61f228d97bd6e3cda7682b9886.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plqj38xY71.exe
PID 4864 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plqj38xY71.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plzI91tT83.exe
PID 1624 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plzI91tT83.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pluF45LF77.exe
PID 4972 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pluF45LF77.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpf85uR70.exe
PID 1868 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpf85uR70.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buzs11NX83.exe
PID 1868 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpf85uR70.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\catQ29Bo67.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d04da2f02bd3b4f90ce3e2def12684d50ca1cb61f228d97bd6e3cda7682b9886.exe

"C:\Users\Admin\AppData\Local\Temp\d04da2f02bd3b4f90ce3e2def12684d50ca1cb61f228d97bd6e3cda7682b9886.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plqj38xY71.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plzI91tT83.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pluF45LF77.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpf85uR70.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buzs11NX83.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\catQ29Bo67.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
RU 193.233.20.24:4123 tcp
RU 193.233.20.24:4123 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
RU 193.233.20.24:4123 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plqj38xY71.exe

MD5 c0053e31c324db2105ab52c26a206594
SHA1 85d130ea355e8b7ef065853364406e10b2f5e043
SHA256 80dfaf2707a30f38656cf44b5750258c4afe9b77bbc6978c32939fed950327e9
SHA512 a7e0751e9dc0c42a4da1749320327bcbe1db1308145b729f9c4b7bdb76b61d55e0f7d3adc1683b1a46cd9caadebd33187f68c358c5f58bc0dc5102f9101c8691

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plzI91tT83.exe

MD5 ead81aab5c72c0008a63cd730fd8ba68
SHA1 8f808674ff5718bfb625019d30c9c35293b6c8c3
SHA256 a6d3b1868954e1f77fd7724f33742f6391c7b2288410bb9d66de3be50393a07a
SHA512 bd6df85059194f31e5d51ff2d3ad35d23f8cdf8f1b117d0c8cff4096c23289094d30a86bcc7f0e4e55cbcf02d37dd5e81e08f64fba3b597e9d9725a7467a60a8

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pluF45LF77.exe

MD5 90fa26abbea9e64a4a6166fabd599f67
SHA1 17385c349ff4f15e1b3cd9851e2e7b6ccf864a3e
SHA256 5cecae691a9581f2145d6e9316a16e31d35a80a0908c4677561366081f2f0928
SHA512 f35e21946f8c32458a7fe6bf74940887f547a30c06d6213a8589e48a33b532a96b97b7beeb4d0de7b18ce1d5a5c42682b6e95de518eacc96d3c5e64110b42d28

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpf85uR70.exe

MD5 89085cf8b80e7f334fff4f34050ab249
SHA1 f19db77e77f2e3fb247ff6a15a6e04f71f95aa63
SHA256 ca202b199ce4628b4ea25c9390b44722eeba99f4b194afa29dd4b6202319f17d
SHA512 69406017ffc40eda7891d97980bd164ed6c8709b3e23cb534f13d4074b556b32e7fa9ee21022ad8f9122ee80fe0f19bf0d4a1960b16cb5a3b964df4c731f2aa4

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buzs11NX83.exe

MD5 1d11fb3a60485a4fc8e87ab6b11edf01
SHA1 82fe9d8c490142692afc8273df8e15828ed9253f
SHA256 1556efc221b6b09ac945bf9f586ed4e256cd77b710689a5d7a7f3161ea19d2b5
SHA512 80a17be977a596440da6809f1fdf05af08e03fb32dfc297577dda4ce69febc405edb488c860e7070e2207bb881f218a87db2b6254dcc87192c81ea11b168bac4

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\catQ29Bo67.exe

MD5 0699a3dd8a0bfbef309a3c474b22b56d
SHA1 8f8218184e8f28b14b8a3d5f828e28b9d8cd40a8
SHA256 0fe939fc94b4462887001499c9acd988653938b21d30b6eadfa023629edad178
SHA512 6dff28c979b7efeb3b8fccb98102b1adeaa5e31aebf01713c76f8055c7ac520bc8b37857f442e1d0de5d4b77295325b485cf8d53d72fd4d22091211de4ef26cd