Malware Analysis Report

2024-11-15 09:56

Sample ID 241110-bwdehawfnr
Target 34a18231f4a3ae47e7b188ee1618ac2160360cc81e115b9bae8a894c8a197196
SHA256 34a18231f4a3ae47e7b188ee1618ac2160360cc81e115b9bae8a894c8a197196
Tags
healer redline rouch discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

34a18231f4a3ae47e7b188ee1618ac2160360cc81e115b9bae8a894c8a197196

Threat Level: Known bad

The file 34a18231f4a3ae47e7b188ee1618ac2160360cc81e115b9bae8a894c8a197196 was found to be: Known bad.

Malicious Activity Summary

healer redline rouch discovery dropper evasion infostealer persistence trojan

Redline family

Detects Healer an antivirus disabler dropper

RedLine payload

Healer

Healer family

Modifies Windows Defender Real-time Protection settings

RedLine

Windows security modification

Executes dropped EXE

Adds Run key to start application

Launches sc.exe

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:29

Reported

2024-11-10 01:31

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\34a18231f4a3ae47e7b188ee1618ac2160360cc81e115b9bae8a894c8a197196.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58On66bQ13.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58On66bQ13.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58On66bQ13.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58On66bQ13.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58On66bQ13.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58On66bQ13.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
35 hits; no per-hit indicator, process or target details recorded (N/A).

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58On66bQ13.exe N/A

Caveat: the sandbox records the write attempt, not its effect. On a host where Tamper Protection is enabled (the default on current Windows 10/11), Defender protects this value and the Real-Time Protection policy values above, so the writes are expected to be rejected or reverted; on a host where it is off, those policy values turn off real-time, behaviour, IOAV and on-access scanning until they are reset. Either way, a process other than Defender's own writing these keys is a high-confidence indicator. Confirm the actual state on the host with Get-MpComputerStatus (RealTimeProtectionEnabled, IsTamperProtected) rather than trusting the registry alone.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\34a18231f4a3ae47e7b188ee1618ac2160360cc81e115b9bae8a894c8a197196.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vNf4638mF.exe N/A

Caveat: despite the "persistence" tag, these RunOnce values do not re-launch the malware. They are the standard cleanup entries written by the Windows wextract/IExpress self-extractor: at the next logon rundll32 calls advpack.dll!DelNodeRunDLL32 to delete the IXP00x.TMP extraction folder, and RunOnce removes the value after it has run. Their value as an indicator is that they reveal a nested self-extractor: the submitted sample writes the entry for IXP000.TMP, and vNf4638mF.exe (itself extracted into IXP000.TMP) writes the one for IXP001.TMP. The WOW6432Node path shows the writers are 32-bit processes on 64-bit Windows.
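The registry indicators in the three tables above (Real-Time Protection policy values set to 1, TamperProtection set to 0, and the wextract_cleanup RunOnce entries) are what a host-telemetry rule should key on. The following is an added example, not code from the report or from the sandbox vendor: it runs hand-written rules over constructed Sysmon-style registry events (Event ID 12 key create, 13 value set) that mirror the report's indicators. The event records, the rule names, the list of Defender binaries treated as legitimate writers and the severity mapping are assumptions of this example.

```python
"""Registry-telemetry rules for the evasion/persistence indicators in this report.

Added example, not part of the sandbox report. SAMPLE_EVENTS are constructed
Sysmon-style records that mirror the report's indicators; rule names, the Defender
allow-list and the severity mapping are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RegEvent:
    event_id: int      # 12 = key created/deleted, 13 = value set (Sysmon numbering)
    image: str         # full path of the writing process
    target: str        # registry path; Sysmon writes HKLM\..., the sandbox \REGISTRY\MACHINE\...
    details: str = ""  # value written: "DWORD (0x00000001)" (Sysmon) or "1" (sandbox)


# The five Real-Time Protection policy values Healer set to 1 in the report.
DEFENDER_RTP = re.compile(
    r"\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\"
    r"(DisableRealtimeMonitoring|DisableBehaviorMonitoring|DisableIOAVProtection|"
    r"DisableOnAccessProtection|DisableScanOnRealtimeEnable)$", re.I)
TAMPER = re.compile(r"\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection$", re.I)
RUNONCE_CLEANUP = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup\d+$", re.I)
IXP_TMP = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\", re.I)
# Assumption: Defender's own binaries are the only legitimate writers of its feature keys.
DEFENDER_IMAGES = {"msmpeng.exe", "mpcmdrun.exe", "nissrv.exe"}
HIGH = {"defender_rtp_disabled_by_policy", "tamper_protection_cleared"}


def _int_value(details: str) -> Optional[int]:
    """Accept both Sysmon's 'DWORD (0x00000001)' and the sandbox's bare '1'."""
    m = re.fullmatch(r"(?:DWORD \()?0x([0-9A-Fa-f]+)\)?|(\d+)", details.strip())
    if not m:
        return None
    return int(m.group(1), 16) if m.group(1) else int(m.group(2))


def classify(ev: RegEvent) -> list:
    """Return the names of every rule a single registry event triggers."""
    hits = []
    proc = ev.image.rsplit("\\", 1)[-1].lower()
    value = _int_value(ev.details)
    is_set = ev.event_id == 13
    if is_set and DEFENDER_RTP.search(ev.target) and value == 1 and proc not in DEFENDER_IMAGES:
        hits.append("defender_rtp_disabled_by_policy")
    if is_set and TAMPER.search(ev.target) and value == 0 and proc not in DEFENDER_IMAGES:
        hits.append("tamper_protection_cleared")
    if is_set and RUNONCE_CLEANUP.search(ev.target) and "DelNodeRunDLL32" in ev.details:
        # Every wextract/IExpress package writes this: low severity alone, but it marks an SFX stage.
        hits.append("wextract_sfx_cleanup_runonce")
    if IXP_TMP.search(ev.image):
        hits.append("writer_runs_from_IXP_tmp")  # process executing out of an IXP00x.TMP folder
    return hits


def triage(events) -> dict:
    """Map each writing image to the sorted set of rules it triggered across all events."""
    findings = {}
    for ev in events:
        for rule in classify(ev):
            findings.setdefault(ev.image, set()).add(rule)
    return {image: sorted(rules) for image, rules in findings.items()}


def severity(rules) -> str:
    return "high" if HIGH & set(rules) else "low"


# Constructed sample telemetry mirroring the report (paths from the report, values in Sysmon form).
HEALER = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58On66bQ13.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\34a18231f4a3ae47e7b188ee1618ac2160360cc81e115b9bae8a894c8a197196.exe"
POL = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
SAMPLE_EVENTS = [
    RegEvent(12, HEALER, POL),
    RegEvent(13, HEALER, POL + r"\DisableRealtimeMonitoring", "DWORD (0x00000001)"),
    RegEvent(13, HEALER, POL + r"\DisableBehaviorMonitoring", "DWORD (0x00000001)"),
    RegEvent(13, HEALER, r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection", "DWORD (0x00000000)"),
    RegEvent(13, DROPPER, r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
             r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'),
    # Benign controls (constructed): Defender's own service and a normal per-user Run value must not fire.
    RegEvent(13, r"C:\Program Files\Windows Defender\MsMpEng.exe",
             r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection", "DWORD (0x00000005)"),
    RegEvent(13, r"C:\Windows\explorer.exe", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
             r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for image, rules in triage(SAMPLE_EVENTS).items():
        print(f"[{severity(rules)}] {image}: {', '.join(rules)}")
```

Sysmon only logs registry events that its configuration includes, so a deployment needs RegistryEvent include rules covering the Windows Defender\Real-Time Protection, Windows Defender\Features and CurrentVersion\RunOnce paths for these rules to see anything; the same logic applies unchanged to EDR registry telemetry that uses HKLM-style paths.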

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

The command line recorded under Processes is sc.exe start wuauserv, i.e. starting the Windows Update service. The report does not record which of the executables in the chain spawned it, so attribute it by parent PID from host telemetry rather than from this table.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\34a18231f4a3ae47e7b188ee1618ac2160360cc81e115b9bae8a894c8a197196.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vNf4638mF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tOw90YK94.exe N/A

Reading HKLM\SYSTEM\ControlSet001\Control\NLS\Language is how a process learns the installed system language. Stealer loaders commonly use it to skip hosts in excluded locales, but ordinary runtime and installer code reads the same key, so on its own this is a weak signal; it is worth noting here only because the sample and two of the dropped stages all do it.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58On66bQ13.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58On66bQ13.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58On66bQ13.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tOw90YK94.exe N/A

Processes

Each executable is listed with the command line it was started with. Parent/child relations are not recorded directly; the chain can be inferred from the RunOnce indicators above: the submitted sample is a wextract/IExpress self-extractor that unpacks vNf4638mF.exe into IXP000.TMP, and vNf4638mF.exe is a second self-extractor that unpacks sw58On66bQ13.exe (the stage that modifies Windows Defender) and tOw90YK94.exe into IXP001.TMP. Which process starts sc.exe is not recorded.

C:\Users\Admin\AppData\Local\Temp\34a18231f4a3ae47e7b188ee1618ac2160360cc81e115b9bae8a894c8a197196.exe

"C:\Users\Admin\AppData\Local\Temp\34a18231f4a3ae47e7b188ee1618ac2160360cc81e115b9bae8a894c8a197196.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vNf4638mF.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vNf4638mF.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58On66bQ13.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58On66bQ13.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tOw90YK94.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tOw90YK94.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
FR 193.56.146.11:4162 tcp
FR 193.56.146.11:4162 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
FR 193.56.146.11:4162 tcp
FR 193.56.146.11:4162 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
FR 193.56.146.11:4162 tcp
FR 193.56.146.11:4162 tcp
US 8.8.8.8:53 107.116.69.13.in-addr.arpa udp
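Two things in the table above matter to a responder: the only TCP traffic goes repeatedly to a single address and port with no forward DNS query anywhere in the capture (a hardcoded C2 address), while the UDP rows are reverse (PTR) lookups for addresses the sample never connects to, which is background traffic from the sandbox OS rather than malware activity. The following is an added example, not code from the report or the sandbox vendor: it parses the report's Network rows (copied verbatim into REPORT_ROWS) and applies those two heuristics. The port list treated as "common", the repeat threshold and the scoring are assumptions of this example.

```python
"""Triage the Network table of this report: hardcoded C2 versus reverse-DNS noise.

Added example, not part of the sandbox report. REPORT_ROWS is copied from the
report's Network table; the heuristics, COMMON_PORTS and MIN_REPEATS are assumptions.
"""
from collections import Counter
from typing import Optional

# Rows copied verbatim from the report (Country Destination Domain Proto; TCP rows have no Domain).
REPORT_ROWS = """\
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
FR 193.56.146.11:4162 tcp
FR 193.56.146.11:4162 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
FR 193.56.146.11:4162 tcp
FR 193.56.146.11:4162 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
FR 193.56.146.11:4162 tcp
FR 193.56.146.11:4162 tcp
US 8.8.8.8:53 107.116.69.13.in-addr.arpa udp
"""

COMMON_PORTS = {53, 80, 123, 443}  # assumption: ports we would not call "non-standard"
MIN_REPEATS = 3                    # assumption: repeat count that looks like beaconing in one run


def ptr_to_ip(name: str) -> Optional[str]:
    """'154.239.44.20.in-addr.arpa' -> '20.44.239.154' (PTR names store the octets reversed)."""
    n = name.lower()
    if not n.endswith(".in-addr.arpa"):
        return None
    labels = n[: -len(".in-addr.arpa")].split(".")
    if len(labels) != 4 or not all(l.isdigit() and int(l) <= 255 for l in labels):
        return None
    return ".".join(reversed(labels))


def parse_rows(text: str) -> list:
    """Parse the report's whitespace-separated rows; the Domain column is absent on TCP rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def triage_network(text: str) -> dict:
    rows = parse_rows(text)
    # Names the sample asked to resolve forward (anything on 53/udp that is not a PTR name).
    forward_names = {r["domain"] for r in rows
                     if r["proto"] == "udp" and r["port"] == 53
                     and r["domain"] and ptr_to_ip(r["domain"]) is None}
    ptr_ips = {ptr_to_ip(r["domain"]) for r in rows if ptr_to_ip(r["domain"])}
    tcp = Counter((r["host"], r["port"]) for r in rows if r["proto"] == "tcp")
    contacted = {host for host, _ in tcp}

    c2 = []
    for (host, port), n in tcp.items():
        reasons = []
        if not forward_names:
            reasons.append("no forward DNS query in the capture: address is hardcoded")
        if port not in COMMON_PORTS:
            reasons.append(f"non-standard port {port}")
        if n >= MIN_REPEATS:
            reasons.append(f"{n} connections in one run (beaconing)")
        if len(reasons) >= 2:  # assumption: two independent signals before calling it C2
            c2.append({"dest": f"{host}:{port}", "count": n, "reasons": reasons})
    # PTR lookups for addresses the sample never connects to are OS background noise.
    noise = sorted(ip for ip in ptr_ips if ip not in contacted)
    return {"c2_candidates": c2, "ptr_noise": noise}


if __name__ == "__main__":
    result = triage_network(REPORT_ROWS)
    for c in result["c2_candidates"]:
        print("C2 candidate", c["dest"], "x", c["count"], "-", "; ".join(c["reasons"]))
    print("PTR noise:", ", ".join(result["ptr_noise"]))
```

For hunting, the actionable artefact is outbound TCP to 193.56.146.11:4162 in proxy, firewall or NetFlow data; the in-addr.arpa queries should not be turned into indicators, since the same lookups appear in clean runs of the sandbox image.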

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vNf4638mF.exe

MD5 c0c33cf810fdb47cb4721224d986e7a6
SHA1 ccebf3c8038d4dfd16910762e50dff58855c1635
SHA256 49df001768c7bd2b08299c34dfff0cc0abf619877895074e1755d8ed40a86246
SHA512 a79751661ed9a7a62eabe60a46839240ae3e6374d2530f0baa598416d5981f9267eb23949408794f7c8ed63e60825aa78dc76c3e1bdb18bea41a8574df487573

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58On66bQ13.exe

MD5 54f85f7d6f119c4c6ce62bb6003e0d5d
SHA1 e39a4faa69ce89c2f5ceca8c7579fbe9b46f12e0
SHA256 d4c2342989b2b4efc2771685d7231e943881c987fb564ce155c32a7e16722d4b
SHA512 cfebb160c38ea3ca3e20cec4ac52f69c67fd7ed7e7d2cbcd598c3e0e608a0e397e3b7ca835de1db2c8621da0bcc36643694b484090d1dbee433058439694e543

Memory dump names are <pid>-<index>-<start>-<end>; each set is grouped under the executable it was taken from (PID 2928 here, PID 1856 under tOw90YK94.exe below).

memory/2928-14-0x00007FFDEECB3000-0x00007FFDEECB5000-memory.dmp

memory/2928-15-0x0000000000FC0000-0x0000000000FCA000-memory.dmp

memory/2928-16-0x00007FFDEECB3000-0x00007FFDEECB5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tOw90YK94.exe

MD5 a3da8951bb23f305fd251958e8535aa4
SHA1 ef6115e81f6e8a5a7ed3428db8ff7e34619e7e54
SHA256 786dcca370472e838015aaff2797f569f05b3fe168087a60e95294354ced715a
SHA512 be73e7708641e3d8d8f3f7b9136287bdf4de58798dd98ba5b03d1e486ff97aafcba07f428d135c87cb84098595e711a64d72b3ec43100375049d49d88618fe9d

memory/1856-22-0x0000000004C70000-0x0000000004CB6000-memory.dmp

memory/1856-23-0x00000000071D0000-0x0000000007774000-memory.dmp

memory/1856-24-0x00000000077C0000-0x0000000007804000-memory.dmp

memory/1856-{25,26,28,30,32,34,36,38,40,42,44,46,48,50,52,54,57,58,60,62,64,66,68,70,72,74,76,78,80,82,84,86,88}-0x00000000077C0000-0x00000000077FE000-memory.dmp (33 successive dumps of the same 0x3E000-byte region)

memory/1856-931-0x0000000007800000-0x0000000007E18000-memory.dmp

memory/1856-932-0x0000000007EA0000-0x0000000007FAA000-memory.dmp

memory/1856-933-0x0000000007FE0000-0x0000000007FF2000-memory.dmp

memory/1856-934-0x0000000008000000-0x000000000803C000-memory.dmp

memory/1856-935-0x0000000008150000-0x000000000819C000-memory.dmp