Malware Analysis Report

2024-12-06 02:40

Sample ID 241110-bbgw7awcmj
Target 46556ce2d37813cc4f7493ae9f20b90f47c49c994d11c895d656830d78c08e3c
SHA256 46556ce2d37813cc4f7493ae9f20b90f47c49c994d11c895d656830d78c08e3c
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

46556ce2d37813cc4f7493ae9f20b90f47c49c994d11c895d656830d78c08e3c

Threat Level: Known bad

The file 46556ce2d37813cc4f7493ae9f20b90f47c49c994d11c895d656830d78c08e3c was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

RedLine

Healer family

Modifies Windows Defender Real-time Protection settings

Healer

RedLine payload

Redline family

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:58

Reported

2024-11-10 01:00

Platform

win10v2004-20241007-en

Max time kernel

138s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\46556ce2d37813cc4f7493ae9f20b90f47c49c994d11c895d656830d78c08e3c.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\46556ce2d37813cc4f7493ae9f20b90f47c49c994d11c895d656830d78c08e3c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0822929.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\46556ce2d37813cc4f7493ae9f20b90f47c49c994d11c895d656830d78c08e3c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0822929.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5329633.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1164 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\46556ce2d37813cc4f7493ae9f20b90f47c49c994d11c895d656830d78c08e3c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0822929.exe
PID 1164 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\46556ce2d37813cc4f7493ae9f20b90f47c49c994d11c895d656830d78c08e3c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0822929.exe
PID 1164 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\46556ce2d37813cc4f7493ae9f20b90f47c49c994d11c895d656830d78c08e3c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0822929.exe
PID 4168 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0822929.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe
PID 4168 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0822929.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe
PID 4168 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0822929.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe
PID 4168 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0822929.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5329633.exe
PID 4168 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0822929.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5329633.exe
PID 4168 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0822929.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5329633.exe

Processes

C:\Users\Admin\AppData\Local\Temp\46556ce2d37813cc4f7493ae9f20b90f47c49c994d11c895d656830d78c08e3c.exe

"C:\Users\Admin\AppData\Local\Temp\46556ce2d37813cc4f7493ae9f20b90f47c49c994d11c895d656830d78c08e3c.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0822929.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0822929.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5329633.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5329633.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FI 77.91.124.251:19069 N/A tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
FI 77.91.124.251:19069 N/A tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
FI 77.91.124.251:19069 N/A tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
FI 77.91.124.251:19069 N/A tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
FI 77.91.124.251:19069 N/A tcp
FI 77.91.124.251:19069 N/A tcp
FI 77.91.124.251:19069 N/A tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0822929.exe

MD5 3318a535070432c3c5eacc0a93dc1413
SHA1 7a2258fde704dd0b674d9c957298d5c982d4fecd
SHA256 713cc762c8174608785b9f56f83b658fee8e68cd23c3977416df619b1c1dcc7f
SHA512 cbedfb4ed664d3233a6a19ebf0c557288cb22802e6e9ea8575323dea6a72ec8fb8eb03918f370df27b5967145316f1d5680b88ff8e510a29a84b72ef393295f2

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe

MD5 3be539bc06dbbcf598efefd04d30ea31
SHA1 8b9acc444407ca1e139472f2e5cf8ea1fa57dce8
SHA256 dcde231d6b1203b70e39e0f0b0546121f4fa93b505d858d14199a5dc51fd4151
SHA512 39f340f52b907c6e3a039e298824a8f0a8cdb6e642b7676a524647fb7a99e7f1c731529f5fc93376f985849867a607402a9e5cc24a188cd92ed6e776f8aefcab

memory/1420-14-0x0000000073CEE000-0x0000000073CEF000-memory.dmp

memory/1420-15-0x00000000024C0000-0x00000000024DA000-memory.dmp

memory/1420-16-0x0000000073CE0000-0x0000000074490000-memory.dmp

memory/1420-17-0x0000000004B20000-0x00000000050C4000-memory.dmp

memory/1420-18-0x0000000004AD0000-0x0000000004AE8000-memory.dmp

memory/1420-19-0x0000000073CE0000-0x0000000074490000-memory.dmp

memory/1420-43-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

memory/1420-47-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

memory/1420-48-0x0000000073CE0000-0x0000000074490000-memory.dmp

memory/1420-45-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

memory/1420-41-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

memory/1420-39-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

memory/1420-37-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

memory/1420-35-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

memory/1420-27-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

memory/1420-25-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

memory/1420-23-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

memory/1420-21-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

memory/1420-20-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

memory/1420-33-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

memory/1420-31-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

memory/1420-29-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

memory/1420-49-0x0000000073CEE000-0x0000000073CEF000-memory.dmp

memory/1420-50-0x0000000073CE0000-0x0000000074490000-memory.dmp

memory/1420-52-0x0000000073CE0000-0x0000000074490000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5329633.exe

MD5 1bf1deb45ddb63eae2e99a57a8388229
SHA1 f1a7075ea4ce02db3def4d9a096c13a933ada2db
SHA256 a9a96e6449e12ff18c0e26f7bef1f32526b7924ffc72a462063cb069244e06e5
SHA512 130e10f688152376e271eac1eb1f0a11229398d70e04f85fb883bd3b7347fb4ea7c084a67c1deb02c49adb46f43c451123755a1f6ef78235ad38ea058dac2e50

memory/4440-56-0x0000000000B00000-0x0000000000B28000-memory.dmp

memory/4440-57-0x0000000007DC0000-0x00000000083D8000-memory.dmp

memory/4440-58-0x0000000007860000-0x0000000007872000-memory.dmp

memory/4440-59-0x0000000007990000-0x0000000007A9A000-memory.dmp

memory/4440-60-0x00000000078C0000-0x00000000078FC000-memory.dmp

memory/4440-61-0x0000000007900000-0x000000000794C000-memory.dmp