Malware Analysis Report

2024-11-15 09:57

Sample ID 241110-b6kxbsxbjc
Target 1e7abcdf7bba9dba7555b7db59997ebd962e44368ff0284bcffe846463f5750e
SHA256 1e7abcdf7bba9dba7555b7db59997ebd962e44368ff0284bcffe846463f5750e
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1e7abcdf7bba9dba7555b7db59997ebd962e44368ff0284bcffe846463f5750e

Threat Level: Known bad

The file 1e7abcdf7bba9dba7555b7db59997ebd962e44368ff0284bcffe846463f5750e was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Redline family

Healer family

Detects Healer, an antivirus disabler dropper

RedLine payload

RedLine

Healer

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:45

Signatures

Unsigned PE

Description | Indicator | Process | Target
(no indicator details recorded; all fields N/A)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:45

Reported

2024-11-10 01:47

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1e7abcdf7bba9dba7555b7db59997ebd962e44368ff0284bcffe846463f5750e.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description | Indicator | Process | Target
(17 matches; indicator details not recorded, all fields N/A)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
(20 matches; indicator details not recorded, all fields N/A)

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1e7abcdf7bba9dba7555b7db59997ebd962e44368ff0284bcffe846463f5750e.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un142277.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un682737.exe | N/A
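The Defender Real-Time Protection rows, the TamperProtection row and the RunOnce rows above are the registry evidence an analyst has to score. The Python below is an added example (not sandbox code and not the sandbox's own signatures) that shows one way to do that: the five Disable* policy values and the TamperProtection=0 write by pr696125.exe map to ATT&CK T1562.001 (Disable or Modify Tools), while the wextract_cleanupN RunOnce entries are the hook that wextract/IExpress self-extractors register to delete their IXP*.TMP directory via advpack.dll,DelNodeRunDLL32, so they prove a nested self-extractor, not payload persistence, and are scored as informational. The rule patterns, the Finding class and the sample events are constructed for this example from the rows above. One caveat the code records: a logged Set value of TamperProtection=0 shows the attempt; when Tamper Protection is enabled, Defender does not honour that write, so treat it as intent rather than as confirmed disablement. The WOW6432Node prefix on every path indicates a 32-bit writer, consistent with SysWOW64\WerFault.exe handling the crash of pr696125.exe later in this report.

```python
"""Triage sandbox registry events for Defender tampering and Run-key persistence.

Added example; the rule set and the sample events are constructed from the
registry rows in this report, not taken from the sandbox's signatures.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegEvent:
    op: str           # "Set value (int)", "Set value (str)", "Key created", ...
    key: str          # full path; for "Set value" the last component is the value name
    data: str | None  # written data, None for key create/open
    process: str      # image path of the writing process


@dataclass(frozen=True)
class Finding:
    technique: str    # ATT&CK technique ID
    severity: str     # "high", "medium" or "info"
    process: str
    detail: str


# Hypothetical rule patterns written for this example.
DEFENDER_RTP = re.compile(
    r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\(Disable\w+)$", re.I)
DEFENDER_TAMPER = re.compile(
    r"\\Microsoft\\Windows Defender\\Features\\TamperProtection$", re.I)
RUN_KEY = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
WEXTRACT_CLEANUP = re.compile(r"^wextract_cleanup\d+$", re.I)


def classify(ev: RegEvent) -> Finding | None:
    """Map one registry event to a finding, or None if it is not interesting."""
    if not ev.op.startswith("Set value"):
        return None  # creating/opening a key is not actionable on its own
    m = DEFENDER_RTP.search(ev.key)
    if m and ev.data == "1":
        return Finding("T1562.001", "high", ev.process,
                       f"Defender real-time protection policy {m.group(1)}=1")
    if DEFENDER_TAMPER.search(ev.key) and ev.data == "0":
        # With Tamper Protection enabled Defender ignores this write, so record it
        # as an attempt rather than as proof that protection was disabled.
        return Finding("T1562.001", "high", ev.process, "TamperProtection=0 (attempt)")
    m = RUN_KEY.search(ev.key)
    if m:
        hive, name = m.group(1), m.group(2)
        if (hive.lower() == "runonce" and WEXTRACT_CLEANUP.match(name)
                and "advpack.dll,DelNodeRunDLL32" in (ev.data or "")):
            # wextract/IExpress self-extractors register this RunOnce entry to
            # delete their IXP*.TMP directory; it does not re-launch the payload.
            return Finding("T1547.001", "info", ev.process,
                           f"{name}: self-extractor temp-dir cleanup, not payload persistence")
        return Finding("T1547.001", "medium", ev.process, f"{hive}\\{name} = {ev.data}")
    return None


def triage(events: list[RegEvent]) -> tuple[list[Finding], list[str]]:
    """Return all findings plus the processes with 3+ high-severity Defender writes."""
    findings = [f for f in map(classify, events) if f is not None]
    high_per_proc: dict[str, int] = {}
    for f in findings:
        if f.severity == "high":
            high_per_proc[f.process] = high_per_proc.get(f.process, 0) + 1
    av_disablers = sorted(p for p, n in high_per_proc.items() if n >= 3)
    return findings, av_disablers


# Sample events constructed from the rows in this report.
TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TMP + r"\1e7abcdf7bba9dba7555b7db59997ebd962e44368ff0284bcffe846463f5750e.exe"
UN1, UN2, PR = (TMP + r"\IXP000.TMP\un142277.exe", TMP + r"\IXP001.TMP\un682737.exe",
                TMP + r"\IXP002.TMP\pr696125.exe")
SW = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node"
RTP = SW + r"\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES = SW + r"\Microsoft\Windows Defender\Features"
RUNONCE = SW + r"\Microsoft\Windows\CurrentVersion\RunOnce"
CLEANUP = r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "%s\IXP00%d.TMP\"'

SAMPLE_EVENTS = [
    *[RegEvent("Set value (int)", RTP + "\\" + v, "1", PR) for v in (
        "DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable", "DisableBehaviorMonitoring",
        "DisableIOAVProtection", "DisableOnAccessProtection")],
    RegEvent("Key created", RTP, None, PR),
    RegEvent("Key created", FEATURES, None, PR),
    RegEvent("Set value (int)", FEATURES + r"\TamperProtection", "0", PR),
    *[RegEvent("Set value (str)", RUNONCE + r"\wextract_cleanup%d" % i, CLEANUP % (TMP, i), p)
      for i, p in enumerate((SAMPLE, UN1, UN2))],
]

if __name__ == "__main__":
    found, disablers = triage(SAMPLE_EVENTS)
    for f in found:
        image = f.process.rsplit("\\", 1)[-1]
        print(f"[{f.severity:6}] {f.technique} {image}: {f.detail}")
    print("AV-disabler candidates:", disablers)
```

Run as a script it prints six high findings for pr696125.exe, three informational RunOnce findings for the three self-extractor layers, and pr696125.exe as the only AV-disabler candidate. The threshold of three high writes is a choice for this example; a single DisableRealtimeMonitoring=1 from an unsigned binary in %TEMP% already deserves a high score in production detection.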

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1e7abcdf7bba9dba7555b7db59997ebd962e44368ff0284bcffe846463f5750e.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un142277.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un682737.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu772365.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu772365.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2864 wrote to memory of 4544 | N/A | C:\Users\Admin\AppData\Local\Temp\1e7abcdf7bba9dba7555b7db59997ebd962e44368ff0284bcffe846463f5750e.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un142277.exe
PID 2864 wrote to memory of 4544 | N/A | C:\Users\Admin\AppData\Local\Temp\1e7abcdf7bba9dba7555b7db59997ebd962e44368ff0284bcffe846463f5750e.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un142277.exe
PID 2864 wrote to memory of 4544 | N/A | C:\Users\Admin\AppData\Local\Temp\1e7abcdf7bba9dba7555b7db59997ebd962e44368ff0284bcffe846463f5750e.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un142277.exe
PID 4544 wrote to memory of 1332 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un142277.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un682737.exe
PID 4544 wrote to memory of 1332 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un142277.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un682737.exe
PID 4544 wrote to memory of 1332 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un142277.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un682737.exe
PID 1332 wrote to memory of 1216 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un682737.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe
PID 1332 wrote to memory of 1216 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un682737.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe
PID 1332 wrote to memory of 1216 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un682737.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe
PID 1332 wrote to memory of 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un682737.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu772365.exe
PID 1332 wrote to memory of 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un682737.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu772365.exe
PID 1332 wrote to memory of 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un682737.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu772365.exe
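Three writes into each freshly created child are what ordinary process creation looks like to the monitor (the parent writing startup data into the new process), not injection; the value of this table is the parent-to-child chain it exposes. The Python below is an added example, not sandbox code, that rebuilds the chain from the rows exactly as written: the sample (2864) launches un142277.exe (4544), which launches un682737.exe (1332), which launches both pr696125.exe (1216) and qu772365.exe (1208). Together with the wextract_cleanup0/1/2 RunOnce entries written by the first three processes, that is three nested self-extractor layers (the IXP000/001/002.TMP directories) unpacking to a Defender-disabling stage and a final payload. The parser regex, the ROWS list and the PID labels are constructed here; the labels only repeat what other tables in this report record for those PIDs.

```python
"""Rebuild the dropper chain from sandbox WriteProcessMemory rows.

Added example; the parser and the PID labels are written for this report, not
taken from the sandbox. The input rows mirror the table above.
"""
import re
from collections import defaultdict

# Row shape: "PID <src> wrote to memory of <dst> N/A <src image> <dst image>"
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def parse_writes(lines):
    """Return (images, edges): pid -> image path, (parent_pid, child_pid) -> write count."""
    images, edges = {}, defaultdict(int)
    for line in lines:
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        src, dst, src_img, dst_img = m.groups()
        images[int(src)], images[int(dst)] = src_img, dst_img
        edges[(int(src), int(dst))] += 1
    return images, dict(edges)


def build_tree(edges):
    """Return (root pids, parent -> sorted child pids) from the write edges."""
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    written_to = {child for _, child in edges}
    roots = sorted({parent for parent, _ in edges} - written_to)
    return roots, {p: sorted(c) for p, c in children.items()}


def render(images, edges, labels=None):
    """Indented process tree, one line per process, with per-edge write counts."""
    roots, children = build_tree(edges)
    labels = labels or {}
    out = []

    def walk(pid, depth, writes):
        name = images[pid].rsplit("\\", 1)[-1]
        count = f" ({writes} writes from parent)" if writes else ""
        note = f"  <- {labels[pid]}" if pid in labels else ""
        out.append(f"{'  ' * depth}{name} [PID {pid}]{count}{note}")
        for child in children.get(pid, []):
            walk(child, depth + 1, edges[(pid, child)])

    for root in roots:
        walk(root, 0, 0)
    return out


# Constructed input: the 12 rows of the WriteProcessMemory table in this report.
TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TMP + r"\1e7abcdf7bba9dba7555b7db59997ebd962e44368ff0284bcffe846463f5750e.exe"
UN1, UN2 = TMP + r"\IXP000.TMP\un142277.exe", TMP + r"\IXP001.TMP\un682737.exe"
PR, QU = TMP + r"\IXP002.TMP\pr696125.exe", TMP + r"\IXP002.TMP\qu772365.exe"
ROWS = [f"PID {s} wrote to memory of {d} N/A {si} {di}"
        for s, d, si, di in ((2864, 4544, SAMPLE, UN1), (4544, 1332, UN1, UN2),
                             (1332, 1216, UN2, PR), (1332, 1208, UN2, QU))
        for _ in range(3)]

# Labels restate what other tables in this report record for these PIDs.
LABELS = {
    1216: "writes Defender Real-Time Protection policy and TamperProtection=0; crashed (WerFault -p 1216)",
    1208: "SeDebugPrivilege, no children; last stage of the chain",
}

if __name__ == "__main__":
    imgs, eds = parse_writes(ROWS)
    print("\n".join(render(imgs, eds, LABELS)))
```

The same parser works on any sandbox export that keeps this row shape; on a real incident the labels would come from the registry and token tables rather than being typed in, and a child with far more than three writes from its parent, or writes into a process it did not create, is the case to escalate as injection.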

Processes

Process tree, nested according to the WriteProcessMemory table above (each listed parent wrote to the child it launched; PIDs are those recorded there, WerFault PIDs were not recorded). Each entry gives the image path followed by its command line:

C:\Users\Admin\AppData\Local\Temp\1e7abcdf7bba9dba7555b7db59997ebd962e44368ff0284bcffe846463f5750e.exe (PID 2864)
    "C:\Users\Admin\AppData\Local\Temp\1e7abcdf7bba9dba7555b7db59997ebd962e44368ff0284bcffe846463f5750e.exe"

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un142277.exe (PID 4544)
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un142277.exe

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un682737.exe (PID 1332)
            C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un682737.exe

            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe (PID 1216)
                C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe

                C:\Windows\SysWOW64\WerFault.exe (crash reporting for PID 1216, per the -p argument)
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1216 -ip 1216

                C:\Windows\SysWOW64\WerFault.exe (crash reporting for PID 1216, per the -p argument)
                    C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1064

            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu772365.exe (PID 1208)
                C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu772365.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 185.161.248.153:38452 | - | tcp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp
RU | 185.161.248.153:38452 | - | tcp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
RU | 185.161.248.153:38452 | - | tcp
RU | 185.161.248.153:38452 | - | tcp
RU | 185.161.248.153:38452 | - | tcp
RU | 185.161.248.153:38452 | - | tcp
RU | 185.161.248.153:38452 | - | tcp
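Sixteen rows, but only one non-resolver destination: seven TCP sessions to 185.161.248.153:38452 with no DNS query before them, that is, an address and non-standard port embedded in the sample, which is the shape expected of a stealer's C2. The remaining rows are reverse (PTR) lookups through 8.8.8.8 whose names decode to addresses such as 20.106.86.13 and 40.126.31.73, largely Microsoft and CDN address space of the kind typically seen as sandbox background traffic; do not assume the sample issued them. The Python below is an added example, not sandbox output, that decodes the in-addr.arpa names and separates the two classes so the C2 candidate stands out. The row parser, decode_ptr and the embedded ROWS list are constructed from the table above.

```python
"""Summarise sandbox network rows: decode PTR lookups, isolate direct connections.

Added example for this report; the parser and the sample rows are constructed
from the Network table above and are not sandbox output in this form.
"""
import re
from collections import Counter

# Row shape: "<CC> <ip>:<port> [<domain>] <proto>", domain absent for direct connections
ROW_RE = re.compile(r"^(\w{2}) (\S+):(\d+)(?: (\S+))? (udp|tcp)$")


def decode_ptr(name):
    """'13.86.106.20.in-addr.arpa' -> '20.106.86.13'; None if not an IPv4 PTR name."""
    if not name or not name.endswith(".in-addr.arpa"):
        return None
    octets = name[: -len(".in-addr.arpa")].split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def summarise(rows):
    """Return (set of reverse-looked-up IPs, Counter of direct (country, ip, port, proto))."""
    looked_up, direct = set(), Counter()
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        country, ip, port, domain, proto = m.groups()
        target = decode_ptr(domain)
        if target and port == "53":
            looked_up.add(target)  # resolver traffic: PTR lookup of another address
        elif domain is None:
            direct[(country, ip, int(port), proto)] += 1  # connection with no DNS step
    return looked_up, direct


# Constructed from the 16 rows of the Network table in this report.
PTR_NAMES = ["8.8.8.8", "13.86.106.20", "88.210.23.2", "73.31.126.40", "95.221.229.192",
             "197.87.175.4", "198.187.3.20", "98.117.19.2", "228.249.119.40"]
ROWS = [f"US 8.8.8.8:53 {n}.in-addr.arpa udp" for n in PTR_NAMES] \
     + ["RU 185.161.248.153:38452 tcp"] * 7

if __name__ == "__main__":
    ips, conns = summarise(ROWS)
    print("PTR lookups for:", sorted(ips))
    for (cc, ip, port, proto), n in conns.most_common():
        print(f"direct {proto} {ip}:{port} [{cc}] x{n}  <- C2 candidate (no DNS resolution seen)")
```

For blocking, the direct endpoint is the indicator worth acting on; the decoded PTR targets are worth keeping only to show that nothing else left the host during the 150-second network window.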

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un142277.exe

MD5 164846ad2082c35af8d719dd1b49a0e6
SHA1 2e07a33bb23505f317e720ec2877e241ad2748b7
SHA256 5aa2f76898818c41e2db06456ecdd98322ece486a09c561fd1b8359b8823bba6
SHA512 3c3782ac79becd17226dfcfcc4fa509f3e9e4c78185f9a6b2635df4cd3787fcd52a9c2b2614f19be55430775a062df8709e95849a8f4ba52a7b8129535fb35b3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un682737.exe

MD5 6d5a9bd0db0c9d2720a71009f3416bbc
SHA1 394ad5bb5ad2422c08e5c39c60bf50ef5b9a2232
SHA256 b37c1d3dff5b305a0a43273f45b1e2ff37512c8297cbbc84b338276c38ec23e2
SHA512 4e1ee70b56e03385075aaa15b4190e3457c09bd1dca6c3dc3bcd95a6561d093b9bf18dc158a60944f8e7708ff7a8d7a35e6aee868d9545c8341429aa466fde62

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe

MD5 846591f285e04961098c5c11d20000fd
SHA1 1c8ca3a10e0be63a99620837dc7bf6b348354acf
SHA256 14a279e5b91a0c811af64e46e81a3567a47ad71ef2f925bc9f70abd70941d2bd
SHA512 c60cfd228e06159128430b39ba573f044acf9cb874ff4b48bef2471db617034249e0a4fa3b26af74e3f55987c61c5e02b37b39074bb311f6380d76bbd14c33cf

memory/1216-22-0x0000000004850000-0x000000000486A000-memory.dmp

memory/1216-23-0x00000000072D0000-0x0000000007874000-memory.dmp

memory/1216-24-0x0000000007150000-0x0000000007168000-memory.dmp

memory/1216-40-0x0000000007150000-0x0000000007162000-memory.dmp

memory/1216-28-0x0000000007150000-0x0000000007162000-memory.dmp

memory/1216-52-0x0000000007150000-0x0000000007162000-memory.dmp

memory/1216-50-0x0000000007150000-0x0000000007162000-memory.dmp

memory/1216-48-0x0000000007150000-0x0000000007162000-memory.dmp

memory/1216-46-0x0000000007150000-0x0000000007162000-memory.dmp

memory/1216-44-0x0000000007150000-0x0000000007162000-memory.dmp

memory/1216-42-0x0000000007150000-0x0000000007162000-memory.dmp

memory/1216-39-0x0000000007150000-0x0000000007162000-memory.dmp

memory/1216-36-0x0000000007150000-0x0000000007162000-memory.dmp

memory/1216-34-0x0000000007150000-0x0000000007162000-memory.dmp

memory/1216-32-0x0000000007150000-0x0000000007162000-memory.dmp

memory/1216-30-0x0000000007150000-0x0000000007162000-memory.dmp

memory/1216-26-0x0000000007150000-0x0000000007162000-memory.dmp

memory/1216-25-0x0000000007150000-0x0000000007162000-memory.dmp

memory/1216-53-0x0000000000400000-0x0000000002BB5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu772365.exe

MD5 91bbf73b496bf7085e86264edcbbdeb5
SHA1 934b2ca9f84d68572adff3c11f42c624d78acdf2
SHA256 c2542b1ed0adf34994a9aefa49cb848f916c462b911f3331383141e3bf61cd65
SHA512 8f6549f1eb575512677d96ac5f2656d5bbbcfb6f5d7073ffe86ba06b66a9dd25c77e351146f7936b5454e043400dd7c0ebf38df6986ab0f1e8f61dae74eef163

memory/1216-55-0x0000000000400000-0x0000000002BB5000-memory.dmp

memory/1208-60-0x0000000007000000-0x000000000703C000-memory.dmp

memory/1208-61-0x0000000007790000-0x00000000077CA000-memory.dmp

memory/1208-67-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/1208-75-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/1208-73-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/1208-71-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/1208-69-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/1208-81-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/1208-65-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/1208-63-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/1208-62-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/1208-95-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/1208-93-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/1208-91-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/1208-89-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/1208-87-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/1208-85-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/1208-83-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/1208-79-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/1208-77-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/1208-854-0x0000000009C90000-0x000000000A2A8000-memory.dmp

memory/1208-855-0x000000000A340000-0x000000000A352000-memory.dmp

memory/1208-856-0x000000000A360000-0x000000000A46A000-memory.dmp

memory/1208-857-0x000000000A490000-0x000000000A4CC000-memory.dmp

memory/1208-858-0x0000000006AF0000-0x0000000006B3C000-memory.dmp