Malware Analysis Report

2024-11-15 09:57

Sample ID 241110-b6bzesxarf
Target e33a0931c7ecdfa2e4181687e2f22256d8bd026caa4346948937d5c363960091
SHA256 e33a0931c7ecdfa2e4181687e2f22256d8bd026caa4346948937d5c363960091
Tags
healer redline boris discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e33a0931c7ecdfa2e4181687e2f22256d8bd026caa4346948937d5c363960091

Threat Level: Known bad

The file e33a0931c7ecdfa2e4181687e2f22256d8bd026caa4346948937d5c363960091 was found to be: Known bad.

Malicious Activity Summary

healer redline boris discovery dropper evasion infostealer persistence trojan

Healer

Redline family

RedLine

Healer family

Detects Healer, an antivirus disabler dropper

RedLine payload

Modifies Windows Defender Real-time Protection settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:44

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:44

Reported

2024-11-10 01:47

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e33a0931c7ecdfa2e4181687e2f22256d8bd026caa4346948937d5c363960091.exe"

Signatures

Detects Healer, an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2057.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2057.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2057.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2057.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2057.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2057.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2057.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2057.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\e33a0931c7ecdfa2e4181687e2f22256d8bd026caa4346948937d5c363960091.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un001493.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un001493.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2057.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6732.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e33a0931c7ecdfa2e4181687e2f22256d8bd026caa4346948937d5c363960091.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2057.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2057.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2057.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6732.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3100 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\e33a0931c7ecdfa2e4181687e2f22256d8bd026caa4346948937d5c363960091.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un001493.exe
PID 3100 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\e33a0931c7ecdfa2e4181687e2f22256d8bd026caa4346948937d5c363960091.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un001493.exe
PID 3100 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\e33a0931c7ecdfa2e4181687e2f22256d8bd026caa4346948937d5c363960091.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un001493.exe
PID 4784 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un001493.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2057.exe
PID 4784 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un001493.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2057.exe
PID 4784 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un001493.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2057.exe
PID 4784 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un001493.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6732.exe
PID 4784 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un001493.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6732.exe
PID 4784 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un001493.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6732.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e33a0931c7ecdfa2e4181687e2f22256d8bd026caa4346948937d5c363960091.exe

"C:\Users\Admin\AppData\Local\Temp\e33a0931c7ecdfa2e4181687e2f22256d8bd026caa4346948937d5c363960091.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un001493.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un001493.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2057.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2057.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1196 -ip 1196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6732.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6732.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un001493.exe

MD5 4ec9f824623660956a131879c93f4b80
SHA1 d7093fe29f002e20ef1aa8157724f2bca301225f
SHA256 6a18da4ba7494e2fe26fe7b76b5959382b518c024c7d96ca066818a581555374
SHA512 b95f043ac9578b1de4450876ac4bbf3645f0165f29a04a767933eec75e9a3f73cb0fe9cb8b86130238fa1e69d17c7f9e5114e57dc9fdfb8dbc0d7219859d9e35

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2057.exe

MD5 c393ec35c5337ea8afcfaff51ed63446
SHA1 8ff6ae9f85572ffb38d179578e345add3390dfca
SHA256 53a694f0d8b47c8877253d704da06c56f43d24c160af6273a41142eb295e69cb
SHA512 7451bab87db8da651461d37eb471ee824a5d48f2dfee12bc18b10c78b6f4ba1978b6f71b209311598bba2889533cea4ae595b61cbd3f7f303e3a964821304def

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6732.exe

MD5 7a82918f0927f2d2fac7422d07d97774
SHA1 fdd12aac8cddd13060d96c4386ff2a31d63465c9
SHA256 399864e008dd22d4e8bd822af3772d4ae33bda196528f78e3a1ccde84a8eabd7
SHA512 1ad2d703c94ade7f60987be170c0b9056bd9b445fd66531109f6577f32e40d6ee3933663797262fbe8b50fe0254e596b29d7bb5efd5bb58248b9917f6b3feecc
