Malware Analysis Report

2024-12-06 02:40

Sample ID 241110-bbje1swdle
Target 68ce20f34998e444fdb4fb69e77854ead9a99c655ba64dfa6c4a30104aa52de2
SHA256 68ce20f34998e444fdb4fb69e77854ead9a99c655ba64dfa6c4a30104aa52de2
Tags
healer redline ramon discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

68ce20f34998e444fdb4fb69e77854ead9a99c655ba64dfa6c4a30104aa52de2

Threat Level: Known bad

The file 68ce20f34998e444fdb4fb69e77854ead9a99c655ba64dfa6c4a30104aa52de2 was found to be: Known bad.

Malicious Activity Summary

healer redline ramon discovery dropper evasion infostealer persistence trojan

RedLine

Modifies Windows Defender Real-time Protection settings

Healer

Detects Healer, an antivirus-disabler dropper

Redline family

RedLine payload

Healer family

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:58

Signatures

Unsigned PE

The sample carries no Authenticode signature. No indicator, process or target details were recorded for this signature.

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:58

Reported

2024-11-10 01:00

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68ce20f34998e444fdb4fb69e77854ead9a99c655ba64dfa6c4a30104aa52de2.exe"

Signatures

Detects Healer, an antivirus-disabler dropper

Two matches; no indicator, process or target details were recorded for them.

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

All five writes come from the same dropped file, iqk86Ad05.exe, and are the antivirus-disabler behaviour the Healer tag describes. The key is the Group Policy location Defender reads for real-time protection; each value set to 1 turns one component off: behavior monitoring, IOAV (scanning of downloaded files and attachments), on-access scanning, real-time monitoring, and the scan that normally runs when real-time protection is turned back on. Whether the writes take effect depends on Tamper Protection being off on the victim (see "Windows security modification" below).
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iqk86Ad05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iqk86Ad05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iqk86Ad05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iqk86Ad05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iqk86Ad05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iqk86Ad05.exe N/A

RedLine

infostealer redline

RedLine payload

35 matches; no indicator, process or target details were recorded for them.

Redline family

redline

Windows security modification

evasion trojan

The same process writes TamperProtection = 0 under HKLM\SOFTWARE\Microsoft\Windows Defender\Features, the value that records whether Tamper Protection is on. Where Tamper Protection is enabled, Defender ignores changes to its protection settings made by other processes through the registry, so this write and the Real-Time Protection policy writes above only disable Defender on hosts where Tamper Protection is already off. The attempt itself is a high-confidence indicator regardless.
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iqk86Ad05.exe N/A

Adds Run key to start application

persistence

Caveat: all four values are wextract_cleanupN entries under RunOnce that point rundll32.exe at advpack.dll,DelNodeRunDLL32 with an IXP00N.TMP directory. That is the cleanup hook the IExpress/wextract self-extracting stub registers so its extraction directory is deleted at the next logon, not persistence of the payload. What the four entries do show is the nesting: the sample unpacks to IXP000.TMP, sBy09XV44.exe to IXP001.TMP, suu88Md25.exe to IXP002.TMP and soV74Jx19.exe to IXP003.TMP, four self-extracting layers deep.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\68ce20f34998e444fdb4fb69e77854ead9a99c655ba64dfa6c4a30104aa52de2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sBy09XV44.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\suu88Md25.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\soV74Jx19.exe N/A
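As an added example (not part of the report or of any vendor's tooling), the following Python parses registry rows in the format used by the two Defender tables and the RunOnce table above, flags the real-time protection policy writes and the TamperProtection write as high severity, and separates the wextract cleanup hook from genuine Run-key persistence. The constructed input reuses rows from this report; the payload.exe Run entry is hypothetical and exists only to exercise the non-SFX branch.

```python
"""Triage sandbox registry events for Defender tampering and Run/RunOnce persistence.

Added example; not part of the sandbox report or of any vendor tooling. Input lines
mirror the report's rows: 'Set value (<type>) <key>\\<name> = "<value>" <process> <target>'
and 'Key created <key> <process> <target>'. SAMPLE_EVENTS is built from rows in the
report plus one hypothetical Run entry (payload.exe) for the non-SFX persistence branch.
"""
import re
from dataclasses import dataclass

# Group Policy location Defender reads for real-time protection; each listed value
# set to 1 turns one protection component off.
RTP_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring", "DisableIOAVProtection", "DisableOnAccessProtection",
    "DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable",
}
TAMPER_VALUE = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"

EVENT_RE = re.compile(
    r'^(?P<op>Set value \((?P<type>\w+)\)|Key created) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>(?:[^"\\]|\\.)*)")?'  # string values escape \ and " with a backslash
    r' (?P<process>\S+) (?P<target>\S+)$'
)
RUN_KEY_RE = re.compile(r'\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\(?P<name>[^\\]+)$', re.I)
# The IExpress/wextract self-extracting stub registers exactly this RunOnce value so
# that its IXP00N.TMP extraction directory is deleted at the next logon.
WEXTRACT_CLEANUP_RE = re.compile(
    r'^rundll32\.exe C:\\Windows\\system32\\advpack\.dll,DelNodeRunDLL32 "(?P<dir>[^"]+)"$', re.I
)

# Constructed input: report rows plus one hypothetical Run entry (last line).
SAMPLE_EVENTS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iqk86Ad05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iqk86Ad05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iqk86Ad05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iqk86Ad05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iqk86Ad05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iqk86Ad05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iqk86Ad05.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\68ce20f34998e444fdb4fb69e77854ead9a99c655ba64dfa6c4a30104aa52de2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sBy09XV44.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\hypothetical\\payload.exe" C:\hypothetical\payload.exe N/A
""".strip().splitlines()


@dataclass(frozen=True)
class Finding:
    severity: str  # high, medium or info
    category: str
    process: str
    detail: str


def parse_event(line):
    """Split one report row into its fields; string values are unescaped."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["value"] = re.sub(r"\\(.)", r"\1", ev["value"]) if ev["value"] is not None else ""
    return ev


def classify(ev):
    path, value, proc = ev["path"], ev["value"], ev["process"]
    key, _, name = path.rpartition("\\")
    if ev["op"] == "Key created":
        return Finding("info", "defender_policy_key_created", proc, path) if path == RTP_KEY else None
    if key == RTP_KEY and name in RTP_DISABLE_VALUES and value == "1":
        return Finding("high", "defender_rtp_disabled", proc, name)
    if path == TAMPER_VALUE and value == "0":
        return Finding("high", "tamper_protection_disabled", proc, path)
    run = RUN_KEY_RE.search(path)
    if run:
        sfx = WEXTRACT_CLEANUP_RE.match(value)
        if sfx:  # benign-looking cleanup hook, but it reveals one SFX nesting level
            return Finding("info", "sfx_cleanup_hook", proc, sfx.group("dir"))
        return Finding("medium", "run_key_persistence", proc, f"{run.group('name')} = {value}")
    return None


def triage(lines):
    findings = []
    for line in lines:
        ev = parse_event(line)
        finding = classify(ev) if ev else None
        if finding:
            findings.append(finding)
    return findings


def summarize(findings):
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        exe = f.process.rsplit("\\", 1)[-1]
        print(f"[{f.severity:<6}] {f.category:<28} {exe:<20} {f.detail}")
```

Run against the constructed rows it reports five defender_rtp_disabled and one tamper_protection_disabled finding from iqk86Ad05.exe, two sfx_cleanup_hook entries whose detail is the IXP00N.TMP directory each stage unpacked into, and one run_key_persistence finding for the hypothetical entry. The severity split is the point: the RunOnce rows in this report are informational context about packaging, while the Defender writes are what a detection should page on.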

System Location Discovery: System Language Discovery

discovery

Every self-extracting stage and the kCq08mV74.exe payload open HKLM\SYSTEM\ControlSet001\Control\NLS\Language; iqk86Ad05.exe does not appear in this table. The key is also read during ordinary locale initialisation, so on its own this is a weak indicator; it is recorded because stealer families commonly use the system language to decide whether to run on a given host.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\soV74Jx19.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kCq08mV74.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\68ce20f34998e444fdb4fb69e77854ead9a99c655ba64dfa6c4a30104aa52de2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sBy09XV44.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\suu88Md25.exe N/A

Suspicious behavior: EnumeratesProcesses

Two process-enumeration events, both from C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iqk86Ad05.exe; no indicator details were recorded.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iqk86Ad05.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kCq08mV74.exe N/A

Suspicious use of WriteProcessMemory

The rows form a strict parent-to-child chain: 1800 (the sample) -> 1916 (sBy09XV44.exe) -> 3732 (suu88Md25.exe) -> 1944 (soV74Jx19.exe) -> 4424 (iqk86Ad05.exe) and 1604 (kCq08mV74.exe). Each writer is the process that unpacked and launched its target (compare the RunOnce table), and no process is written to by more than one writer, so the table records the nested self-extracting layers starting their contents rather than injection into a foreign process. Repeated rows are repeated writes to the same target.
Description Indicator Process Target
PID 1800 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\68ce20f34998e444fdb4fb69e77854ead9a99c655ba64dfa6c4a30104aa52de2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sBy09XV44.exe
PID 1800 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\68ce20f34998e444fdb4fb69e77854ead9a99c655ba64dfa6c4a30104aa52de2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sBy09XV44.exe
PID 1800 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\68ce20f34998e444fdb4fb69e77854ead9a99c655ba64dfa6c4a30104aa52de2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sBy09XV44.exe
PID 1916 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sBy09XV44.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\suu88Md25.exe
PID 1916 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sBy09XV44.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\suu88Md25.exe
PID 1916 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sBy09XV44.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\suu88Md25.exe
PID 3732 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\suu88Md25.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\soV74Jx19.exe
PID 3732 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\suu88Md25.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\soV74Jx19.exe
PID 3732 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\suu88Md25.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\soV74Jx19.exe
PID 1944 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\soV74Jx19.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iqk86Ad05.exe
PID 1944 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\soV74Jx19.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iqk86Ad05.exe
PID 1944 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\soV74Jx19.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kCq08mV74.exe
PID 1944 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\soV74Jx19.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kCq08mV74.exe
PID 1944 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\soV74Jx19.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kCq08mV74.exe
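The chain is easier to reason about as a tree than as fourteen rows. The following Python is an added example, not part of the report: it parses rows in the table's "PID a wrote to memory of b N/A writer target" format, de-duplicates them, finds the root and the leaf processes, and flags any target written by more than one process, which is the one pattern this table alone can surface as a cross-process write rather than a launch. The constructed input is a subset of the rows above, duplicates included.

```python
"""Rebuild the spawn chain from the report's WriteProcessMemory rows.

Added example; not part of the sandbox report. Rows follow the report's format
    PID <writer> wrote to memory of <target> N/A <writer image> <target image>
and SAMPLE_ROWS is constructed from a subset of the table's rows, duplicates included.
"""
import re

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

SAMPLE_ROWS = r"""
PID 1800 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\68ce20f34998e444fdb4fb69e77854ead9a99c655ba64dfa6c4a30104aa52de2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sBy09XV44.exe
PID 1800 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\68ce20f34998e444fdb4fb69e77854ead9a99c655ba64dfa6c4a30104aa52de2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sBy09XV44.exe
PID 1916 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sBy09XV44.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\suu88Md25.exe
PID 3732 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\suu88Md25.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\soV74Jx19.exe
PID 1944 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\soV74Jx19.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iqk86Ad05.exe
PID 1944 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\soV74Jx19.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iqk86Ad05.exe
PID 1944 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\soV74Jx19.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kCq08mV74.exe
""".strip().splitlines()


def parse_rows(lines):
    """Return de-duplicated (writer, target) edges in first-seen order and a PID -> image map."""
    edges, images, seen = [], {}, set()
    for line in lines:
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        images.setdefault(src, m["src_img"])
        images.setdefault(dst, m["dst_img"])
        if (src, dst) not in seen:
            seen.add((src, dst))
            edges.append((src, dst))
    return edges, images


def roots(edges):
    """PIDs that write but are never written to: the chain's origin(s)."""
    return sorted({s for s, _ in edges} - {d for _, d in edges})


def leaves(edges):
    """PIDs that are written to but never write: the final payload processes."""
    return sorted({d for _, d in edges} - {s for s, _ in edges})


def multi_writer_targets(edges):
    """Targets written by more than one process. At most one writer can be the launching
    parent, so every additional writer is a cross-process write worth a closer look."""
    writers = {}
    for s, d in edges:
        writers.setdefault(d, set()).add(s)
    return {d: sorted(ws) for d, ws in writers.items() if len(ws) > 1}


def depth(pid, edges):
    """Number of spawn hops from a root to pid (0 for a root); bounded to survive cycles."""
    parent = {d: s for s, d in edges}
    hops = 0
    while pid in parent and hops <= len(edges):
        pid = parent[pid]
        hops += 1
    return hops


def basename(path):
    return path.rsplit("\\", 1)[-1]


def render_tree(edges, images):
    """Indented text tree, one line per process, children in first-seen order."""
    children = {}
    for s, d in edges:
        children.setdefault(s, []).append(d)
    lines = []

    def walk(pid, level):
        lines.append(f"{'    ' * level}{pid}  {basename(images[pid])}")
        for child in children.get(pid, []):
            walk(child, level + 1)

    for root in roots(edges):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    edges, images = parse_rows(SAMPLE_ROWS)
    print("\n".join(render_tree(edges, images)))
    print("leaves:", leaves(edges), "multi-writer targets:", multi_writer_targets(edges))
```

For this report the tree has one root (1800), two leaves (1604 and 4424, both four hops deep) and no multi-writer targets, which is the shape of a dropper chain, not of injection into an existing process. On a report where a payload writes into explorer.exe or a browser, that process would show up as a target with a writer that never launched it.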

Processes

PIDs are taken from the WriteProcessMemory table. Each dropped stage was launched with its bare path as the command line.

PID 1800  C:\Users\Admin\AppData\Local\Temp\68ce20f34998e444fdb4fb69e77854ead9a99c655ba64dfa6c4a30104aa52de2.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\68ce20f34998e444fdb4fb69e77854ead9a99c655ba64dfa6c4a30104aa52de2.exe"
PID 1916  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sBy09XV44.exe
PID 3732  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\suu88Md25.exe
PID 1944  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\soV74Jx19.exe
PID 4424  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iqk86Ad05.exe
PID 1604  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kCq08mV74.exe

Network

Identical rows are collapsed; Count is the number of times the row appears in the capture. The udp rows are reverse (PTR) lookups sent to the 8.8.8.8 resolver; the only direct connection is TCP to 193.233.20.23:4123, repeated six times.

Country Destination Domain Proto Count
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp 1
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp 1
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp 1
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp 1
RU 193.233.20.23:4123 - tcp 6
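Turning the table into IOCs takes two small steps that are easy to get wrong by hand: undoing the octet reversal in the in-addr.arpa names, and separating resolver chatter from direct connections. The following Python is an added example, not part of the report, fed with rows constructed from the Network table above. The PTR targets it recovers are addresses the host looked up, not addresses this report shows the sample connecting to, so they are context rather than blockable indicators.

```python
"""Normalize the report's Network rows into a handful of IOCs.

Added example; not part of the sandbox report. SAMPLE_ROWS is constructed from the
Network table above. Names of the form d.c.b.a.in-addr.arpa are PTR queries for the
address a.b.c.d; the code undoes that reversal, separates resolver traffic from direct
connections, and counts repeated rows.
"""
import ipaddress
from collections import Counter

# Constructed from the report's Network table: "Country Destination [Domain] Proto".
SAMPLE_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.23:4123 tcp
RU 193.233.20.23:4123 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 193.233.20.23:4123 tcp
RU 193.233.20.23:4123 tcp
RU 193.233.20.23:4123 tcp
RU 193.233.20.23:4123 tcp
""".strip().splitlines()


def parse_row(line):
    """Rows carry a Domain column only for DNS traffic; direct connections omit it."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unrecognised row: {line!r}")
    host, _, port = dest.rpartition(":")
    return {"country": country, "ip": host, "port": int(port), "domain": domain, "proto": proto}


def ptr_target(name):
    """Return the IPv4 address a d.c.b.a.in-addr.arpa PTR name asks about, else None."""
    suffix = ".in-addr.arpa"
    if not name or not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def summarize(lines):
    dns = Counter()    # (resolver ip, queried name) -> count
    conns = Counter()  # (ip, port, proto, country) -> count
    ptr_targets = set()
    for line in lines:
        r = parse_row(line)
        if r["port"] == 53 and r["domain"]:
            dns[(r["ip"], r["domain"])] += 1
            target = ptr_target(r["domain"])
            if target:
                ptr_targets.add(target)
        else:
            conns[(r["ip"], r["port"], r["proto"], r["country"])] += 1
    return {
        "dns": dns,
        "connections": conns,
        "ptr_targets": sorted(ptr_targets, key=ipaddress.IPv4Address),
    }


def direct_endpoints(summary, min_hits=1):
    """Non-DNS endpoints contacted at least min_hits times, most frequent first."""
    return [
        (ip, port, n)
        for (ip, port, _proto, _cc), n in summary["connections"].most_common()
        if n >= min_hits
    ]


if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS)
    print("direct endpoints:", direct_endpoints(s))
    print("PTR lookups for:", s["ptr_targets"])
```

Against this report the only direct endpoint is 193.233.20.23:4123 with six connections, and the PTR lookups resolve to 2.23.210.88, 8.8.8.8, 20.49.150.241, 40.126.32.72, 192.229.221.95 and 199.232.210.172. None of those six appears as a connection destination in the table, so attributing them to the sample would need the full pcap, not this summary.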

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sBy09XV44.exe

MD5 38b3661c4a7c6b6b9a3ed8234670793e
SHA1 2afc9a6fa5a5450fb53388b1d564c847f87ca366
SHA256 51796f2f95ae181c677061a15d79e604825d723b3853a56caaa6b2749ccaa270
SHA512 3d18f9345085bcdabd45754aeb999c03de855cac31e468396fc0f1774d93d37faf7d3e1463e6d1a4513d715fc5befd4f271d71a673c939ccb1f7d75119dba66c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\suu88Md25.exe

MD5 5063ae1e8b609f1462d50d7285d732e1
SHA1 1ed0b0b8cd239d063a7ea986187afaa9a37b6a72
SHA256 b60e302c46f64965659388893f0bb18d5b0421134577877aa6d5d7bd7e9ffbbb
SHA512 94374a3b4165cb39ed52383e2a50692d2a543a362a75d934d2364c9aa9d99be2bcc25d52e6f65b0233389eb659feba5df58ef8cd36dda58d7772833cd81aa66f

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\soV74Jx19.exe

MD5 43e994202ff14d95be81aed6363e7a7f
SHA1 97d47c82d9e02a1e5e7adfe5bf94fd393b0c9714
SHA256 dfcbea1958d9d4b8b61bc200224889d45dd833c817e6c29df9d8ce1a17317915
SHA512 ff67b3e04301a5e912630ba5e658e5c318cada13ecd285ad54399357601ac6e111031646f692108a45574e301ec700a491b1a1fe6f425f1b0aa6f992a50d5a7c

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iqk86Ad05.exe

MD5 eead17d3376defc1b833e4f41378de64
SHA1 16cbe2843eb639e2ef9a6eb241abd1e319fc6665
SHA256 67efc7a9be0966299d6baf23eec28665784efeccce75a4e49b0901ae5b6b7c27
SHA512 60f7a06523779896c379bd4d1473c5e0199a1b075058737dc3c1ce72c07ff9f8000b29a91b0ff20e3df95db272224ce7f3052e192ce2a9d12cb7d4848bc26b5f

memory/4424-28-0x0000000000DA0000-0x0000000000DAA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kCq08mV74.exe

MD5 39e68ec5c671803bea570c9c8149ecf5
SHA1 93cb8d7be2e1aa555e5541d1d946271d32cf20ba
SHA256 7359387553ff87aa91886a0e850132f5024f913e22cc8eb764d401fcdb0d58f5
SHA512 5ce2317044a61712de25b803c7bb51a6a6aba6c9606cbaa2b5b340960a59baf98b5041ddc417924fec3f03a9543a8442eeb465a28c1986458e80e292568d9ada

memory/1604-34-0x0000000002680000-0x00000000026C6000-memory.dmp
memory/1604-35-0x0000000004DA0000-0x0000000005344000-memory.dmp
memory/1604-36-0x0000000004CA0000-0x0000000004CE4000-memory.dmp
memory/1604-N-0x0000000004CA0000-0x0000000004CDE000-memory.dmp for N = 37 and every even N from 38 to 100 (33 snapshots of the same region)
memory/1604-943-0x0000000005350000-0x0000000005968000-memory.dmp
memory/1604-944-0x00000000059A0000-0x0000000005AAA000-memory.dmp
memory/1604-945-0x0000000005AE0000-0x0000000005AF2000-memory.dmp
memory/1604-946-0x0000000005B00000-0x0000000005B3C000-memory.dmp
memory/1604-947-0x0000000005C50000-0x0000000005C9C000-memory.dmp