Malware Analysis Report

2024-11-15 09:56

Sample ID 241110-bwp4aswjf1
Target 9ebb32ade38c26f898c85f6108e0e4efb679ddb4b85c00e601a321477cf31841
SHA256 9ebb32ade38c26f898c85f6108e0e4efb679ddb4b85c00e601a321477cf31841
Tags: healer redline discovery dropper evasion infostealer persistence trojan

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

9ebb32ade38c26f898c85f6108e0e4efb679ddb4b85c00e601a321477cf31841

Threat Level: Known bad

The file 9ebb32ade38c26f898c85f6108e0e4efb679ddb4b85c00e601a321477cf31841 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

RedLine payload

Redline family

Healer

Healer family

RedLine

Detects Healer, an antivirus disabler dropper

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:29

Reported

2024-11-10 01:32

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ebb32ade38c26f898c85f6108e0e4efb679ddb4b85c00e601a321477cf31841.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr926553.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr926553.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr926553.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr926553.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr926553.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr926553.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr926553.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr926553.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\9ebb32ade38c26f898c85f6108e0e4efb679ddb4b85c00e601a321477cf31841.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un930180.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9ebb32ade38c26f898c85f6108e0e4efb679ddb4b85c00e601a321477cf31841.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un930180.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr926553.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu953675.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr926553.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr926553.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr926553.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu953675.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3084 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\9ebb32ade38c26f898c85f6108e0e4efb679ddb4b85c00e601a321477cf31841.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un930180.exe
PID 3084 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\9ebb32ade38c26f898c85f6108e0e4efb679ddb4b85c00e601a321477cf31841.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un930180.exe
PID 3084 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\9ebb32ade38c26f898c85f6108e0e4efb679ddb4b85c00e601a321477cf31841.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un930180.exe
PID 2880 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un930180.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr926553.exe
PID 2880 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un930180.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr926553.exe
PID 2880 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un930180.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr926553.exe
PID 2880 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un930180.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu953675.exe
PID 2880 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un930180.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu953675.exe
PID 2880 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un930180.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu953675.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9ebb32ade38c26f898c85f6108e0e4efb679ddb4b85c00e601a321477cf31841.exe

"C:\Users\Admin\AppData\Local\Temp\9ebb32ade38c26f898c85f6108e0e4efb679ddb4b85c00e601a321477cf31841.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un930180.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un930180.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr926553.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr926553.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4840 -ip 4840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 1096

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu953675.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu953675.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.153:38452 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 185.161.248.153:38452 tcp
RU 185.161.248.153:38452 tcp
RU 185.161.248.153:38452 tcp
US 8.8.8.8:53 72.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
RU 185.161.248.153:38452 tcp
RU 185.161.248.153:38452 tcp
RU 185.161.248.153:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un930180.exe

MD5 146b430488b9019f43dbd4aabe4e3580
SHA1 347f975bc4a60ab1fdbb5a573520a7b7edac8510
SHA256 01a9efcf5136680a01c2c39f7a008ced81553d5b7d3bbca28e6ceee8e6ff0f7a
SHA512 d8262db4822d7a2c4803aee02a98afab2eda8954eecc6edee7311b190b30a8c3b3a27bfbfb1b9bf27fb537325e812f346d286fb64f3d4ec6ea30999b357ba977

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr926553.exe

MD5 bcccee8d9bb4f7e28d40107cde510fe5
SHA1 c6371f05f9d8b4f6234bfb2a460296d8c0853d16
SHA256 332a9bf4320d706d72de0459810afcc75bfadbcb86749deefff7990acd04ed49
SHA512 d3f970a293856034004ac55e784591d597971baab4f7319fdca9a354761e28f7dbbc59914913fb80285424a9208118017871d1458ea83b7a0160539177e0ed9a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu953675.exe

MD5 4b7a4225b585ed56fbc8534b086a8f10
SHA1 68de33fc5c609b781ce550e31feed2034b3cf0fe
SHA256 9c5f3650f593f04def1c308938f85b148222db388ba62810f2cd16cbfb340e23
SHA512 b5ddf7220fcb314177a57227b3ccdeea6e379bc416caf034a879dd41859214195ceb12f9fa73f9415689d7c058f4dfeb65a098f269aa86537929953fe4ba557e
