Malware Analysis Report

2024-11-15 09:56

Sample ID: 241110-bw1vsswfql
Target: 820beae4bcea4b8d5418aef9757116739198deb3dc663df642f2fa74a1c31a40N
SHA256: 820beae4bcea4b8d5418aef9757116739198deb3dc663df642f2fa74a1c31a40
Tags: healer redline ruzhpe discovery dropper evasion infostealer persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 820beae4bcea4b8d5418aef9757116739198deb3dc663df642f2fa74a1c31a40

Threat Level: Known bad

The file 820beae4bcea4b8d5418aef9757116739198deb3dc663df642f2fa74a1c31a40N was found to be: Known bad.

Malicious Activity Summary

Modifies Windows Defender Real-time Protection settings

RedLine payload

Redline family

Healer

Detects Healer an antivirus disabler dropper

Healer family

RedLine

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-11-10 01:30

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-10 01:30
Reported: 2024-11-10 01:32
Platform: win10v2004-20241007-en
Max time kernel: 119s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\820beae4bcea4b8d5418aef9757116739198deb3dc663df642f2fa74a1c31a40N.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
2 matches, no indicator details recorded (N/A | N/A | N/A | N/A)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sw20Lc96BB94.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sw20Lc96BB94.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sw20Lc96BB94.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sw20Lc96BB94.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sw20Lc96BB94.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sw20Lc96BB94.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
35 matches, no indicator details recorded (N/A | N/A | N/A | N/A)

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sw20Lc96BB94.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\820beae4bcea4b8d5418aef9757116739198deb3dc663df642f2fa74a1c31a40N.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\820beae4bcea4b8d5418aef9757116739198deb3dc663df642f2fa74a1c31a40N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tkvR22RP53NB.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sw20Lc96BB94.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sw20Lc96BB94.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sw20Lc96BB94.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tkvR22RP53NB.exe | N/A

Processes

Process: C:\Users\Admin\AppData\Local\Temp\820beae4bcea4b8d5418aef9757116739198deb3dc663df642f2fa74a1c31a40N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\820beae4bcea4b8d5418aef9757116739198deb3dc663df642f2fa74a1c31a40N.exe"

Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sw20Lc96BB94.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sw20Lc96BB94.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tkvR22RP53NB.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tkvR22RP53NB.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | pepunn.com (22 identical queries, duplicate rows collapsed) | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sw20Lc96BB94.exe

MD5 7f77d02cabfe9a431532b203c076b59d
SHA1 9994a5d35c9c3d3e2a5533a69861e743d3d14cdd
SHA256 6e4d20c89a1c517b7d2d72543b3e66c1794dd2c346ef625f944161e5e6692c34
SHA512 a997cf27662e79945a3f0b0aaa9c2c233f9abd8093dea6c09dcda5d6af678a870c2c443cdfcfd6df4601eff5bca9eefdefadf55d0ef18578c4b74848cbbca8ad

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tkvR22RP53NB.exe

MD5 4a99afd6ed76b99078df204b18a8b896
SHA1 f31f5bc1af96226972ccb4f09f31e951bf8c8c50
SHA256 ef798a02a3eb5140e2cf2f4a5cc1baa245c94df5a355e26fb5e1371f7f832473
SHA512 79d7fe86efd6624e78af1bdd89713ccf1a0de364ce87a1b1faa904643d5efe003e2083134cd99f78dde26c4587cee6fa8fa02153cbd24a452c49a1e95d94c6d4