Malware Analysis Report

2024-12-06 02:55

Sample ID: 241110-ba26qswdkf
Target: 982a827906ad4f3a345fba0b33553fc6c1d5c470254dc1142a6865baad3c6406
SHA256: 982a827906ad4f3a345fba0b33553fc6c1d5c470254dc1142a6865baad3c6406
Tags: healer redline boris discovery dropper evasion infostealer persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: 982a827906ad4f3a345fba0b33553fc6c1d5c470254dc1142a6865baad3c6406
Threat Level: Known bad

The file 982a827906ad4f3a345fba0b33553fc6c1d5c470254dc1142a6865baad3c6406 was found to be: Known bad.

Malicious Activity Summary

healer redline boris discovery dropper evasion infostealer persistence trojan

Healer

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

Healer family

RedLine

Redline family

RedLine payload

Executes dropped EXE

Windows security modification

Adds Run key to start application

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

The technique mapping for this sample is not included in this export of the report.

Analysis: static1

Detonation Overview

Reported: 2024-11-10 00:57

Signatures

Unsigned PE (no indicator, process or target details recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-10 00:57
Reported: 2024-11-10 00:59
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\982a827906ad4f3a345fba0b33553fc6c1d5c470254dc1142a6865baad3c6406.exe"

Signatures

Detects Healer an antivirus disabler dropper

17 matches; the indicator, process and target fields are all N/A in this report.

Healer (tags: dropper, healer)

Healer family (tag: healer)

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5196.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5196.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5196.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5196.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5196.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5196.exe N/A

All six writes come from pro5196.exe and land under SOFTWARE\WOW6432Node, the view into which the kernel redirects a 32-bit process's writes under HKLM\SOFTWARE (the crash of this process being handled by the 32-bit WerFault in SysWOW64 fits the same picture). On a live host, read both the native and the WOW6432Node copy of Policies\Microsoft\Windows Defender\Real-Time Protection. Defender does not honour registry changes to these settings while Tamper Protection is on, so the report shows the attempt, not whether it took effect.

RedLine (tags: infostealer, redline)

RedLine payload

20 matches; the indicator, process and target fields are all N/A in this report.

Redline family (tag: redline)

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5196.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5196.exe N/A

This is an attempt to switch Tamper Protection off by writing TamperProtection = 0 under Microsoft\Windows Defender\Features. Tamper Protection cannot be disabled through that registry value while it is enabled, and this write, like the Real-Time Protection ones, went to the WOW6432Node view rather than the native key.
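As an added example that is not part of the sandbox report, the Python script below parses the registry indicator rows from the two Defender tables above (six value writes and two key creations), maps each value name to the protection it switches off, notes which registry view the write landed in, and lists the keys a responder should read on a suspect host in both the native and the WOW6432Node view. The classification table, the function names and the output format are this example's own assumptions; the input rows are copied from the report.

```python
import re
from collections import defaultdict

# Registry indicator rows copied from the behavioural report above (the
# sandbox's \REGISTRY\MACHINE notation, value data, then the writing process).
REPORT_LINES = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5196.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5196.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5196.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5196.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5196.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5196.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5196.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5196.exe N/A
""".strip().splitlines()

# Classification table is this example's own assumption: Defender value names
# whose data "1" switches a protection off, and the one whose data "0" does.
DISABLE_WHEN_ONE = {
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring", "DisableIOAVProtection",
    "DisableOnAccessProtection", "DisableScanOnRealtimeEnable",
}
DISABLE_WHEN_ZERO = {"TamperProtection"}

# op, registry path (may contain spaces), optional = "data", writing process, target
LINE_RE = re.compile(
    r'^(?P<op>Set value \((?P<type>\w+)\)|Key created) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<data>[^"]*)")? '
    r'(?P<process>C:\\\S+) N/A$'
)


def normalize(path):
    """Rewrite \\REGISTRY\\MACHINE as HKLM and say which WOW64 view the key is in."""
    hklm = path.replace("\\REGISTRY\\MACHINE\\", "HKLM\\", 1)
    view = "WOW6432Node" if "\\WOW6432Node\\" in hklm else "native"
    return hklm, view


def triage(lines):
    """One finding per value write; bare key creations carry no setting and are skipped."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("op") == "Key created":
            continue
        full_key, view = normalize(m.group("path"))
        key, _, name = full_key.rpartition("\\")
        data = m.group("data")
        disables = ((name in DISABLE_WHEN_ONE and data == "1")
                    or (name in DISABLE_WHEN_ZERO and data == "0"))
        findings.append({
            "process": m.group("process").rsplit("\\", 1)[-1],
            "key": key, "value": name, "data": data, "view": view,
            "disables_protection": disables,
        })
    return findings


def summarize(findings):
    """Per writing process: the protections it turned off and the registry views it touched."""
    out = defaultdict(lambda: {"disabled": [], "views": set()})
    for f in findings:
        entry = out[f["process"]]
        if f["disables_protection"]:
            entry["disabled"].append(f["value"])
        entry["views"].add(f["view"])
    return dict(out)


def hunt_keys(findings):
    """Keys to read on a host in both views: a 32-bit writer's HKLM\\SOFTWARE
    changes are redirected to WOW6432Node, so the native key may differ."""
    keys = set()
    for f in findings:
        keys.add(f["key"])
        keys.add(f["key"].replace("\\WOW6432Node", ""))
    return sorted(keys)


if __name__ == "__main__":
    found = triage(REPORT_LINES)
    for proc, info in summarize(found).items():
        print(f"{proc}: disabled {sorted(info['disabled'])} via {sorted(info['views'])} view(s)")
    print("keys to check on a live host:")
    for k in hunt_keys(found):
        print("  " + k)
```

Running it against the rows above reports all six disabling writes from pro5196.exe in the WOW6432Node view only, and prints four keys to query: the Real-Time Protection policy key and the Features key, each in the native and the WOW6432Node view.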

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\982a827906ad4f3a345fba0b33553fc6c1d5c470254dc1142a6865baad3c6406.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un761016.exe N/A

Both entries are the standard cleanup hooks written by the Windows self-extracting cabinet stub (wextract, as used by IExpress packages): IXP000.TMP and IXP001.TMP are its extraction folders, and each RunOnce value runs advpack.dll's DelNodeRunDLL32 at the next logon to delete that folder. They remove the dropped stages rather than relaunching anything, so despite the signature name they are not persistence for the payload. For forensics this matters in the other direction: acquire the IXP*.TMP contents before the machine is rebooted. The nesting (the top-level sample creates IXP000.TMP, and un761016.exe inside it creates IXP001.TMP) shows a two-layer self-extracting package.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5196.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8968.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\982a827906ad4f3a345fba0b33553fc6c1d5c470254dc1142a6865baad3c6406.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un761016.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5196.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5196.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5196.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8968.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2664 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\982a827906ad4f3a345fba0b33553fc6c1d5c470254dc1142a6865baad3c6406.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un761016.exe
PID 2664 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\982a827906ad4f3a345fba0b33553fc6c1d5c470254dc1142a6865baad3c6406.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un761016.exe
PID 2664 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\982a827906ad4f3a345fba0b33553fc6c1d5c470254dc1142a6865baad3c6406.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un761016.exe
PID 624 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un761016.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5196.exe
PID 624 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un761016.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5196.exe
PID 624 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un761016.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5196.exe
PID 624 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un761016.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8968.exe
PID 624 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un761016.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8968.exe
PID 624 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un761016.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8968.exe

Each writer-to-target pair is logged three times, and every target is one of the dropped stages listed under Processes: the sample (2664) writes into un761016.exe (624), which in turn writes into pro5196.exe (2656) and qu8968.exe (4992). The report records no write into any process outside this chain, so the chain itself, not an injection into an unrelated process, is what this signature captures here.

Processes

C:\Users\Admin\AppData\Local\Temp\982a827906ad4f3a345fba0b33553fc6c1d5c470254dc1142a6865baad3c6406.exe (PID 2664)
"C:\Users\Admin\AppData\Local\Temp\982a827906ad4f3a345fba0b33553fc6c1d5c470254dc1142a6865baad3c6406.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un761016.exe (PID 624)
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un761016.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5196.exe (PID 2656; the two WerFault instances below were invoked for this PID)
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5196.exe

C:\Windows\SysWOW64\WerFault.exe (crash handler for PID 2656)
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2656 -ip 2656

C:\Windows\SysWOW64\WerFault.exe (crash handler for PID 2656)
C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8968.exe (PID 4992)
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8968.exe

Network

US 8.8.8.8:53 udp: 11 reverse (PTR) lookups through Google Public DNS, for 8.8.8.8, 199.232.214.172, 52.167.249.196, 20.190.159.75, 192.229.221.95, 13.85.23.206, 4.245.163.56, 2.19.117.75, 2.23.210.88, 87.248.205.0 and 52.111.236.22 (the in-addr.arpa names in the capture decoded back to the addresses queried). No forward (A) lookups appear in the capture.

RU 193.233.20.32:4125 tcp: 19 separate TCP connections to the same host and port, made by address rather than by name. This is the only non-DNS traffic recorded; the report does not attribute it to a specific process.
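Added example, not from the report: the script below rebuilds the process chain from the WriteProcessMemory rows above, attaches the WerFault crash to the PID named in its command line, and condenses the Network table by decoding the in-addr.arpa names back to the addresses looked up and counting connections per destination. The inputs are the report's own rows, with rows the report repeats expressed by multiplication; the tree rendering and the per-edge write count are this example's own.

```python
import re
from collections import Counter, defaultdict

# Inputs copied from the report above. Each WriteProcessMemory row appears three
# times there, and the RU tcp row 19 times interleaved with the reverse lookups.
T = r"C:\Users\Admin\AppData\Local\Temp"
WPM_LINES = (
    [f"PID 2664 wrote to memory of 624 N/A {T}\\982a827906ad4f3a345fba0b33553fc6c1d5c470254dc1142a6865baad3c6406.exe {T}\\IXP000.TMP\\un761016.exe"] * 3
    + [f"PID 624 wrote to memory of 2656 N/A {T}\\IXP000.TMP\\un761016.exe {T}\\IXP001.TMP\\pro5196.exe"] * 3
    + [f"PID 624 wrote to memory of 4992 N/A {T}\\IXP000.TMP\\un761016.exe {T}\\IXP001.TMP\\qu8968.exe"] * 3
)
CRASH_LINES = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2656 -ip 2656",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 1080",
]
NET_LINES = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
""".strip().splitlines() + ["RU 193.233.20.32:4125 tcp"] * 19

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\\S+) (C:\\\S+)$")
WER_RE = re.compile(r"WerFault\.exe .*-p (\d+)")   # the PID WerFault was started for


def basename(path):
    return path.rsplit("\\", 1)[-1]


def process_tree(wpm_lines, crash_lines=()):
    """Writer->target edges from the WriteProcessMemory table, write counts per edge,
    and the PIDs that WerFault was launched for."""
    names, children, writes = {}, defaultdict(list), Counter()
    for line in wpm_lines:
        m = WPM_RE.match(line)
        if not m:
            continue
        ppid, cpid = int(m.group(1)), int(m.group(2))
        names.setdefault(ppid, basename(m.group(3)))
        names.setdefault(cpid, basename(m.group(4)))
        if cpid not in children[ppid]:
            children[ppid].append(cpid)
        writes[(ppid, cpid)] += 1
    crashed = {int(m.group(1)) for m in map(WER_RE.search, crash_lines) if m}
    all_children = {c for kids in children.values() for c in kids}
    roots = [p for p in names if p not in all_children]
    return {"names": names, "children": dict(children), "writes": writes,
            "crashed": crashed, "roots": roots}


def render(tree):
    """Indented tree; each child line carries the number of writes its parent made into it."""
    out = []

    def walk(pid, depth, note):
        tag = " [crashed: WerFault]" if pid in tree["crashed"] else ""
        out.append("  " * depth + f"{tree['names'][pid]} (pid {pid}{note}){tag}")
        for child in tree["children"].get(pid, []):
            walk(child, depth + 1, f", {tree['writes'][(pid, child)]} parent writes")

    for root in tree["roots"]:
        walk(root, 0, "")
    return out


def ptr_target(domain):
    """Turn a reverse-lookup name d.c.b.a.in-addr.arpa back into the address a.b.c.d."""
    suffix = ".in-addr.arpa"
    if not domain.endswith(suffix):
        return None
    return ".".join(reversed(domain[:-len(suffix)].split(".")))


def network_summary(net_lines):
    """TCP connection counts per (country, destination) plus the addresses whose PTR
    records were queried; rows with three fields have an empty domain column."""
    tcp, ptr = Counter(), []
    for line in net_lines:
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, ""
        else:
            continue
        if proto == "tcp":
            tcp[(country, dest)] += 1
        elif proto == "udp" and ptr_target(domain):
            ptr.append(ptr_target(domain))
    return {"tcp": tcp, "ptr_lookups": ptr}


if __name__ == "__main__":
    tree = process_tree(WPM_LINES, CRASH_LINES)
    print("\n".join(render(tree)))
    summary = network_summary(NET_LINES)
    for (country, dest), n in summary["tcp"].items():
        print(f"{n} tcp connections to {dest} ({country})")
    print("PTR lookups for:", ", ".join(summary["ptr_lookups"]))
```

The rendered tree is four lines deep at most: the sample at the root, un761016.exe under it, and pro5196.exe (marked as crashed) and qu8968.exe as its children, each with three parent writes. The network summary collapses the 30 rows to one TCP destination with 19 connections and 11 decoded PTR targets.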

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un761016.exe

MD5 c581137fbceac45b971606707c5506da
SHA1 6819a52e32fafa299629df1e1dfc110a2ee23943
SHA256 1b1256ce48e00d9e622f354775dde3d17ce175fef120700ba61790745a287442
SHA512 64cd5f4b475d3cd4cff0c9b72168031667eafa94d869cb5e41b352b8ce1592d3f3eeed80b970b3627d9812dfafaa32205cd0533800698cc8f596ad9504c43f3c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5196.exe

MD5 50e0fe23187d93313f8f6bc6f09cc5d9
SHA1 73714ce3427c06a9ea26b9c48ca57d6652ff2a86
SHA256 734d8f0e10040bde9adeb8882806069a9d595fa45356d8270560e162fe4cd11a
SHA512 c6b3c6d11cb60bdf9cbc5ad2cbff43fdf837596bc1cbbdf060d82eba42e56f3f026677e64820bba1e4ac6f7cea82ef292393d9e2ee0c5fabdb0e508ba5fcf524

memory/2656-15-0x0000000002BE0000-0x0000000002CE0000-memory.dmp

memory/2656-16-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2656-17-0x0000000004930000-0x000000000494A000-memory.dmp

memory/2656-19-0x0000000007350000-0x00000000078F4000-memory.dmp

memory/2656-18-0x0000000000400000-0x0000000002B7E000-memory.dmp

memory/2656-20-0x0000000004CD0000-0x0000000004CE8000-memory.dmp

memory/2656-34-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

memory/2656-48-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

memory/2656-46-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

memory/2656-44-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

memory/2656-42-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

memory/2656-40-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

memory/2656-38-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

memory/2656-36-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

memory/2656-28-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

memory/2656-26-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

memory/2656-24-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

memory/2656-22-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

memory/2656-21-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

memory/2656-32-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

memory/2656-30-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

memory/2656-49-0x0000000002BE0000-0x0000000002CE0000-memory.dmp

memory/2656-50-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2656-52-0x0000000000400000-0x0000000002B7E000-memory.dmp

memory/2656-53-0x0000000000400000-0x0000000002B7E000-memory.dmp

memory/2656-55-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8968.exe

MD5 369818b96c367277f7b00aa7212a8357
SHA1 024797fe6af8cc632989f416470a00a4a79d5cdd
SHA256 6dffb354ec47481359144be537b628814eb54bf1b44546fac17858296aab541e
SHA512 4941e2d1b890d9dfccce3a4a79849389f84cd9b7c72e4042651e897a5bf9357a12867a59f8ae97b5d9eb335945323f852bbd6a35fc4328fdfd99f54578adcf1c

memory/4992-60-0x0000000006F50000-0x0000000006F96000-memory.dmp

memory/4992-61-0x0000000007740000-0x0000000007784000-memory.dmp

memory/4992-65-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4992-73-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4992-95-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4992-94-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4992-91-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4992-89-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4992-87-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4992-969-0x0000000007E60000-0x0000000007F6A000-memory.dmp

memory/4992-968-0x00000000077C0000-0x0000000007DD8000-memory.dmp

memory/4992-971-0x0000000007FC0000-0x0000000007FFC000-memory.dmp

memory/4992-970-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

memory/4992-972-0x0000000008110000-0x000000000815C000-memory.dmp

memory/4992-85-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4992-83-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4992-81-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4992-79-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4992-77-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4992-75-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4992-71-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4992-69-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4992-67-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4992-63-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4992-62-0x0000000007740000-0x000000000777F000-memory.dmp