Malware Analysis Report

2024-11-15 09:57

Sample ID 241110-b6e13szlbj
Target 57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b
SHA256 57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b
Tags
healer redline ramon discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b

Threat Level: Known bad


Malicious Activity Summary

healer redline ramon discovery dropper evasion infostealer persistence trojan

Healer family

Healer

Modifies Windows Defender Real-time Protection settings

RedLine payload

Detects Healer, an antivirus disabler dropper

Redline family

RedLine

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15. The sandbox export carried no technique table; the techniques below are mapped from the signature names and registry paths recorded in behavioral1:

T1562.001 Impair Defenses: Disable or Modify Tools. bTV34RD30.exe writes the Real-Time Protection policy values and clears the TamperProtection flag.
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder. RunOnce values wextract_cleanup0 to wextract_cleanup3 (cleanup entries written by the IExpress self-extractor rather than a relaunch of the malware).
T1614.001 System Location Discovery: System Language Discovery. Every stage opens HKLM\SYSTEM\ControlSet001\Control\NLS\Language.
T1057 Process Discovery. bTV34RD30.exe enumerates running processes.

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:45

Signatures

Unsigned PE

Description Indicator Process Target
1 match; no details exported (N/A in every field)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:45

Reported

2024-11-10 01:47

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
2 matches; no details exported (N/A in every field)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
The writes go under HKLM\SOFTWARE\Policies, the Group Policy location, so Defender reads them as administrator-set policy; they need write access to HKLM, which the sandbox account had. The report records the write, not its effect: on a host with Tamper Protection enabled, Defender ignores or reverts these values, and the TamperProtection = 0 write listed under Windows security modification does not switch Tamper Protection off on such a host.
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
36 matches; no details exported (N/A in every field)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe N/A
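
Detection logic for the Defender registry writes recorded above (the five Real-Time Protection policy values and the TamperProtection flag). This is an added example written for this report, not sandbox code: it checks Sysmon Event ID 13 (RegistryEvent, Value Set) records, and the SAMPLE_EVENTS list is constructed to mirror the report's rows plus benign noise that must not fire.

```python
"""Flag registry writes that switch off Microsoft Defender components.

Added example for this report, not sandbox output. Checks Sysmon Event ID 13
(RegistryEvent, Value Set) records; SAMPLE_EVENTS is constructed from the
report's rows plus two benign events.
"""
import re
from dataclasses import dataclass

# Policy values Healer set to 1; each one disables a Defender component.
RTP_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableOnAccessProtection",
    "DisableIOAVProtection",
    "DisableScanOnRealtimeEnable",
}
# Feature flag Healer set to 0.
TAMPER_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features"
TAMPER_VALUE = "TamperProtection"


@dataclass(frozen=True)
class Finding:
    image: str
    value: str
    data: int
    reason: str


def normalize_key(path: str) -> str:
    """Map the kernel spelling used by the sandbox (\\REGISTRY\\MACHINE\\...) and the
    HKLM spelling used by Sysmon onto one form, and drop the WOW6432Node
    redirection that 32-bit writers such as these droppers go through."""
    path = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    path = re.sub(r"^HKEY_LOCAL_MACHINE\\", r"HKLM\\", path, flags=re.I)
    return re.sub(r"\\WOW6432Node(?=\\)", "", path, flags=re.I)


def parse_dword(details: str):
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; the sandbox report as "1".
    Return the integer, or None for string data (a RunOnce command, for example)."""
    m = re.fullmatch(r"DWORD \(0x([0-9a-fA-F]+)\)", details.strip())
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r'"?(\d+)"?', details.strip())
    return int(m.group(1)) if m else None


def check_registry_event(image: str, target_object: str, details: str):
    """Return a Finding when one Value Set event disables a Defender component, else None."""
    key, _, value = normalize_key(target_object).rpartition("\\")
    data = parse_dword(details)
    if data is None:
        return None
    if key.lower() == RTP_POLICY_KEY.lower() and value in RTP_DISABLE_VALUES and data == 1:
        return Finding(image, value, data, "Defender real-time protection component disabled via policy key")
    if key.lower() == TAMPER_KEY.lower() and value == TAMPER_VALUE and data == 0:
        return Finding(image, value, data, "Defender TamperProtection flag cleared")
    return None


def scan(events):
    """Apply check_registry_event to a list of event dicts; return findings in order."""
    findings = []
    for ev in events:
        f = check_registry_event(ev["Image"], ev["TargetObject"], ev["Details"])
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample events: three modelled on the report, two benign ones that must not match.
HEALER = r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe"
SAMPLE_EVENTS = [
    {"Image": HEALER,
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"Image": HEALER,
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection",
     "Details": '"1"'},
    {"Image": HEALER,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection",
     "Details": "DWORD (0x00000000)"},
    # An administrator re-enabling the component: same value name, data 0.
    {"Image": r"C:\Windows\System32\gpupdate.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    # The extractor's RunOnce cleanup value: wrong key and string data.
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTJ31jO62.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1",
     "Details": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"'},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.reason}: {f.value}={f.data} by {f.image}")
```

Fed with real Sysmon events (Image, TargetObject and Details are the field names Sysmon uses), the same three events fire and the two benign ones stay quiet. Matching on the value data as well as the name is what keeps an administrator resetting a value to 0 from being reported as an attack.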

Adds Run key to start application

persistence
The four RunOnce values are the cleanup entries that the Windows IExpress self-extractor (wextract) writes for each package it unpacks: at the next logon, rundll32 calls advpack.dll,DelNodeRunDLL32 to delete the IXP00n.TMP extraction directory, and RunOnce removes the value once it has run. They delete files rather than relaunching anything, so the persistence tag is the sandbox's generic RunOnce rule firing. What the entries do show is the packaging: IXP000.TMP through IXP003.TMP means the sample is four nested self-extracting archives, each extracting and executing the next, with the two final executables (bTV34RD30.exe and cyg96SF31.exe) in the innermost one.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTJ31jO62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptd85Or28.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cyg96SF31.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTJ31jO62.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptd85Or28.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cyg96SF31.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 404 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTJ31jO62.exe
PID 404 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTJ31jO62.exe
PID 404 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTJ31jO62.exe
PID 3256 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTJ31jO62.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptd85Or28.exe
PID 3256 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTJ31jO62.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptd85Or28.exe
PID 3256 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTJ31jO62.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptd85Or28.exe
PID 4600 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptd85Or28.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe
PID 4600 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptd85Or28.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe
PID 4600 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptd85Or28.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe
PID 1708 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe
PID 1708 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe
PID 1708 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cyg96SF31.exe
PID 1708 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cyg96SF31.exe
PID 1708 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cyg96SF31.exe
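
The rows above record each parent writing into the child it has just spawned, so taken together they are a parent-to-child map of the whole chain. The script below, an added example written for this report and not sandbox code, parses the rows (REPORT_ROWS is copied from the table, repeated rows included), collapses the repeats, numbers each process by its IXP00n.TMP extraction stage, and rejects the one case the table format cannot express cleanly: two different processes writing into the same target, which would be cross-process injection rather than spawning.

```python
"""Rebuild the dropper chain from the report's WriteProcessMemory rows.

Added example for this report, not sandbox output. REPORT_ROWS is copied
from the Suspicious use of WriteProcessMemory table.
"""
import re
from collections import defaultdict

REPORT_ROWS = r"""
PID 404 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTJ31jO62.exe
PID 404 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTJ31jO62.exe
PID 404 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTJ31jO62.exe
PID 3256 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTJ31jO62.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptd85Or28.exe
PID 3256 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTJ31jO62.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptd85Or28.exe
PID 3256 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTJ31jO62.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptd85Or28.exe
PID 4600 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptd85Or28.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe
PID 4600 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptd85Or28.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe
PID 4600 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptd85Or28.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe
PID 1708 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe
PID 1708 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe
PID 1708 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cyg96SF31.exe
PID 1708 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cyg96SF31.exe
PID 1708 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cyg96SF31.exe
"""

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Return (parent_of, image): child PID -> parent PID, and PID -> image path.
    Repeated rows (several writes into the same child) collapse to one edge."""
    parent_of, image = {}, {}
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        ppid, cpid, ppath, cpath = int(m[1]), int(m[2]), m[3], m[4]
        image.setdefault(ppid, ppath)
        image.setdefault(cpid, cpath)
        if parent_of.setdefault(cpid, ppid) != ppid:
            # Two different writers into one process is injection, not spawning.
            raise ValueError(f"PID {cpid} written by both {parent_of[cpid]} and {ppid}")
    return parent_of, image


def stage_of(path):
    """IXP000.TMP .. IXP003.TMP are the nested extraction directories; 0 = the submitted file."""
    m = re.search(r"\\IXP(\d{3})\.TMP\\", path)
    return int(m[1]) + 1 if m else 0


def build_tree(parent_of):
    """Return (roots, children): PIDs with no recorded parent, and parent PID -> child PIDs."""
    children = defaultdict(list)
    for child, parent in parent_of.items():
        children[parent].append(child)
    roots = sorted(p for p in set(parent_of.values()) if p not in parent_of)
    return roots, children


def leaves(parent_of):
    """PIDs that spawned nothing: the final payloads."""
    _, children = build_tree(parent_of)
    return sorted(p for p in parent_of if not children[p])


def render(parent_of, image):
    """Indented text tree with the extraction stage of each process."""
    roots, children = build_tree(parent_of)
    lines = []

    def walk(pid, depth):
        basename = image[pid].rsplit("\\", 1)[-1]
        lines.append(f"{'  ' * depth}{pid}  stage {stage_of(image[pid])}  {basename}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    parent_of, image = parse_rows(REPORT_ROWS)
    print(render(parent_of, image))
    print("payloads:", leaves(parent_of))
```

The tree comes out as a single line of descent 404, 3256, 4600, 1708 (stages 0 to 3) that forks at stage 4 into 3896 (bTV34RD30.exe) and 4132 (cyg96SF31.exe), the two processes with no children, which is where the Defender writes and the bulk of the memory dumps in this report come from.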

Processes

C:\Users\Admin\AppData\Local\Temp\57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b.exe

"C:\Users\Admin\AppData\Local\Temp\57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTJ31jO62.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTJ31jO62.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptd85Or28.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptd85Or28.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cyg96SF31.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cyg96SF31.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
RU 193.233.20.23:4123 - tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
RU 193.233.20.23:4123 - tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 193.233.20.23:4123 - tcp
RU 193.233.20.23:4123 - tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
RU 193.233.20.23:4123 - tcp
RU 193.233.20.23:4123 - tcp

The udp rows are reverse-DNS (PTR) queries sent to 8.8.8.8; each in-addr.arpa name is an IPv4 address with its octets reversed (228.249.119.40.in-addr.arpa asks about 40.119.249.228). The six tcp rows are repeated connections to the single non-DNS endpoint, 193.233.20.23:4123, which has no domain name in the capture; the report does not record which process made them.
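
A small triage pass over the table above, added as an example for this report (not sandbox output): it decodes the PTR names back into the addresses being looked up, validates them, counts connections per endpoint, and applies one heuristic of mine, not the report's, to pick a command-and-control candidate: an endpoint contacted repeatedly on a port other than 80 or 443 with no DNS name in the capture. NETWORK_ROWS is copied from the table.

```python
"""Triage the report's Network table: decode PTR lookups and count connections.

Added example for this report, not sandbox output. NETWORK_ROWS is copied from
the table above; the C2 heuristic in triage() is an assumption of this example.
"""
import re
from collections import Counter

NETWORK_ROWS = """
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
RU 193.233.20.23:4123 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
RU 193.233.20.23:4123 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 193.233.20.23:4123 tcp
RU 193.233.20.23:4123 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
RU 193.233.20.23:4123 tcp
RU 193.233.20.23:4123 tcp
"""


def ptr_to_ip(name):
    """'228.249.119.40.in-addr.arpa' -> '40.119.249.228'; None if not a valid IPv4 PTR name."""
    m = re.fullmatch(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?", name, re.I)
    if not m:
        return None
    octets = [int(o) for o in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in reversed(octets))


def parse_network_rows(text):
    """Parse the flattened table; tcp rows have no Domain column, so they carry 3 fields."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, None
        else:
            continue
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def triage(rows):
    """Return the endpoints contacted directly (with connection counts), the addresses the
    host looked up in reverse DNS, and the C2 candidates under this example's heuristic:
    more than one connection, non-web port, no domain name in the capture."""
    direct = Counter(r["dest"] for r in rows if r["proto"] == "tcp")
    reverse_lookups = [ip for ip in (ptr_to_ip(r["domain"]) for r in rows if r["domain"]) if ip]
    c2_candidates = [
        dest for dest, n in direct.items()
        if n > 1 and int(dest.rsplit(":", 1)[1]) not in (80, 443)
    ]
    return {"direct": dict(direct), "reverse_lookups": reverse_lookups, "c2_candidates": c2_candidates}


if __name__ == "__main__":
    result = triage(parse_network_rows(NETWORK_ROWS))
    for dest, n in result["direct"].items():
        print(f"{dest}: {n} connections")
    print("reverse lookups for:", ", ".join(result["reverse_lookups"]))
    print("C2 candidates:", result["c2_candidates"])
```

On this table the only direct endpoint is 193.233.20.23:4123 with six connections, and the seven PTR queries resolve to 40.119.249.228, 199.232.210.172, 192.229.221.95, 40.126.31.73, 52.140.118.28, 2.23.210.88 and 52.111.229.48; those addresses are worth checking against the sandbox's own baseline traffic before treating any of them as an indicator, since the capture does not tie them to a process.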

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTJ31jO62.exe

MD5 0cc645bfebbee83ae73f2ac67a44e234
SHA1 4458ddc13d90bc8399e5cc547e14a2845a9dcaf5
SHA256 7420260bf221aa05d429e7f4bd9ce6b0b4070baa410944869dbb17d3b6f8e10f
SHA512 d8b32d5550f147b703dc86600de7c2bc6cec826d37a7dce71770dcc03b38622988710eb613fc08fd246d2d81517c239d9c1d78b09a091f8782d187fa9251e557

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptd85Or28.exe

MD5 3eb3cccf02026e0dd174dac928d3a81d
SHA1 7a7048c147a524452ea36c86286b77e3564cfd32
SHA256 454ede7721a8519b453335674e0f18bbcd9b7c2202cc0391d8880aca37af3752
SHA512 9a016e66b13bfe5d13d177b26b49dfa1ca6322551b9aa78c5d7da442b3c55911dace26237226ab4e9704062471066491306dfeb8d0ed20d4b01bf36e2c554a6c

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe

MD5 8312e11efc3b3e96080fd917e04a70a7
SHA1 0e7d59876755c8891cbf706748d0abde231b97fa
SHA256 1c9b912ec71b43c46f45cd154e27b8cb3edd93f44a49a1b9f02d594bad6d2da2
SHA512 ae62ced526d11d0c6f2c93962834a7ddd92a9b8b2b045bee17213515a7edc614880940943b66854ae0ed989ba3ab03ea33543bdea00bdc4d62c57203797ad4e8

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe

MD5 4759c87cb8aae3b368ce489ed3888406
SHA1 428b9a715af61d129a9a86145884f344a557f1aa
SHA256 48ebc806315e6f54059fd03b98c5c853e0e3a457b1f1d8dc6fa61f57470b7f62
SHA512 e8b16bbc37b67efcbee78d2085487f57d909e4e84160e6fbef838a403f5642d86b330db35ea0887b89629176ed684a8d2c4ef76a32724dbb4b35aead6ef16d04

memory/3896-28-0x0000000000F00000-0x0000000000F0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cyg96SF31.exe

MD5 43808d4cb75be409d7906b2dd00a55cb
SHA1 7c05ec44a25709bbf577a9a2b64305148267a461
SHA256 6376d0c48599313b92671dd50ea2d30842c10ac8e3a7943d4f4e6d017fb5a4c7
SHA512 44f4232365eb392b55cd0bbdcdd1f4dc4c9f5f2a9b2f698258b26a5f25dfdbaf422498c0f21a8dc7a2fb2a81611e8c9b192c2c2db2486f8240f28809ae3f9609

memory/4132-34-0x00000000024C0000-0x0000000002506000-memory.dmp

memory/4132-35-0x0000000004D50000-0x00000000052F4000-memory.dmp

memory/4132-36-0x0000000004CB0000-0x0000000004CF4000-memory.dmp

memory/4132-N-0x0000000004CB0000-0x0000000004CEE000-memory.dmp (33 dumps of this one region, N = 37, 38, 40, 42, 44, 47, 48, 50, 52, 54, 56, 58, 61, 62, 64, 66, 68, 70, 72, 74, 76, 78, 80, 82, 84, 86, 88, 90, 92, 94, 96, 98, 100)

memory/4132-943-0x0000000005310000-0x0000000005928000-memory.dmp

memory/4132-944-0x00000000059B0000-0x0000000005ABA000-memory.dmp

memory/4132-945-0x0000000005AF0000-0x0000000005B02000-memory.dmp

memory/4132-946-0x0000000005B10000-0x0000000005B4C000-memory.dmp

memory/4132-947-0x0000000005C60000-0x0000000005CAC000-memory.dmp