Malware Analysis Report

2024-12-06 02:40

Sample ID 241110-bafbzaynbk
Target 2d4a6b1d932205e327e53217603ba1cb57cc2ac37f3cca7450483a49ecf4a432
SHA256 2d4a6b1d932205e327e53217603ba1cb57cc2ac37f3cca7450483a49ecf4a432
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

2d4a6b1d932205e327e53217603ba1cb57cc2ac37f3cca7450483a49ecf4a432

Threat Level: Known bad

The file 2d4a6b1d932205e327e53217603ba1cb57cc2ac37f3cca7450483a49ecf4a432 was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Redline family

Detects Healer an antivirus disabler dropper

Healer

RedLine payload

Healer family

RedLine

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:56

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:56

Reported

2024-11-10 00:58

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d4a6b1d932205e327e53217603ba1cb57cc2ac37f3cca7450483a49ecf4a432.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr194666.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr194666.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr194666.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr194666.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr194666.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr194666.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
(35 detections; description, indicator, process and target are N/A for every one of them)

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr194666.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\2d4a6b1d932205e327e53217603ba1cb57cc2ac37f3cca7450483a49ecf4a432.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitN1660.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitN1660.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku715689.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2d4a6b1d932205e327e53217603ba1cb57cc2ac37f3cca7450483a49ecf4a432.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr194666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr194666.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr194666.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku715689.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2d4a6b1d932205e327e53217603ba1cb57cc2ac37f3cca7450483a49ecf4a432.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2d4a6b1d932205e327e53217603ba1cb57cc2ac37f3cca7450483a49ecf4a432.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitN1660.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitN1660.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr194666.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr194666.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku715689.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku715689.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 176.113.115.145:4125 | | tcp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
RU | 176.113.115.145:4125 | | tcp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
RU | 176.113.115.145:4125 | | tcp
RU | 176.113.115.145:4125 | | tcp
RU | 176.113.115.145:4125 | | tcp
RU | 176.113.115.145:4125 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitN1660.exe

MD5 fe247b8aaf9b6c778c4f176d52998cd2
SHA1 932f6c4888cb9ba27b381b7af479c00f32c373fb
SHA256 5424b92ba737a2a5a76bb610365589b4a73d7a7f0814bea0e26c6e2025f3620f
SHA512 cc9d0525a7d42dd25187b33e9a098b7113805f56e23c87ed561f131ff2efe06a8394e6afc763c7b87b7ceb2bbf55843706b9f723aa0cfda35320be4386d758f6

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr194666.exe

MD5 ebbcd364021ac619c4260c9afad383fe
SHA1 478a902cc382cbca714a378b49fac94b9c0647de
SHA256 9dbcb54c49019f36c342cb9843465ebd30cdc39e8e82b7f873942cd6e7fa8649
SHA512 95a991612f378085fbbe2dd5bd8e0551a883b46989cfda4c10008538eeb2c2c8d799eaa37b4a2cb1231c86052fb533867132cb47e4b326cc45413ff38fdb9dc6

memory/3620-14-0x00007FF856853000-0x00007FF856855000-memory.dmp

memory/3620-15-0x0000000000100000-0x000000000010A000-memory.dmp

memory/3620-16-0x00007FF856853000-0x00007FF856855000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku715689.exe

MD5 f7cfe66af70fdee463265e0b059335ac
SHA1 2f06705e938b7023fad283dd4e4bdbccd1bb4d7f
SHA256 edf58a129e2366781c6257e3abedb792b828bc55a4c451b97cf6f896acc3021f
SHA512 a5ca6cc790181a7995caf7a88d1a38b78280c15cbd38858cab2523c94ac4129ce1ac572873ac5c7ebd7875ff592e1bc2b20bcd0bad0d9b4c9ba223d88227756d

memory/3804-22-0x00000000026A0000-0x00000000026E6000-memory.dmp

memory/3804-23-0x0000000004A90000-0x0000000005034000-memory.dmp

memory/3804-24-0x0000000005080000-0x00000000050C4000-memory.dmp

memory/3804-34-0x0000000005080000-0x00000000050BF000-memory.dmp

memory/3804-38-0x0000000005080000-0x00000000050BF000-memory.dmp

memory/3804-88-0x0000000005080000-0x00000000050BF000-memory.dmp

memory/3804-86-0x0000000005080000-0x00000000050BF000-memory.dmp

memory/3804-84-0x0000000005080000-0x00000000050BF000-memory.dmp

memory/3804-82-0x0000000005080000-0x00000000050BF000-memory.dmp

memory/3804-80-0x0000000005080000-0x00000000050BF000-memory.dmp

memory/3804-78-0x0000000005080000-0x00000000050BF000-memory.dmp

memory/3804-74-0x0000000005080000-0x00000000050BF000-memory.dmp

memory/3804-72-0x0000000005080000-0x00000000050BF000-memory.dmp

memory/3804-70-0x0000000005080000-0x00000000050BF000-memory.dmp

memory/3804-68-0x0000000005080000-0x00000000050BF000-memory.dmp

memory/3804-66-0x0000000005080000-0x00000000050BF000-memory.dmp

memory/3804-64-0x0000000005080000-0x00000000050BF000-memory.dmp

memory/3804-62-0x0000000005080000-0x00000000050BF000-memory.dmp

memory/3804-60-0x0000000005080000-0x00000000050BF000-memory.dmp

memory/3804-58-0x0000000005080000-0x00000000050BF000-memory.dmp

memory/3804-54-0x0000000005080000-0x00000000050BF000-memory.dmp

memory/3804-52-0x0000000005080000-0x00000000050BF000-memory.dmp

memory/3804-50-0x0000000005080000-0x00000000050BF000-memory.dmp

memory/3804-48-0x0000000005080000-0x00000000050BF000-memory.dmp

memory/3804-46-0x0000000005080000-0x00000000050BF000-memory.dmp

memory/3804-44-0x0000000005080000-0x00000000050BF000-memory.dmp

memory/3804-42-0x0000000005080000-0x00000000050BF000-memory.dmp

memory/3804-40-0x0000000005080000-0x00000000050BF000-memory.dmp

memory/3804-36-0x0000000005080000-0x00000000050BF000-memory.dmp

memory/3804-32-0x0000000005080000-0x00000000050BF000-memory.dmp

memory/3804-30-0x0000000005080000-0x00000000050BF000-memory.dmp

memory/3804-76-0x0000000005080000-0x00000000050BF000-memory.dmp

memory/3804-56-0x0000000005080000-0x00000000050BF000-memory.dmp

memory/3804-28-0x0000000005080000-0x00000000050BF000-memory.dmp

memory/3804-26-0x0000000005080000-0x00000000050BF000-memory.dmp

memory/3804-25-0x0000000005080000-0x00000000050BF000-memory.dmp

memory/3804-931-0x0000000005220000-0x0000000005838000-memory.dmp

memory/3804-932-0x00000000058C0000-0x00000000059CA000-memory.dmp

memory/3804-933-0x0000000005A00000-0x0000000005A12000-memory.dmp

memory/3804-934-0x0000000005A20000-0x0000000005A5C000-memory.dmp

memory/3804-935-0x0000000005B70000-0x0000000005BBC000-memory.dmp