Malware Analysis Report

2024-11-15 09:57

Sample ID 241110-b6h3qszlbm
Target 60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39
SHA256 60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39

Threat Level: Known bad

The file 60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Healer

RedLine payload

RedLine

Redline family

Detects Healer an antivirus disabler dropper

Healer family

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:45

Reported

2024-11-10 01:47

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un851024.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5064 set thread context of 1496 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si636532.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un851024.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4244 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un851024.exe
PID 4244 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un851024.exe
PID 4244 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un851024.exe
PID 1820 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un851024.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe
PID 1820 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un851024.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe
PID 1820 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un851024.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe
PID 1820 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un851024.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe
PID 1820 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un851024.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe
PID 1820 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un851024.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe
PID 5064 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe
PID 5064 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe
PID 5064 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe
PID 5064 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe
PID 5064 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe
PID 5064 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe
PID 5064 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe
PID 5064 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe
PID 5064 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe
PID 4244 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si636532.exe
PID 4244 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si636532.exe
PID 4244 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si636532.exe

Processes

C:\Users\Admin\AppData\Local\Temp\60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39.exe

"C:\Users\Admin\AppData\Local\Temp\60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un851024.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un851024.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1112 -ip 1112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si636532.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si636532.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 72.208.201.84.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un851024.exe

MD5 923dd840d11ad83a7b8a0aa0ec580bd9
SHA1 998c072ba8715c67129b0d4c2e47402b316778ab
SHA256 2ee4de028dbab8107c78417ed2820c7938a19b036a4ac19ffe323b4bf121f8f2
SHA512 487e6e25cc437077e42f3c138f216d5956e8d26152d03bda268f6afe606be64585dd39f45dbbd117ad3a6aeb027466a77b1203b9d2291a5c8c3e1e99c6f62a15

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe

MD5 e316c2de777d55b98eb76fa4b278de7f
SHA1 11cac13b2850abeef8d1d359f24fb7865173f6dd
SHA256 bc3e53579b9cde6683fa8d45c6e62e53c6c337e9f0f44ff7808ab58474060c17
SHA512 ef9c8ea766877b8ae7413d17d565a6a43af6f641fe8e344a0036cd8eb0ac060a3a98c7ce7aa21ffdd7242b4b44d187ab64e966d7af4e50db58bc64d21d6e4104

memory/1112-15-0x0000000000480000-0x0000000000580000-memory.dmp

memory/1112-16-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1112-17-0x0000000000400000-0x0000000000455000-memory.dmp

memory/1112-18-0x0000000000400000-0x0000000000455000-memory.dmp

memory/1112-19-0x0000000002330000-0x000000000234A000-memory.dmp

memory/1112-20-0x00000000049A0000-0x0000000004F44000-memory.dmp

memory/1112-21-0x0000000004FB0000-0x0000000004FC8000-memory.dmp

memory/1112-22-0x0000000004FB0000-0x0000000004FC3000-memory.dmp

memory/1112-49-0x0000000004FB0000-0x0000000004FC3000-memory.dmp

memory/1112-47-0x0000000004FB0000-0x0000000004FC3000-memory.dmp

memory/1112-46-0x0000000004FB0000-0x0000000004FC3000-memory.dmp

memory/1112-44-0x0000000004FB0000-0x0000000004FC3000-memory.dmp

memory/1112-41-0x0000000004FB0000-0x0000000004FC3000-memory.dmp

memory/1112-40-0x0000000004FB0000-0x0000000004FC3000-memory.dmp

memory/1112-37-0x0000000004FB0000-0x0000000004FC3000-memory.dmp

memory/1112-35-0x0000000004FB0000-0x0000000004FC3000-memory.dmp

memory/1112-33-0x0000000004FB0000-0x0000000004FC3000-memory.dmp

memory/1112-31-0x0000000004FB0000-0x0000000004FC3000-memory.dmp

memory/1112-29-0x0000000004FB0000-0x0000000004FC3000-memory.dmp

memory/1112-27-0x0000000004FB0000-0x0000000004FC3000-memory.dmp

memory/1112-25-0x0000000004FB0000-0x0000000004FC3000-memory.dmp

memory/1112-23-0x0000000004FB0000-0x0000000004FC3000-memory.dmp

memory/1112-50-0x0000000000480000-0x0000000000580000-memory.dmp

memory/1112-51-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1112-54-0x0000000000400000-0x0000000000455000-memory.dmp

memory/1112-55-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe

MD5 bf70b37bcbd0f719e03a982c6c588d77
SHA1 32a932047845ebe2a8a2b22d48dc2af192a18d91
SHA256 17ed923cb1e879ec89be82253dbfda9a6d14d4f1272706bd340f589df2874279
SHA512 27e03eabf35e3c507fb943b4953e1919c386ef986683d81e650a0dda5185907eb032e1acb3fa493f8e768b36439ddf61e2cfea76979d001c4986a609f588e0bd

memory/1496-60-0x0000000000400000-0x0000000000449000-memory.dmp

memory/1496-64-0x0000000000400000-0x0000000000449000-memory.dmp

memory/1496-62-0x0000000000400000-0x0000000000449000-memory.dmp

memory/1496-68-0x00000000021F0000-0x000000000222C000-memory.dmp

memory/1496-70-0x0000000004A50000-0x0000000004A8A000-memory.dmp

memory/2160-69-0x0000000000E70000-0x0000000000E98000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si636532.exe

MD5 e1c805d3cefe221689da30b8a2d944f2
SHA1 a9a94fd89ed22c2a127c81f6e57f822eae1d9f26
SHA256 32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a
SHA512 7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

memory/1496-72-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/1496-100-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/1496-98-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/1496-96-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/1496-95-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/1496-92-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/1496-90-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/1496-89-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/1496-86-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/1496-84-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/1496-82-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/1496-80-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/1496-78-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/1496-76-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/1496-74-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/1496-71-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/2160-282-0x0000000008160000-0x0000000008778000-memory.dmp

memory/2160-465-0x0000000007D00000-0x0000000007E0A000-memory.dmp

memory/2160-713-0x0000000007C30000-0x0000000007C6C000-memory.dmp

memory/2160-464-0x0000000007BD0000-0x0000000007BE2000-memory.dmp

memory/2160-867-0x0000000005070000-0x00000000050BC000-memory.dmp