Malware Analysis Report

2024-12-06 02:40

Sample ID: 241110-bbpa9syncm
Target:    3e5e80faa6b50bcf6cec47abb50d2bd5b32e0a4f90ff12c4a429b46b7928caf6
SHA256:    3e5e80faa6b50bcf6cec47abb50d2bd5b32e0a4f90ff12c4a429b46b7928caf6
Tags:      healer redline rosn discovery dropper evasion infostealer persistence trojan
Score:     10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 3e5e80faa6b50bcf6cec47abb50d2bd5b32e0a4f90ff12c4a429b46b7928caf6
Threat Level: Known bad. The file 3e5e80faa6b50bcf6cec47abb50d2bd5b32e0a4f90ff12c4a429b46b7928caf6 was found to be: Known bad.

Malicious Activity Summary

Tags: healer redline rosn discovery dropper evasion infostealer persistence trojan

Signatures triggered, grouped by what they describe:

  Family identification
    Healer
    Healer family
    Detects Healer an antivirus disabler dropper
    RedLine
    Redline family
    RedLine payload

  Defense evasion
    Modifies Windows Defender Real-time Protection settings
    Windows security modification

  Execution and persistence
    Executes dropped EXE
    Adds Run key to start application
    Program crash

  Discovery
    System Location Discovery: System Language Discovery
    Suspicious behavior: EnumeratesProcesses

  Static and low-level behaviour
    Unsigned PE
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory

In short: the sample is a two-layer self-extracting dropper (IXP000.TMP, then IXP001.TMP) that runs un107615.exe, which drops and runs pro2932.exe and qu3234.exe. Every Defender-disabling registry write in the report, the behaviour the Healer "antivirus disabler" tag refers to, comes from pro2932.exe, which is also the process WerFault.exe handles (PID 5008). The RedLine tags mark the infostealer payload; the report does not attribute that match to a specific process. Details for each signature are under Analysis: behavioral1. "Executes dropped EXE" and "Program crash" have no indicator table in this export, but the process list shows the dropped executables running and WerFault.exe handling PID 5008.

MITRE ATT&CK

Enterprise Matrix V15

The rendered matrix is not part of this export. The techniques the signature names correspond to are:
  T1562.001 Impair Defenses: Disable or Modify Tools (Windows Defender Real-Time Protection policy values, TamperProtection)
  T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (RunOnce entries; see the caveat under that signature)
  T1614.001 System Location Discovery: System Language Discovery (NLS\Language key reads)
  T1057 Process Discovery (EnumeratesProcesses)

Analysis: static1

Detonation Overview

Reported: 2024-11-10 00:58

Signatures

Unsigned PE
  The sample carries no Authenticode signature. The indicator table (Description / Indicator / Process / Target) is empty in this export.

Analysis: behavioral1

Detonation Overview

Submitted:        2024-11-10 00:58
Reported:         2024-11-10 01:00
Platform:         win10v2004-20241007-en (Windows 10 version 2004, English)
Max time kernel:  146s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3e5e80faa6b50bcf6cec47abb50d2bd5b32e0a4f90ff12c4a429b46b7928caf6.exe"

The sample was launched by path with no arguments from the Admin user's Temp directory.

Signatures

Detects Healer an antivirus disabler dropper
  17 matches; Description, Indicator, Process and Target are all N/A in this export, so the match is not attributed to a specific process or file here.

Healer
  Tags: dropper, healer

Healer family
  Tags: healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2932.exe (PID 5008); Target: N/A for every row.
  Key created     \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = 1
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = 1
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = 1
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 1
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = 1

What this is: the key under SOFTWARE\Policies is the Group Policy location for Defender, and policy values take precedence over Defender's own preferences. Setting these five to 1 turns off behaviour monitoring, scanning of downloaded files and attachments (IOAV), on-access scanning, real-time monitoring, and the catch-up scan Defender would otherwise run when real-time protection is re-enabled. This is the behaviour behind the Healer "antivirus disabler" tag. The WOW6432Node prefix on every registry path in this report, and the SysWOW64 WerFault.exe that later handles PID 5008, show the writers are 32-bit processes; HKLM\SOFTWARE\Policies is one of the keys WOW64 shares between the 32- and 64-bit views, so these writes do reach the key Defender reads. The sandbox logs the writes, not their effect: these are among the settings Tamper Protection guards, and on a host where it is enforced the values may land in the registry without Defender honouring them. When hunting, alert on any of these five value names being set to 1 by a process other than Group Policy processing.

RedLine

infostealer redline

RedLine payload
  20 matches; Description, Indicator, Process and Target are all N/A in this export, so the report does not say which process, file or memory region matched.

Redline family
  Tags: redline

Windows security modification

evasion trojan
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2932.exe (PID 5008); Target: N/A for both rows.
  Key created     \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = 0

This is the value under which Defender records whether Tamper Protection is on; writing 0 is an attempt to switch Tamper Protection off so that the Real-Time Protection policy writes above take hold. Two caveats. Tamper Protection exists to reject exactly this change, so whether the write had any effect depends on the host's configuration, which the report does not show. And unlike SOFTWARE\Policies, HKLM\SOFTWARE\Microsoft\Windows Defender is not a key WOW64 shares between views: a 32-bit process that opens it without KEY_WOW64_64KEY is redirected to the WOW6432Node copy recorded here, which the 64-bit Defender service does not read. The recorded path alone does not tell you which happened.

Adds Run key to start application

persistence
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
    Data:    rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
    Process: C:\Users\Admin\AppData\Local\Temp\3e5e80faa6b50bcf6cec47abb50d2bd5b32e0a4f90ff12c4a429b46b7928caf6.exe; Target: N/A
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1
    Data:    rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
    Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un107615.exe; Target: N/A

Read this one with care. Both entries are the standard housekeeping written by the Windows wextract/IExpress self-extractor stub: IXP000.TMP and IXP001.TMP are the directories it unpacks its cabinet into, wextract_cleanupN is its fixed value name, and advpack.dll,DelNodeRunDLL32 deletes that directory at the next logon; RunOnce values are removed when they run. So these rows establish that the sample and un107615.exe are nested self-extracting packages (the outer one drops un107615.exe into IXP000.TMP, which drops pro2932.exe and qu3234.exe into IXP001.TMP), not that a payload survives a reboot. No Run or RunOnce entry pointing at a dropped executable appears anywhere in this report, so the "persistence" tag is the sandbox's generic label for a RunOnce write, not evidence that the stealer persists.
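The three registry signatures above (the Real-Time Protection policy values, TamperProtection, and the RunOnce entries) are the part of this report worth turning into detection logic, including the distinction between a RunOnce entry that is self-extractor cleanup and one that is real persistence. The Python below is an added example, not code from the sandbox or from this report. Its EVENTS list is constructed here in the shape of Sysmon Event ID 13 (RegistryEvent, value set) records with the field names EventID, Image, TargetObject and Details; the first seven mirror the report's rows, and the last two (a RunOnce entry pointing at a made-up updater.exe, and a harmless Explorer setting) are invented for contrast.

```python
"""Classify registry 'value set' events against the Defender-tampering and
RunOnce indicators from this report. Added example; EVENTS is constructed in
the shape of Sysmon Event ID 13 records, not taken from a real log."""
import re
from collections import defaultdict

# Group Policy values that switch off Defender real-time protection when set to 1
RTP_DISABLE_VALUES = {
    "disablebehaviormonitoring",
    "disableioavprotection",
    "disableonaccessprotection",
    "disablerealtimemonitoring",
    "disablescanonrealtimeenable",
}
RTP_KEY = r"hklm\software\policies\microsoft\windows defender\real-time protection"
TP_VALUE = r"hklm\software\microsoft\windows defender\features\tamperprotection"
RUNONCE_KEY = r"hklm\software\microsoft\windows\currentversion\runonce"

# RunOnce data written by the wextract/IExpress stub to delete its IXPnnn.TMP folder
WEXTRACT_CLEANUP = re.compile(
    r'^rundll32\.exe\s+C:\\Windows\\system32\\advpack\.dll,DelNodeRunDLL32\s+'
    r'"C:\\Users\\[^"]*\\IXP\d{3}\.TMP\\"$',
    re.IGNORECASE,
)


def normalize_key(path: str) -> str:
    """Map native (\\REGISTRY\\MACHINE) and WOW64-redirected paths onto one
    lower-case HKLM form so 32- and 64-bit writers compare equal."""
    p = re.sub(r"(?i)^\\REGISTRY\\MACHINE\\", r"HKLM\\", path)
    p = re.sub(r"(?i)^HKLM\\SOFTWARE\\WOW6432Node\\", r"HKLM\\SOFTWARE\\", p)
    return p.lower()


def dword(details: str):
    """Sysmon renders REG_DWORD data as 'DWORD (0x00000001)'; accept a bare int too."""
    m = re.search(r"0x([0-9a-fA-F]+)", details)
    if m:
        return int(m.group(1), 16)
    return int(details) if details.strip().isdigit() else None


def classify(event: dict):
    """Return a label for a registry write, or None if it is not of interest."""
    if event.get("EventID") != 13:
        return None
    key = normalize_key(event["TargetObject"])
    parent, _, value = key.rpartition("\\")
    if parent == RTP_KEY and value in RTP_DISABLE_VALUES:
        return "defender_rtp_disabled" if dword(event["Details"]) == 1 else None
    if key == TP_VALUE:
        return "defender_tamper_protection_off" if dword(event["Details"]) == 0 else None
    if parent == RUNONCE_KEY:
        if WEXTRACT_CLEANUP.match(event["Details"]):
            return "installer_cleanup_runonce"  # self-extractor housekeeping, not persistence
        return "runonce_persistence"
    return None


def triage(events):
    """Distinct labels per writing process, in the order first seen."""
    seen = defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label and label not in seen[ev["Image"]]:
            seen[ev["Image"]].append(label)
    return dict(seen)


HEALER = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2932.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3e5e80faa6b50bcf6cec47abb50d2bd5b32e0a4f90ff12c4a429b46b7928caf6.exe"
RTP = r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"

# Constructed events mirroring the report's rows (indices 0-6), plus two invented
# contrast cases: a RunOnce entry that is real persistence (7) and a benign write (8).
EVENTS = [
    {"EventID": 13, "Image": HEALER, "TargetObject": RTP + r"\DisableBehaviorMonitoring", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": HEALER, "TargetObject": RTP + r"\DisableIOAVProtection", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": HEALER, "TargetObject": RTP + r"\DisableOnAccessProtection", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": HEALER, "TargetObject": RTP + r"\DisableRealtimeMonitoring", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": HEALER, "TargetObject": RTP + r"\DisableScanOnRealtimeEnable", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": HEALER,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "Details": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Roaming\updater.exe",  # invented
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\updater",
     "Details": r"C:\Users\Admin\AppData\Roaming\updater.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",  # invented benign write
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for image, labels in triage(EVENTS).items():
        print(f"{image}\n    {', '.join(labels)}")
```

The normalisation step matters more than it looks: the report records the native \REGISTRY\MACHINE\...\WOW6432Node form, Sysmon records HKLM\..., and a 64-bit writer would omit WOW6432Node altogether, so a rule keyed on the raw string misses two of the three.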

System Location Discovery: System Language Discovery

discovery
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by each of:
    C:\Users\Admin\AppData\Local\Temp\3e5e80faa6b50bcf6cec47abb50d2bd5b32e0a4f90ff12c4a429b46b7928caf6.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un107615.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2932.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3234.exe
  Target: N/A for every row.

This key holds the installed and default system language, and reading it is how user-mode code commonly resolves the system locale, which is why the two self-extractor stubs touch it as well as the payloads. On its own it is a low-signal indicator; it matters only if a payload gates its behaviour on the result, which the report does not show.

Suspicious behavior: EnumeratesProcesses

  2 rows, both from C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2932.exe; Description, Indicator and Target are N/A.

Suspicious use of AdjustPrivilegeToken

  Token: SeDebugPrivilege   C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2932.exe   Indicator: N/A; Target: N/A
  Token: SeDebugPrivilege   C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3234.exe    Indicator: N/A; Target: N/A

Only the two dropped payloads enable SeDebugPrivilege; the two self-extractor stubs do not. SeDebugPrivilege lets a process open any other process for read, write or terminate regardless of who owns it, which is what enumerating processes and then acting on them requires; pro2932.exe is also the process that enumerates processes above.

Suspicious use of WriteProcessMemory

  PID 864  -> PID 1060, 3 writes
    C:\Users\Admin\AppData\Local\Temp\3e5e80faa6b50bcf6cec47abb50d2bd5b32e0a4f90ff12c4a429b46b7928caf6.exe -> C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un107615.exe
  PID 1060 -> PID 5008, 3 writes
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un107615.exe -> C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2932.exe
  PID 1060 -> PID 1560, 3 writes
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un107615.exe -> C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3234.exe
  Indicator: N/A for every row.

Every write goes from a process into a child it has just launched, three writes per child, and nothing writes into a process it did not create. That is the footprint of ordinary process creation (the parent writes the new process's startup parameters into it), not of code injection. The rows are useful here mainly because they supply the PIDs and the parent-child relationships of the process tree below.

Processes

Process tree (PIDs from the WriteProcessMemory and WerFault rows; each entry is the image path, then its command line):

  864   C:\Users\Admin\AppData\Local\Temp\3e5e80faa6b50bcf6cec47abb50d2bd5b32e0a4f90ff12c4a429b46b7928caf6.exe
        "C:\Users\Admin\AppData\Local\Temp\3e5e80faa6b50bcf6cec47abb50d2bd5b32e0a4f90ff12c4a429b46b7928caf6.exe"
  1060    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un107615.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un107615.exe
  5008      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2932.exe
            C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2932.exe
  1560      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3234.exe
            C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3234.exe

Windows Error Reporting instances for the crash of PID 5008 (pro2932.exe); their own PIDs and parents are not in the report:

  C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5008 -ip 5008
  C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 1080

The -p 5008 argument ties both WerFault invocations to pro2932.exe, so the "Program crash" signature refers to the component that performs the Defender registry writes, and the SysWOW64 WerFault confirms it is a 32-bit process. qu3234.exe (PID 1560) is not reported as crashing.
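The WriteProcessMemory rows and the WerFault command lines carry enough to rebuild this lineage mechanically and to test the claim that every write is parent-into-own-child rather than injection. The Python below is an added example, not code from the report or the sandbox. The WRITES descriptions are copied from the report; the CREATIONS list (PID, parent PID, image) is constructed to stand in for process-creation telemetry such as Sysmon Event ID 1, with the parent of PID 864 unknown and recorded as 0; the final write (5008 into 1560) is invented to show what the check flags.

```python
"""Rebuild the process tree from 'PID A wrote to memory of B' rows and separate
writes that accompany process creation (parent -> its own child) from writes into
unrelated processes. Added example; CREATIONS is constructed telemetry and the
last WRITES entry is an invented injection case for contrast."""
import re
from collections import Counter

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\3e5e80faa6b50bcf6cec47abb50d2bd5b32e0a4f90ff12c4a429b46b7928caf6.exe"
UN107615 = TEMP + r"\IXP000.TMP\un107615.exe"
PRO2932 = TEMP + r"\IXP001.TMP\pro2932.exe"
QU3234 = TEMP + r"\IXP001.TMP\qu3234.exe"

# (pid, parent pid, image): constructed stand-in for process-creation events, using
# the PIDs that appear in the report's WriteProcessMemory rows.
CREATIONS = [
    (864, 0, SAMPLE),  # parent not in the report; 0 is a placeholder
    (1060, 864, UN107615),
    (5008, 1060, PRO2932),
    (1560, 1060, QU3234),
]

# Description strings copied from the report, plus one invented row (5008 -> 1560)
WRITES = (
    ["PID 864 wrote to memory of 1060"] * 3
    + ["PID 1060 wrote to memory of 5008"] * 3
    + ["PID 1060 wrote to memory of 1560"] * 3
    + ["PID 5008 wrote to memory of 1560"]  # invented: writer is not the target's parent
)

WERFAULT_CMDLINES = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5008 -ip 5008",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 1080",
]

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_write(desc: str):
    m = WRITE_RE.fullmatch(desc.strip())
    if not m:
        raise ValueError(f"unrecognised row: {desc!r}")
    return int(m.group(1)), int(m.group(2))


def build_tree(creations):
    """pid -> {'image', 'parent', 'children'}"""
    tree = {pid: {"image": img, "parent": ppid, "children": []} for pid, ppid, img in creations}
    for pid, ppid, _ in creations:
        if ppid in tree:
            tree[ppid]["children"].append(pid)
    return tree


def classify_writes(writes, tree):
    """Count writes per (writer, target) and label each pair: a write into a process
    whose parent is the writer is what CreateProcess produces; anything else is a
    cross-process write worth a closer look."""
    counts = Counter(parse_write(w) for w in writes)
    out = {}
    for (src, dst), n in counts.items():
        is_child = tree.get(dst, {}).get("parent") == src
        out[(src, dst)] = ("process_creation_write" if is_child else "cross_process_write", n)
    return out


def crashed_pids(cmdlines):
    """WerFault is invoked with -p <pid> for the faulting process."""
    found = set()
    for c in cmdlines:
        m = re.search(r"\s-p\s+(\d+)", c)
        if m:
            found.add(int(m.group(1)))
    return sorted(found)


def render(tree, root, depth=0):
    node = tree[root]
    lines = [f"{'  ' * depth}{root}  {node['image']}"]
    for child in node["children"]:
        lines.extend(render(tree, child, depth + 1))
    return lines


if __name__ == "__main__":
    tree = build_tree(CREATIONS)
    print("\n".join(render(tree, 864)))
    for (src, dst), (label, n) in classify_writes(WRITES, tree).items():
        print(f"{src} -> {dst}: {label} x{n}")
    for pid in crashed_pids(WERFAULT_CMDLINES):
        print(f"WerFault handled PID {pid} ({tree[pid]['image']})")
```

In a real investigation the CREATIONS list comes from your EDR or Sysmon, and the interesting output is any cross_process_write pair; on this report's own rows there is none.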

Network

  Country  Destination           Domain (PTR query name)         Proto
  US       8.8.8.8:53            8.8.8.8.in-addr.arpa            udp
  US       8.8.8.8:53            13.86.106.20.in-addr.arpa       udp
  US       8.8.8.8:53            83.210.23.2.in-addr.arpa        udp
  US       8.8.8.8:53            68.159.190.20.in-addr.arpa      udp
  RU       176.113.115.145:4125                                  tcp
  US       8.8.8.8:53            15.164.165.52.in-addr.arpa      udp
  US       8.8.8.8:53            56.163.245.4.in-addr.arpa       udp
  US       8.8.8.8:53            240.221.184.93.in-addr.arpa     udp
  US       8.8.8.8:53            232.168.11.51.in-addr.arpa      udp
  RU       176.113.115.145:4125                                  tcp
  RU       176.113.115.145:4125                                  tcp
  US       8.8.8.8:53            172.210.232.199.in-addr.arpa    udp
  RU       176.113.115.145:4125                                  tcp
  RU       176.113.115.145:4125                                  tcp
  RU       176.113.115.145:4125                                  tcp

Two kinds of traffic are in this table. The UDP rows are reverse (PTR) lookups sent to Google's resolver; the Domain column is the query name, and its octets read backwards give the address being asked about (13.86.106.20.in-addr.arpa asks about 20.106.86.13). None of those addresses is otherwise contacted in the report, so they are consistent with Windows background activity rather than the sample; the report does not attribute them. The only direct connection is TCP to 176.113.115.145:4125, made six times, on a non-standard port, with no forward DNS query for it anywhere in the table, which means a hard-coded address. That is the pattern of a command-and-control endpoint and the one network indicator worth acting on; the report does not say which process opened the connections or what was exchanged.
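Splitting a table like this into decoded PTR lookups and direct connections is a small but recurring triage step. The Python below is an added example, not part of the report; NETWORK_ROWS is transcribed from the table above, and the classification rule (UDP to port 53 with an in-addr.arpa name is a lookup, everything else is a direct connection) is this example's own.

```python
"""Split the report's Network table into DNS reverse lookups (decoded back to the
addresses they asked about) and direct connections. Added example; NETWORK_ROWS
is transcribed from the report."""
import re
from collections import Counter

# (country, destination, domain, proto) exactly as listed in the report
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "13.86.106.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "83.210.23.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "68.159.190.20.in-addr.arpa", "udp"),
    ("RU", "176.113.115.145:4125", "", "tcp"),
    ("US", "8.8.8.8:53", "15.164.165.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "56.163.245.4.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "240.221.184.93.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "232.168.11.51.in-addr.arpa", "udp"),
    ("RU", "176.113.115.145:4125", "", "tcp"),
    ("RU", "176.113.115.145:4125", "", "tcp"),
    ("US", "8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
    ("RU", "176.113.115.145:4125", "", "tcp"),
    ("RU", "176.113.115.145:4125", "", "tcp"),
    ("RU", "176.113.115.145:4125", "", "tcp"),
]

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.I)


def ptr_to_ip(name: str):
    """'13.86.106.20.in-addr.arpa' is the PTR name for 20.106.86.13 (octets reversed)."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def split_dest(dest: str):
    host, _, port = dest.rpartition(":")
    return host, int(port)


def summarize(rows):
    """Separate resolver traffic from everything else."""
    resolvers, ptr_targets, direct = set(), [], Counter()
    for country, dest, domain, proto in rows:
        host, port = split_dest(dest)
        ip = ptr_to_ip(domain)
        if proto == "udp" and port == 53 and ip:
            resolvers.add(host)
            ptr_targets.append(ip)  # report order, duplicates kept
        else:
            direct[(host, port, proto, country)] += 1
    return {
        "resolvers": sorted(resolvers),
        "ptr_lookups": ptr_targets,
        "direct_connections": dict(direct),
    }


def direct_iocs(summary):
    """host:port/proto pairs contacted without any name resolution in the table,
    i.e. addresses the sample already knew."""
    return sorted(f"{h}:{p}/{proto}" for (h, p, proto, _c) in summary["direct_connections"])


if __name__ == "__main__":
    s = summarize(NETWORK_ROWS)
    print("Resolvers:", s["resolvers"])
    print("PTR lookups for:", ", ".join(s["ptr_lookups"]))
    print("Direct connections:", s["direct_connections"])
    print("IOCs:", direct_iocs(s))
```

The decoded PTR targets are what you would check against your own outbound allow-lists before deciding they are noise; the direct_iocs output is what goes into the block list.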

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un107615.exe
  MD5    3c6870a8ae11e65b2dc8ef71f2e2c0ac
  SHA1   02cee9077b44ebc8cdbb49cf67fab762459f5578
  SHA256 598603509aa88eaccebcb4ecb906dbdcdac272e77d9b82e40a0f32dade03b61c
  SHA512 253a4b8cdb94978e54f149eefc6b359e0f73d7b46b38c3b9369db6fb41f028dd7198afeaac5719e42b3e1bb82175b6ed65a290755bf205e7d80c5b74070b1f3f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2932.exe
  MD5    e7b73dee8f8f440b73bc16b4a429aaf6
  SHA1   b23b7c70d0bd5c09fe2ea338424537b6ef0ab4ea
  SHA256 ecd21b5ede638a357976872f557dedcbaea3e22202caa285d77fae855c26be5b
  SHA512 d26f6cc8c6cab368a9775571e220026d91ee5c66b4230ecbf1a881110c0017f1c4a3516d08462e16642f9384fe57adfb3d970f96c7074376a704813cfef5e19d

  Memory dumps of PID 5008 (pro2932.exe), named memory/5008-<n>-<start>-<end>-memory.dmp; a region dumped repeatedly is listed once with all its <n> values:
    0x0000000000400000-0x0000000000430000   n = 16, 50, 54
    0x0000000000400000-0x0000000002B7E000   n = 20, 51, 53
    0x0000000002E50000-0x0000000002F50000   n = 15, 49
    0x0000000004AE0000-0x0000000004AFA000   n = 17
    0x0000000004CB0000-0x0000000004CC8000   n = 19
    0x0000000004CB0000-0x0000000004CC2000   n = 21, 22, 24, 26, 29, 30, 32, 34, 36, 38, 40, 42, 44, 46, 48
    0x0000000007130000-0x00000000076D4000   n = 18

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3234.exe
  MD5    e46362b503aabdd187624f53b0e561af
  SHA1   315d07435b43e35bdbc0a5a4cd8ce38c14ecaab0
  SHA256 3b4c3645575673a7a49baabfd818e833a1bbe58a5fdc3424f869f6b263a2dc6e
  SHA512 d4758a01a5a18915cf4dd855f9acd5cb06b214658a87ab90dc7b002eef72c29a80a678fc469e1f145c62e9b0f353c3a543416fafd6d4288488b68d4398b99ead

  Memory dumps of PID 1560 (qu3234.exe), same naming:
    0x0000000004860000-0x00000000048A6000   n = 59
    0x0000000004C70000-0x0000000004CB4000   n = 60
    0x0000000004C70000-0x0000000004CAF000   n = 61, 62, 64, 66, 68, 70, 72, 74, 76, 78, 80, 82, 84, 86, 88, 90, 92, 94
    0x00000000072A0000-0x00000000072B2000   n = 969
    0x00000000072C0000-0x00000000072FC000   n = 970
    0x0000000007900000-0x0000000007F18000   n = 967
    0x0000000007F20000-0x000000000802A000   n = 968
    0x0000000008130000-0x000000000817C000   n = 971

All addresses are below 4 GiB and the 0x00400000 base of PID 5008 is the default image base of a 32-bit executable, consistent with the SysWOW64 WerFault instance. The dropped files' hashes above, together with the sample's own SHA256 and the 176.113.115.145:4125 endpoint, are the indicators this report supports.