Malware Analysis Report

2024-11-15 09:56

Sample ID 241110-bsgyhsyrbr
Target 306e1f227d460e2811161a9db8d2eb52a2368b2f98870fa146a9c299cc0a075c
SHA256 306e1f227d460e2811161a9db8d2eb52a2368b2f98870fa146a9c299cc0a075c
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 306e1f227d460e2811161a9db8d2eb52a2368b2f98870fa146a9c299cc0a075c was found to be: Known bad.

Malicious Activity Summary

Redline family

Detects Healer an antivirus disabler dropper

Healer

Healer family

Modifies Windows Defender Real-time Protection settings

RedLine payload

RedLine

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:24

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:24

Reported

2024-11-10 01:26

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\306e1f227d460e2811161a9db8d2eb52a2368b2f98870fa146a9c299cc0a075c.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\306e1f227d460e2811161a9db8d2eb52a2368b2f98870fa146a9c299cc0a075c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un839051.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\306e1f227d460e2811161a9db8d2eb52a2368b2f98870fa146a9c299cc0a075c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un839051.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk425345.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk425345.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1648 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\306e1f227d460e2811161a9db8d2eb52a2368b2f98870fa146a9c299cc0a075c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un839051.exe
PID 1648 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\306e1f227d460e2811161a9db8d2eb52a2368b2f98870fa146a9c299cc0a075c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un839051.exe
PID 1648 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\306e1f227d460e2811161a9db8d2eb52a2368b2f98870fa146a9c299cc0a075c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un839051.exe
PID 4452 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un839051.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe
PID 4452 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un839051.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe
PID 4452 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un839051.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe
PID 4452 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un839051.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk425345.exe
PID 4452 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un839051.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk425345.exe
PID 4452 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un839051.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk425345.exe

Processes

C:\Users\Admin\AppData\Local\Temp\306e1f227d460e2811161a9db8d2eb52a2368b2f98870fa146a9c299cc0a075c.exe

"C:\Users\Admin\AppData\Local\Temp\306e1f227d460e2811161a9db8d2eb52a2368b2f98870fa146a9c299cc0a075c.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un839051.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un839051.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4664 -ip 4664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk425345.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk425345.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un839051.exe

MD5 a816665649e8b31563038aab9464c6da
SHA1 a113ecef58936c2088e5b106cba26d267592bf23
SHA256 0b98a3d0a64632829d59796035197460f674dc1ded9cf8c536b597ea90556dbb
SHA512 011f42de856849dfb0b856743d557f63005ce8daa27717b55e1a2488b8e9193a5ecd6b7fdbe2e201d7871c3417fca120946ff7805bdf865e4650293ffbde52fe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe

MD5 8ec563df95566e56d6784a8e9bdb04d8
SHA1 547d38be6d52cd23baa1e86231f9ded7186dc1af
SHA256 6a2585cdd649bb863a04f967a955974677abd545e7dfc8a1bfedfa8759fb490a
SHA512 b8b9b4b9be6df8f462d1641295a9d6d679128713f9388233570aea31ae6a18402aa2ed8043c68e0b112ded39162f24469a1a903271c7f34cc81d71ae8ea7e9c9

memory/4664-15-0x0000000002EE0000-0x0000000002FE0000-memory.dmp
memory/4664-16-0x0000000002CE0000-0x0000000002D0D000-memory.dmp
memory/4664-17-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4664-18-0x0000000004880000-0x000000000489A000-memory.dmp
memory/4664-19-0x0000000007210000-0x00000000077B4000-memory.dmp
memory/4664-20-0x0000000004C30000-0x0000000004C48000-memory.dmp
memory/4664-46-0x0000000004C30000-0x0000000004C43000-memory.dmp
memory/4664-48-0x0000000004C30000-0x0000000004C43000-memory.dmp
memory/4664-44-0x0000000004C30000-0x0000000004C43000-memory.dmp
memory/4664-42-0x0000000004C30000-0x0000000004C43000-memory.dmp
memory/4664-41-0x0000000004C30000-0x0000000004C43000-memory.dmp
memory/4664-38-0x0000000004C30000-0x0000000004C43000-memory.dmp
memory/4664-37-0x0000000004C30000-0x0000000004C43000-memory.dmp
memory/4664-34-0x0000000004C30000-0x0000000004C43000-memory.dmp
memory/4664-26-0x0000000004C30000-0x0000000004C43000-memory.dmp
memory/4664-32-0x0000000004C30000-0x0000000004C43000-memory.dmp
memory/4664-30-0x0000000004C30000-0x0000000004C43000-memory.dmp
memory/4664-28-0x0000000004C30000-0x0000000004C43000-memory.dmp
memory/4664-24-0x0000000004C30000-0x0000000004C43000-memory.dmp
memory/4664-22-0x0000000004C30000-0x0000000004C43000-memory.dmp
memory/4664-21-0x0000000004C30000-0x0000000004C43000-memory.dmp
memory/4664-49-0x0000000002EE0000-0x0000000002FE0000-memory.dmp
memory/4664-50-0x0000000002CE0000-0x0000000002D0D000-memory.dmp
memory/4664-52-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4664-51-0x0000000000400000-0x0000000002B9D000-memory.dmp
memory/4664-55-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk425345.exe

MD5 a2bc961c8491d30c1e308fd1fc4cc7d7
SHA1 e6e365d715882b08ae649031b861b9519b25b4ca
SHA256 16116788d2c4eb69910c5f3ec7cbe2fdbb933ddbbef7699f408d56c7db5688af
SHA512 5093abe741ec3f4eac8534014770526c403f812450d446a6a9cd86343ab138362c63dfc49be0bbe7cc553726a5a69de20d12ae54179168e0876061675b53b860

memory/4664-54-0x0000000000400000-0x0000000002B9D000-memory.dmp
memory/3436-60-0x0000000004A40000-0x0000000004A7C000-memory.dmp
memory/3436-61-0x0000000007760000-0x000000000779A000-memory.dmp
memory/3436-73-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-77-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-95-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-93-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-91-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-87-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-85-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-83-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-81-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-79-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-75-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-71-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-69-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-89-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-67-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-65-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-63-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-62-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-854-0x0000000009C70000-0x000000000A288000-memory.dmp
memory/3436-855-0x000000000A330000-0x000000000A342000-memory.dmp
memory/3436-856-0x000000000A350000-0x000000000A45A000-memory.dmp
memory/3436-857-0x000000000A470000-0x000000000A4AC000-memory.dmp
memory/3436-858-0x00000000049B0000-0x00000000049FC000-memory.dmp