Malware Analysis Report

2024-11-15 09:56

Sample ID 241110-bstx3swjas
Target 4b0c8936ce99e0d4b8a39d0052d285b9b775f956b445e67622f1083302615572
SHA256 4b0c8936ce99e0d4b8a39d0052d285b9b775f956b445e67622f1083302615572
Tags
healer redline mango discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4b0c8936ce99e0d4b8a39d0052d285b9b775f956b445e67622f1083302615572

Threat Level: Known bad

The file 4b0c8936ce99e0d4b8a39d0052d285b9b775f956b445e67622f1083302615572 was found to be: Known bad.

Malicious Activity Summary

healer redline mango discovery dropper evasion infostealer persistence trojan

RedLine payload

Redline family

Modifies Windows Defender Real-time Protection settings

RedLine

Healer family

Detects Healer an antivirus disabler dropper

Healer

Executes dropped EXE

Windows security modification

Adds Run key to start application

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:24

Reported

2024-11-10 01:27

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b0c8936ce99e0d4b8a39d0052d285b9b775f956b445e67622f1083302615572.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43Lk65.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0581UU.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0581UU.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0581UU.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0581UU.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43Lk65.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43Lk65.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43Lk65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0581UU.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0581UU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43Lk65.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43Lk65.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0581UU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43Lk65.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43Lk65.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4b0c8936ce99e0d4b8a39d0052d285b9b775f956b445e67622f1083302615572.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice5018.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9914.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43Lk65.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dMWoU16.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4b0c8936ce99e0d4b8a39d0052d285b9b775f956b445e67622f1083302615572.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice5018.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9914.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0581UU.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43Lk65.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dMWoU16.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3664 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\4b0c8936ce99e0d4b8a39d0052d285b9b775f956b445e67622f1083302615572.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice5018.exe
PID 3664 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\4b0c8936ce99e0d4b8a39d0052d285b9b775f956b445e67622f1083302615572.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice5018.exe
PID 3664 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\4b0c8936ce99e0d4b8a39d0052d285b9b775f956b445e67622f1083302615572.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice5018.exe
PID 4348 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice5018.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9914.exe
PID 4348 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice5018.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9914.exe
PID 4348 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice5018.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9914.exe
PID 4676 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9914.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0581UU.exe
PID 4676 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9914.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0581UU.exe
PID 4676 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9914.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43Lk65.exe
PID 4676 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9914.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43Lk65.exe
PID 4676 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9914.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43Lk65.exe
PID 4348 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice5018.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dMWoU16.exe
PID 4348 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice5018.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dMWoU16.exe
PID 4348 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice5018.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dMWoU16.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4b0c8936ce99e0d4b8a39d0052d285b9b775f956b445e67622f1083302615572.exe

"C:\Users\Admin\AppData\Local\Temp\4b0c8936ce99e0d4b8a39d0052d285b9b775f956b445e67622f1083302615572.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice5018.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice5018.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9914.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9914.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0581UU.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0581UU.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43Lk65.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43Lk65.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2884 -ip 2884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dMWoU16.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dMWoU16.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.28:4125 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
RU 193.233.20.28:4125 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 193.233.20.28:4125 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
RU 193.233.20.28:4125 tcp
RU 193.233.20.28:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice5018.exe

MD5 a21c0899de10f83f6f0af9724d5df341
SHA1 c66bc530d8142006aa88d400c66908e7ad2cf007
SHA256 f7cbadf68b793cd3944931405d427650e428af3191f2d8b03dc86abcd8269567
SHA512 2308dcd66a0bfa9484e5521cb653995d5f24fdb4667c82acecc6b5920a66a087e8e85af594561aa68a5e3d75b2dd7ebd264ca8c83111f203fb846a0822dbba44

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9914.exe

MD5 8f297ca2a424e43dbfa1bf7c4ae5f531
SHA1 b9e609b6b714510d998c0d2f9769a3b09f7b2a8c
SHA256 4df26f7207ad26f2d7a131141fe63b7a45c7b459cb72d58227c6a045562c146d
SHA512 a1fbd8828a48bfe64a81cc74001135fcdce46e5f2d4d44d999757fabb68d5af835a275ea49df6b107beeebe8ce12613a61e542945983bd9dc8bb3e5953fd751c

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0581UU.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/3272-21-0x00007FFF14893000-0x00007FFF14895000-memory.dmp

memory/3272-22-0x0000000000210000-0x000000000021A000-memory.dmp

memory/3272-23-0x00007FFF14893000-0x00007FFF14895000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43Lk65.exe

MD5 708654838b475bc5924bf59f9f704cd9
SHA1 6da4adea6403175661f1d73a596868784897ad60
SHA256 d209bc7f3fb06f1c822cf11d0406cf5f6809b505ab834c077d1c5ee77cc9677f
SHA512 847e26cfd14ecd17ecc63ef9ca26854eb6219462d52a72be28062d3ddcf23a741ef2a3289e9c5324d64055a5a960eca3140423c11f113cc8617b7af0fe785ec0

memory/2884-29-0x0000000002570000-0x000000000258A000-memory.dmp

memory/2884-30-0x0000000004C00000-0x00000000051A4000-memory.dmp

memory/2884-31-0x0000000002750000-0x0000000002768000-memory.dmp

memory/2884-59-0x0000000002750000-0x0000000002762000-memory.dmp

memory/2884-57-0x0000000002750000-0x0000000002762000-memory.dmp

memory/2884-55-0x0000000002750000-0x0000000002762000-memory.dmp

memory/2884-53-0x0000000002750000-0x0000000002762000-memory.dmp

memory/2884-51-0x0000000002750000-0x0000000002762000-memory.dmp

memory/2884-49-0x0000000002750000-0x0000000002762000-memory.dmp

memory/2884-47-0x0000000002750000-0x0000000002762000-memory.dmp

memory/2884-45-0x0000000002750000-0x0000000002762000-memory.dmp

memory/2884-44-0x0000000002750000-0x0000000002762000-memory.dmp

memory/2884-41-0x0000000002750000-0x0000000002762000-memory.dmp

memory/2884-39-0x0000000002750000-0x0000000002762000-memory.dmp

memory/2884-37-0x0000000002750000-0x0000000002762000-memory.dmp

memory/2884-35-0x0000000002750000-0x0000000002762000-memory.dmp

memory/2884-33-0x0000000002750000-0x0000000002762000-memory.dmp

memory/2884-32-0x0000000002750000-0x0000000002762000-memory.dmp

memory/2884-60-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/2884-62-0x0000000000400000-0x00000000004BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dMWoU16.exe

MD5 1d2f635eaf62232e517a2f81d0c4523b
SHA1 9bcb2c1515893ba3f74bbc2f759eb845d2db069b
SHA256 811448f734bd29d3c43ef36720c82e1a3dee93a545603fb4b2061db3486662f5
SHA512 d452d54c93509f743b0436eeddd26bdabe5d7dcda72c1ca556ec0e1436f3b0f1fcf2b9fd83e332f0c7d5bc7694be8417ccbf61018329ab68cfc4d35d52b9eef2

memory/2492-67-0x00000000025B0000-0x00000000025F6000-memory.dmp

memory/2492-68-0x0000000004AD0000-0x0000000004B14000-memory.dmp

memory/2492-74-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/2492-88-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/2492-102-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/2492-100-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/2492-98-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/2492-96-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/2492-94-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/2492-92-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/2492-86-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/2492-84-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/2492-83-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/2492-80-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/2492-79-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/2492-76-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/2492-90-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/2492-72-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/2492-70-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/2492-69-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/2492-975-0x00000000051D0000-0x00000000057E8000-memory.dmp

memory/2492-976-0x00000000057F0000-0x00000000058FA000-memory.dmp

memory/2492-977-0x0000000004BF0000-0x0000000004C02000-memory.dmp

memory/2492-978-0x0000000005900000-0x000000000593C000-memory.dmp

memory/2492-979-0x0000000005A90000-0x0000000005ADC000-memory.dmp