Malware Analysis Report

2024-11-15 09:56

Sample ID 241110-bs6lwawjax
Target 1288647ac8dea85b6aecae611c77b261c1d9db75c64f9473e3140edfe7972e46
SHA256 1288647ac8dea85b6aecae611c77b261c1d9db75c64f9473e3140edfe7972e46
Tags
healer redline dona discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1288647ac8dea85b6aecae611c77b261c1d9db75c64f9473e3140edfe7972e46

Threat Level: Known bad

The file 1288647ac8dea85b6aecae611c77b261c1d9db75c64f9473e3140edfe7972e46 was found to be: Known bad.

Malicious Activity Summary

healer redline dona discovery dropper evasion infostealer persistence trojan

RedLine

Detects Healer an antivirus disabler dropper

Healer family

Redline family

Healer

RedLine payload

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:25

Signatures

Unsigned PE

No description, indicator, process or target was exported for this signature.

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:25

Reported

2024-11-10 01:28

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1288647ac8dea85b6aecae611c77b261c1d9db75c64f9473e3140edfe7972e46.exe"

Signatures

Detects Healer an antivirus disabler dropper

17 rule matches recorded; the sandbox exported no description, indicator, process or target for any of them.

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
k6061838.exe (PID 4264) set five Real-Time Protection policy values to 1. All five writes are recorded under the WOW6432Node view of HKLM\SOFTWARE (k6061838.exe is a 32-bit process, as its memory map below shows); when hunting on a live host, query both that path and the native HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection key. Whether Defender honoured the values is not something this report measures; the write attempt itself is the detection signal.
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6061838.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6061838.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6061838.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6061838.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6061838.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6061838.exe N/A

RedLine

infostealer redline

RedLine payload

2 rule matches recorded; the sandbox exported no description, indicator, process or target for them.

Redline family

redline

Windows security modification

evasion trojan
The same process also wrote TamperProtection = 0 under the Defender Features key, again in the WOW6432Node view. Tamper protection exists to block exactly this kind of registry edit, and the report does not show whether the write took effect; treat the attempt, not the outcome, as the indicator.
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6061838.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6061838.exe N/A

Adds Run key to start application

persistence
Neither RunOnce value starts a payload. Both are the cleanup entries a wextract (IExpress) self-extractor registers so that rundll32 advpack.dll,DelNodeRunDLL32 deletes its IXPnnn.TMP extraction folder at the next logon: the sample registers deletion of IXP000.TMP, and y0782878.exe (itself extracted into IXP000.TMP) registers deletion of IXP001.TMP, which shows two nested self-extracting packages. These entries remove evidence; the report records no Run or RunOnce value that relaunches any of the dropped executables.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1288647ac8dea85b6aecae611c77b261c1d9db75c64f9473e3140edfe7972e46.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0782878.exe N/A
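The three registry tables above (Real-Time Protection policy values, the Features\TamperProtection write, and the RunOnce entries) can be triaged with one parser. The Python below is an added example written for this report, not code from the sandbox or from the malware. It assumes the row layout used on this page (the process and target are the last two space-free tokens; value data is double-quoted), embeds the page's own rows as its input, and adds one constructed HKLM\...\Run entry (Updater = svc.exe, invented for contrast and not observed in this analysis) so the autostart rule has a non-cleanup case to distinguish from the wextract cleanup entries.

```python
"""Triage the registry rows above: Defender policy tampering vs. autostart writes.
Added example, not part of the sandbox report. Row layout assumed as on this page:
<op> <key>[ = "<data>"] <process> <target>, with process/target free of spaces."""
import re
from collections import Counter

# Constructed input: the rows from the three tables above, plus ONE made-up
# HKLM\...\Run entry (Updater -> svc.exe) so a genuine autostart shows up for contrast.
SAMPLE_EVENTS = r'''
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6061838.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6061838.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6061838.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6061838.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6061838.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6061838.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6061838.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6061838.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1288647ac8dea85b6aecae611c77b261c1d9db75c64f9473e3140edfe7972e46.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0782878.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\svc.exe" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3341304.exe N/A
'''

SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (.*?) = "(.*)"$')
RTP_DISABLE_VALUES = {"DisableBehaviorMonitoring", "DisableIOAVProtection",
                      "DisableOnAccessProtection", "DisableRealtimeMonitoring",
                      "DisableScanOnRealtimeEnable"}
# rundll32 advpack.dll,DelNodeRunDLL32 "<dir>\IXPnnn.TMP\" is the entry a wextract
# (IExpress) self-extractor registers to delete its own extraction folder.
WEXTRACT_CLEANUP_RE = re.compile(r"advpack\.dll,DelNodeRunDLL32 .*IXP\d{3}\.TMP", re.I)


def parse_event(line):
    """Split one row into a dict, or return None for rows in another layout."""
    parts = line.strip().rsplit(None, 2)
    if len(parts) != 3:
        return None
    head, process, target = parts
    ev = {"process": process, "target": target, "name": None, "type": None, "data": None}
    if head.startswith("Key created "):
        ev.update(op="key_created", key=head[len("Key created "):])
        return ev
    m = SET_VALUE_RE.match(head)
    if not m:
        return None
    vtype, full_path, data = m.groups()
    key, _, name = full_path.rpartition("\\")
    ev.update(op="set_value", key=key, name=name, type=vtype, data=data)
    return ev


def normalize_key(key):
    """Map \\REGISTRY\\MACHINE\\... to HKLM\\...; strip the WOW6432Node view and remember it."""
    if key.upper().startswith("\\REGISTRY\\MACHINE\\"):
        key = "HKLM\\" + key[len("\\REGISTRY\\MACHINE\\"):]
    wow64 = "\\WOW6432NODE\\" in key.upper()
    if wow64:
        key = re.sub(r"\\WOW6432Node\\", lambda _m: "\\", key, flags=re.I)
    return key, wow64


def classify(ev):
    """Return (severity, rule) for events worth reporting, else None."""
    ku = normalize_key(ev["key"])[0].upper()
    name, data = ev["name"] or "", ev["data"]
    if ku.endswith("\\POLICIES\\MICROSOFT\\WINDOWS DEFENDER\\REAL-TIME PROTECTION"):
        if ev["op"] == "set_value" and name in RTP_DISABLE_VALUES and data == "1":
            return "high", "defender_rtp_disabled_by_policy"
        return "info", "defender_rtp_policy_key_touched"
    if ku.endswith("\\MICROSOFT\\WINDOWS DEFENDER\\FEATURES"):
        if name.lower() == "tamperprotection" and data == "0":
            return "high", "defender_tamper_protection_off"
        return "info", "defender_features_key_touched"
    if ku.endswith("\\CURRENTVERSION\\RUN") or ku.endswith("\\CURRENTVERSION\\RUNONCE"):
        if data and WEXTRACT_CLEANUP_RE.search(data):
            return "low", "wextract_cleanup_runonce"   # evidence removal, not a payload autostart
        return "medium", "autostart_entry"
    return None


def triage(text):
    """Parse every row and return the classified findings in table order."""
    findings = []
    for line in text.strip().splitlines():
        ev = parse_event(line)
        cls = classify(ev) if ev else None
        if cls is None:
            continue
        key, wow64 = normalize_key(ev["key"])
        findings.append({"severity": cls[0], "rule": cls[1], "key": key, "wow64": wow64,
                         "name": ev["name"], "data": ev["data"],
                         "process": ev["process"].rsplit("\\", 1)[-1]})
    return findings


def summarize(findings):
    """Count findings per (severity, rule)."""
    return Counter((f["severity"], f["rule"]) for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['severity']:<6} {f['rule']:<34} {f['process']:<14} {f['name'] or ''}={f['data'] or ''}")
```

Run against the page's rows this yields five high findings for the Real-Time Protection policy values and one for TamperProtection, all from k6061838.exe, while both RunOnce entries drop to low as wextract cleanup; only the constructed Run\Updater entry is reported as a real autostart. The WOW6432Node flag is kept on each finding so a host-side hunt knows which registry view to query.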

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0782878.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6061838.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3341304.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1288647ac8dea85b6aecae611c77b261c1d9db75c64f9473e3140edfe7972e46.exe N/A

Suspicious behavior: EnumeratesProcesses

Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6061838.exe (two events; no description, indicator or target exported)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6061838.exe N/A

Suspicious use of WriteProcessMemory

Each dropped executable receives three writes from the process that launched it (PID 740 is the sample, PID 892 is y0782878.exe), and every target is the writer's own child in the extraction chain. These rows document the drop chain; they are not evidence of injection into a process that existed before the sample ran.
Description Indicator Process Target
PID 740 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\1288647ac8dea85b6aecae611c77b261c1d9db75c64f9473e3140edfe7972e46.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0782878.exe
PID 740 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\1288647ac8dea85b6aecae611c77b261c1d9db75c64f9473e3140edfe7972e46.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0782878.exe
PID 740 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\1288647ac8dea85b6aecae611c77b261c1d9db75c64f9473e3140edfe7972e46.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0782878.exe
PID 892 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0782878.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6061838.exe
PID 892 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0782878.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6061838.exe
PID 892 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0782878.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6061838.exe
PID 892 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0782878.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3341304.exe
PID 892 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0782878.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3341304.exe
PID 892 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0782878.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3341304.exe
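The rows above describe the drop chain only implicitly. The Python below, an added example and not part of the sandbox report, rebuilds the process tree from them, counts writes per parent/child edge, and flags any write whose target is not a file staged under an IXPnnn.TMP folder. Its input is the nine rows from the table plus one constructed row (PID 4240 writing into a hypothetical pre-existing notepad.exe, PID 5000) that this report did not observe; it is there only so the cross-chain check has something to flag.

```python
"""Rebuild the drop chain from the 'Suspicious use of WriteProcessMemory' rows.
Added example, not part of the sandbox report. Each row reads
'PID <src> wrote to memory of <dst> N/A <src image> <dst image>'."""
import re
from collections import Counter, defaultdict

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
# Files the self-extractor chain dropped live under %TEMP%\IXPnnn.TMP\.
STAGING_RE = re.compile(r"\\IXP\d{3}\.TMP\\", re.I)

# Constructed input: the nine rows of the table above, plus ONE made-up row
# (PID 4240 writing into a hypothetical pre-existing notepad.exe, PID 5000) so
# the cross-chain check has something to flag. This report did not observe it.
SAMPLE_WRITES = r"""
PID 740 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\1288647ac8dea85b6aecae611c77b261c1d9db75c64f9473e3140edfe7972e46.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0782878.exe
PID 740 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\1288647ac8dea85b6aecae611c77b261c1d9db75c64f9473e3140edfe7972e46.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0782878.exe
PID 740 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\1288647ac8dea85b6aecae611c77b261c1d9db75c64f9473e3140edfe7972e46.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0782878.exe
PID 892 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0782878.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6061838.exe
PID 892 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0782878.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6061838.exe
PID 892 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0782878.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6061838.exe
PID 892 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0782878.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3341304.exe
PID 892 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0782878.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3341304.exe
PID 892 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0782878.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3341304.exe
PID 4240 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3341304.exe C:\Windows\System32\notepad.exe
"""


def parse_writes(text):
    """Return (write count per (src, dst) edge, image path per PID)."""
    edges, images = Counter(), {}
    for line in text.strip().splitlines():
        m = WRITE_RE.match(line)
        if not m:
            continue
        src, dst, src_img, dst_img = m.groups()
        src, dst = int(src), int(dst)
        edges[(src, dst)] += 1
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
    return edges, images


def build_tree(edges):
    """Roots are writers nobody wrote into; children keep first-seen order."""
    children = defaultdict(list)
    for src, dst in edges:
        if dst not in children[src]:
            children[src].append(dst)
    written_into = {dst for _, dst in edges}
    roots = sorted({src for src, _ in edges} - written_into)
    return roots, children


def render_tree(edges, images):
    """Indented text tree: PID, image basename, and write count from the parent."""
    roots, children = build_tree(edges)
    lines = []

    def walk(pid, depth, parent):
        base = images[pid].rsplit("\\", 1)[-1]
        note = f"  [{edges[(parent, pid)]} write(s) from {parent}]" if parent is not None else ""
        lines.append(f"{'  ' * depth}{pid} {base}{note}")
        for child in children.get(pid, []):
            walk(child, depth + 1, pid)

    for root in roots:
        walk(root, 0, None)
    return "\n".join(lines)


def writes_outside_chain(edges, images):
    """Edges whose target image is not a file dropped under an IXPnnn.TMP folder."""
    return sorted((src, dst) for src, dst in edges if not STAGING_RE.search(images[dst]))


if __name__ == "__main__":
    edges, images = parse_writes(SAMPLE_WRITES)
    print(render_tree(edges, images))
    print("writes outside the drop chain:", writes_outside_chain(edges, images))
```

For the report's own rows the tree is 740 > 892 > {4264, 4240} with three writes per edge and nothing flagged; only the constructed notepad.exe row is returned by writes_outside_chain, which is the shape a real injection into a pre-existing process would take in this table.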

Processes

Process tree, with PIDs and parentage taken from the WriteProcessMemory rows and the memory-dump names on this page; each entry gives the image path followed by its command line:

PID 740  C:\Users\Admin\AppData\Local\Temp\1288647ac8dea85b6aecae611c77b261c1d9db75c64f9473e3140edfe7972e46.exe
         "C:\Users\Admin\AppData\Local\Temp\1288647ac8dea85b6aecae611c77b261c1d9db75c64f9473e3140edfe7972e46.exe"

  PID 892  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0782878.exe  (parent 740; inner self-extractor, registers cleanup of IXP001.TMP)
           C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0782878.exe

    PID 4264  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6061838.exe  (parent 892; Defender policy tampering, TamperProtection = 0, SeDebugPrivilege, process enumeration)
              C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6061838.exe

    PID 4240  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3341304.exe  (parent 892; reads the NLS\Language key; no further behaviour is attributed to it on this page)
              C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3341304.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
CY 217.196.96.101:4132 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
CY 217.196.96.101:4132 tcp
CY 217.196.96.101:4132 tcp
CY 217.196.96.101:4132 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
CY 217.196.96.101:4132 tcp
CY 217.196.96.101:4132 tcp
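Most rows in the Network table are reverse (in-addr.arpa) lookups sent to 8.8.8.8; the only direct connection is the one to 217.196.96.101:4132, repeated six times with no name resolved for it. The Python below is an added example, not part of the sandbox report: it parses the table as printed on this page, decodes each PTR name back to the IP it asks about, and lists repeated TCP endpoints on non-standard ports as candidate C2. The port allow-list is an assumption for this example. The attribution rests on repetition and the unusual port only; the report captured no payload for that connection, and the reverse lookups cannot be tied to any of the dropped executables from this page alone.

```python
"""Summarise the Network table: reverse lookups versus direct TCP connections.
Added example, not part of the sandbox report. Rows read
'<country> <ip>:<port> [<domain>] <proto>'; the domain column is empty for the
raw TCP connections, so a row has either four or three fields."""
import ipaddress
from collections import Counter

# Constructed input: the 17 rows of the Network table above, header included.
SAMPLE_NETWORK = """
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
CY 217.196.96.101:4132 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
CY 217.196.96.101:4132 tcp
CY 217.196.96.101:4132 tcp
CY 217.196.96.101:4132 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
CY 217.196.96.101:4132 tcp
CY 217.196.96.101:4132 tcp
"""

# Assumption for this example: ports a Windows guest talks to routinely.
WELL_KNOWN_PORTS = {53, 80, 443}


def ptr_to_ip(name):
    """Decode 'd.c.b.a.in-addr.arpa' back to 'a.b.c.d'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ipaddress.AddressValueError:
        return None


def parse_rows(text):
    """Parse table rows into dicts; the header and malformed rows are skipped."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        host, sep, port = dest.rpartition(":")
        if not sep or not port.isdigit():
            continue  # header row, or a destination that is not ip:port
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def summarize(rows):
    """Reverse lookups keyed by the IP asked about; TCP flows keyed by endpoint."""
    lookups, flows = Counter(), Counter()
    for r in rows:
        ip = ptr_to_ip(r["domain"]) if r["domain"] else None
        if ip is not None:
            lookups[ip] += 1
        elif r["proto"] == "tcp":
            flows[(r["host"], r["port"], r["country"])] += 1
    return {"reverse_lookups": lookups, "tcp_flows": flows}


def c2_candidates(summary, min_connections=2):
    """Endpoints contacted repeatedly on a port outside WELL_KNOWN_PORTS."""
    out = [{"host": h, "port": p, "country": c, "connections": n}
           for (h, p, c), n in summary["tcp_flows"].items()
           if n >= min_connections and p not in WELL_KNOWN_PORTS]
    return sorted(out, key=lambda e: -e["connections"])


if __name__ == "__main__":
    s = summarize(parse_rows(SAMPLE_NETWORK))
    print("reverse lookups for:", ", ".join(sorted(s["reverse_lookups"])))
    for cand in c2_candidates(s):
        print(f"candidate C2: {cand['host']}:{cand['port']} ({cand['country']}) x{cand['connections']}")
```

On this table the result is eleven reverse lookups for eleven distinct IPs and a single candidate, 217.196.96.101:4132 (CY) with six connections. Block the endpoint and hunt for the same ip:port pair in proxy and firewall logs; the decoded PTR targets are worth a look only if they recur across other detonations.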

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0782878.exe

MD5 23f77b10894a85f9b6b71c157fe53e8b
SHA1 667025c3f90f621d50da89e4affd997238ae2e8c
SHA256 fdc7ddfe40fcd67c1cb84fd9e1e5b1577455b815e05a17ffe4fffec1180849bc
SHA512 350b5d58f280637202f2db038c5603028e6942194a4bab24f15bf7e7551b79f5f9274492dd3073baa7855ec8dc74228b91432eea0bdd5398fe1ca58f47532d8f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6061838.exe

MD5 017f32bf1e2c855ce065413ac0cf4dff
SHA1 aae9f0f7d0006625bb08cf4ad7e8277ec15e715b
SHA256 ee3ac8b53ee32c45b547d5f08a0a9508380adb3cf4526b4eebef494da717ce90
SHA512 09b7ca41a737076fe32990427e12b5631740fdedf83e6d2b77e7c3ce40a76adfd814ebe0c6e6a8b0e714f730dbd1541eb58d461b5fab9d85f03c89d33fda1f64

memory/4264-14-0x00000000741AE000-0x00000000741AF000-memory.dmp

memory/4264-15-0x00000000022D0000-0x00000000022EA000-memory.dmp

memory/4264-16-0x00000000741A0000-0x0000000074950000-memory.dmp

memory/4264-17-0x0000000004A40000-0x0000000004FE4000-memory.dmp

memory/4264-18-0x0000000004990000-0x00000000049A8000-memory.dmp

memory/4264-19-0x00000000741A0000-0x0000000074950000-memory.dmp

memory/4264-20-0x00000000741A0000-0x0000000074950000-memory.dmp

memory/4264-44-0x0000000004990000-0x00000000049A2000-memory.dmp

memory/4264-42-0x0000000004990000-0x00000000049A2000-memory.dmp

memory/4264-40-0x0000000004990000-0x00000000049A2000-memory.dmp

memory/4264-38-0x0000000004990000-0x00000000049A2000-memory.dmp

memory/4264-36-0x0000000004990000-0x00000000049A2000-memory.dmp

memory/4264-34-0x0000000004990000-0x00000000049A2000-memory.dmp

memory/4264-32-0x0000000004990000-0x00000000049A2000-memory.dmp

memory/4264-30-0x0000000004990000-0x00000000049A2000-memory.dmp

memory/4264-28-0x0000000004990000-0x00000000049A2000-memory.dmp

memory/4264-26-0x0000000004990000-0x00000000049A2000-memory.dmp

memory/4264-24-0x0000000004990000-0x00000000049A2000-memory.dmp

memory/4264-22-0x0000000004990000-0x00000000049A2000-memory.dmp

memory/4264-21-0x0000000004990000-0x00000000049A2000-memory.dmp

memory/4264-46-0x0000000004990000-0x00000000049A2000-memory.dmp

memory/4264-48-0x0000000004990000-0x00000000049A2000-memory.dmp

memory/4264-49-0x00000000741AE000-0x00000000741AF000-memory.dmp

memory/4264-50-0x00000000741A0000-0x0000000074950000-memory.dmp

memory/4264-52-0x00000000741A0000-0x0000000074950000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3341304.exe

MD5 bb8e92929e74203edade37ee61cb27ef
SHA1 a81728d0fe983d72b5f284dad105b57708fd45cd
SHA256 746957ce5a0e22ea58c598c27c951ca0ea1db07e3b28729ab55ee3d41c5a0fc6
SHA512 6d3ea0f02e1732792293f62140c479d213a3eff4052bd081fa8f9468b96c96088adab261e678946c8bba34f2f9fc0445a2bce2b7071c2a24054620e8eea9b830

memory/4240-56-0x0000000000780000-0x00000000007B0000-memory.dmp

memory/4240-57-0x00000000027F0000-0x00000000027F6000-memory.dmp

memory/4240-58-0x00000000057A0000-0x0000000005DB8000-memory.dmp

memory/4240-59-0x0000000005310000-0x000000000541A000-memory.dmp

memory/4240-60-0x0000000005240000-0x0000000005252000-memory.dmp

memory/4240-61-0x00000000052A0000-0x00000000052DC000-memory.dmp

memory/4240-62-0x0000000005420000-0x000000000546C000-memory.dmp