Malware Analysis Report

2024-11-15 09:57

Sample ID 241110-b6me6axbjd
Target 5b9fe1209f639c0c564a3374d78eeac88e586a1bccfb7c407a4df4b300adbc3c
SHA256 5b9fe1209f639c0c564a3374d78eeac88e586a1bccfb7c407a4df4b300adbc3c
Tags
healer redline mango discovery dropper evasion infostealer persistence trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

5b9fe1209f639c0c564a3374d78eeac88e586a1bccfb7c407a4df4b300adbc3c

Threat Level: Known bad

The file 5b9fe1209f639c0c564a3374d78eeac88e586a1bccfb7c407a4df4b300adbc3c was found to be: Known bad.

Malicious Activity Summary

healer redline mango discovery dropper evasion infostealer persistence trojan

RedLine payload

Redline family

RedLine

Modifies Windows Defender Real-time Protection settings

Healer

Healer family

Detects Healer an antivirus disabler dropper

Windows security modification

Executes dropped EXE

Adds Run key to start application

Launches sc.exe

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:45

Reported

2024-11-10 01:48

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5b9fe1209f639c0c564a3374d78eeac88e586a1bccfb7c407a4df4b300adbc3c.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c54iR94.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c54iR94.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c54iR94.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6597pr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6597pr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6597pr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6597pr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c54iR94.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c54iR94.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c54iR94.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6597pr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6597pr.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6597pr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c54iR94.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c54iR94.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5b9fe1209f639c0c564a3374d78eeac88e586a1bccfb7c407a4df4b300adbc3c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8018.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice1875.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c54iR94.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\drcwt99.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5b9fe1209f639c0c564a3374d78eeac88e586a1bccfb7c407a4df4b300adbc3c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8018.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice1875.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6597pr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c54iR94.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\drcwt99.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4648 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\5b9fe1209f639c0c564a3374d78eeac88e586a1bccfb7c407a4df4b300adbc3c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8018.exe
PID 4648 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\5b9fe1209f639c0c564a3374d78eeac88e586a1bccfb7c407a4df4b300adbc3c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8018.exe
PID 4648 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\5b9fe1209f639c0c564a3374d78eeac88e586a1bccfb7c407a4df4b300adbc3c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8018.exe
PID 1456 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8018.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice1875.exe
PID 1456 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8018.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice1875.exe
PID 1456 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8018.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice1875.exe
PID 5096 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice1875.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6597pr.exe
PID 5096 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice1875.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6597pr.exe
PID 5096 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice1875.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c54iR94.exe
PID 5096 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice1875.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c54iR94.exe
PID 5096 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice1875.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c54iR94.exe
PID 1456 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8018.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\drcwt99.exe
PID 1456 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8018.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\drcwt99.exe
PID 1456 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8018.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\drcwt99.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5b9fe1209f639c0c564a3374d78eeac88e586a1bccfb7c407a4df4b300adbc3c.exe

"C:\Users\Admin\AppData\Local\Temp\5b9fe1209f639c0c564a3374d78eeac88e586a1bccfb7c407a4df4b300adbc3c.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8018.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8018.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice1875.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice1875.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6597pr.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6597pr.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c54iR94.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c54iR94.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4744 -ip 4744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\drcwt99.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\drcwt99.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.28:4125 N/A tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
RU 193.233.20.28:4125 N/A tcp
RU 193.233.20.28:4125 N/A tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
RU 193.233.20.28:4125 N/A tcp
RU 193.233.20.28:4125 N/A tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8018.exe

MD5 1cd2da428819fce6f2715d2102fb61e0
SHA1 1f72abdf9c110398050d74df743e9ac3440f865a
SHA256 ba1dcd28468ff4c6f5167d07696adb52870c66bc9bdab982341077001647a558
SHA512 e543b70bb77ba76731add6e3f550e1e5988f9b1390d563e85d5eecbcc9e6af45a5f409b8dca40dd51d5b97326fd86f9bc5cdb46354eba54319e51e31fad0262c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice1875.exe

MD5 6c311fb4e49cc63a890c1ffe893e8957
SHA1 de069d3236efb1dd9f1a1b85b11b02db95b9d1b4
SHA256 0f3819b34ff1a597a699e2de8bd2550f8e6c8dc8e0856a07d0a52d66319fb739
SHA512 86a71ca239fb219d9f73af078470525c857dffc87e0abb70ee0524a9b131ea34a484e59a54d1eb13acedf63d22a97e6b6e9df497830b1f34f4b387d6b9d5cf04

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6597pr.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/1964-21-0x00007FFD99513000-0x00007FFD99515000-memory.dmp

memory/1964-22-0x0000000000D60000-0x0000000000D6A000-memory.dmp

memory/1964-24-0x00007FFD99513000-0x00007FFD99515000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c54iR94.exe

MD5 ba0a672fbb200521a4a09b67a6c327b1
SHA1 738c513500309b6ecb42a3f400260b3eed467bf1
SHA256 7d4f0569f9d0ccac57cd285c805f5c43f5c5481fc9fe018c06113e841523962e
SHA512 03f4b7006027fc528c288c6f4b8e8ea62764d160cfa6fc16b06e701bb6b7c7249b28ed8f6398cb92432270bff36a2bc1f4a99bad24e20ce821be0454bb16d78f

memory/4744-29-0x0000000002270000-0x000000000228A000-memory.dmp

memory/4744-30-0x0000000004B60000-0x0000000005104000-memory.dmp

memory/4744-31-0x0000000002550000-0x0000000002568000-memory.dmp

memory/4744-45-0x0000000002550000-0x0000000002562000-memory.dmp

memory/4744-59-0x0000000002550000-0x0000000002562000-memory.dmp

memory/4744-57-0x0000000002550000-0x0000000002562000-memory.dmp

memory/4744-55-0x0000000002550000-0x0000000002562000-memory.dmp

memory/4744-53-0x0000000002550000-0x0000000002562000-memory.dmp

memory/4744-51-0x0000000002550000-0x0000000002562000-memory.dmp

memory/4744-50-0x0000000002550000-0x0000000002562000-memory.dmp

memory/4744-47-0x0000000002550000-0x0000000002562000-memory.dmp

memory/4744-43-0x0000000002550000-0x0000000002562000-memory.dmp

memory/4744-41-0x0000000002550000-0x0000000002562000-memory.dmp

memory/4744-39-0x0000000002550000-0x0000000002562000-memory.dmp

memory/4744-37-0x0000000002550000-0x0000000002562000-memory.dmp

memory/4744-36-0x0000000002550000-0x0000000002562000-memory.dmp

memory/4744-33-0x0000000002550000-0x0000000002562000-memory.dmp

memory/4744-32-0x0000000002550000-0x0000000002562000-memory.dmp

memory/4744-60-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/4744-62-0x0000000000400000-0x00000000004B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\drcwt99.exe

MD5 e189ceef9569bc60e4a5cca36e335ebe
SHA1 cb653d5a8a3f12f5e52bf935d79693a45c54dfef
SHA256 c9866cf9cb7edc5ec0aed9d4d5280debb068f9debdf90181e6efd89dfeb64b39
SHA512 4830c5f097501071848c9666e07dbf13bd3daaa9e710164550767d7a48c6a93141708edccc0fcccd4c62f19648bdec3418b149788c78db3f812533fe9d66ae7d

memory/4056-67-0x0000000002460000-0x00000000024A6000-memory.dmp

memory/4056-68-0x00000000050C0000-0x0000000005104000-memory.dmp

memory/4056-74-0x00000000050C0000-0x00000000050FE000-memory.dmp

memory/4056-82-0x00000000050C0000-0x00000000050FE000-memory.dmp

memory/4056-102-0x00000000050C0000-0x00000000050FE000-memory.dmp

memory/4056-100-0x00000000050C0000-0x00000000050FE000-memory.dmp

memory/4056-98-0x00000000050C0000-0x00000000050FE000-memory.dmp

memory/4056-96-0x00000000050C0000-0x00000000050FE000-memory.dmp

memory/4056-94-0x00000000050C0000-0x00000000050FE000-memory.dmp

memory/4056-92-0x00000000050C0000-0x00000000050FE000-memory.dmp

memory/4056-88-0x00000000050C0000-0x00000000050FE000-memory.dmp

memory/4056-86-0x00000000050C0000-0x00000000050FE000-memory.dmp

memory/4056-84-0x00000000050C0000-0x00000000050FE000-memory.dmp

memory/4056-80-0x00000000050C0000-0x00000000050FE000-memory.dmp

memory/4056-78-0x00000000050C0000-0x00000000050FE000-memory.dmp

memory/4056-76-0x00000000050C0000-0x00000000050FE000-memory.dmp

memory/4056-90-0x00000000050C0000-0x00000000050FE000-memory.dmp

memory/4056-72-0x00000000050C0000-0x00000000050FE000-memory.dmp

memory/4056-70-0x00000000050C0000-0x00000000050FE000-memory.dmp

memory/4056-69-0x00000000050C0000-0x00000000050FE000-memory.dmp

memory/4056-975-0x0000000005100000-0x0000000005718000-memory.dmp

memory/4056-976-0x0000000005790000-0x000000000589A000-memory.dmp

memory/4056-977-0x00000000058D0000-0x00000000058E2000-memory.dmp

memory/4056-978-0x00000000059F0000-0x0000000005A2C000-memory.dmp

memory/4056-979-0x0000000005A40000-0x0000000005A8C000-memory.dmp