Malware Analysis Report

2024-11-13 17:38

Sample ID: 241110-bz6kfswgll
Target: 3b9b6be08022faa402737b82cc3aee06b8adda6c54d9884fb841fc4408fde07e
SHA256: 3b9b6be08022faa402737b82cc3aee06b8adda6c54d9884fb841fc4408fde07e
Tags: healer redline rosn discovery dropper evasion infostealer persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 3b9b6be08022faa402737b82cc3aee06b8adda6c54d9884fb841fc4408fde07e
Threat Level: Known bad

The file 3b9b6be08022faa402737b82cc3aee06b8adda6c54d9884fb841fc4408fde07e was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Healer

RedLine payload

Redline family

Modifies Windows Defender Real-time Protection settings

Healer family

Detects Healer an antivirus disabler dropper

RedLine

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-10 01:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-10 01:35
Reported: 2024-11-10 01:38
Platform: win10v2004-20241007-en
Max time kernel: 143s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b9b6be08022faa402737b82cc3aee06b8adda6c54d9884fb841fc4408fde07e.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr397995.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr397995.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr397995.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr397995.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr397995.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr397995.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr397995.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\3b9b6be08022faa402737b82cc3aee06b8adda6c54d9884fb841fc4408fde07e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipG3882.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3b9b6be08022faa402737b82cc3aee06b8adda6c54d9884fb841fc4408fde07e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipG3882.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku181363.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr397995.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr397995.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr397995.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku181363.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3b9b6be08022faa402737b82cc3aee06b8adda6c54d9884fb841fc4408fde07e.exe
    "C:\Users\Admin\AppData\Local\Temp\3b9b6be08022faa402737b82cc3aee06b8adda6c54d9884fb841fc4408fde07e.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipG3882.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipG3882.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr397995.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr397995.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku181363.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku181363.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp
RU 176.113.115.145:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipG3882.exe

MD5: 453caf4621b7526ca21145b49d2182ba
SHA1: c3635af0cba2e6116e3929d5f7709256ee48c83c
SHA256: 6e901c14b05d47af830581d7cd25acb6f700fe4acd93c4308b6c827423153608
SHA512: 299fa64b1aa8a66a53f58eb47df810d5bf3eaf24401ab409a16504042a506334bafe996668d0398de95dd83e820242f0aa07a489b7cdb5cb8684f513aaa3a0f2

memory/1416-14-0x00007FFBA03A3000-0x00007FFBA03A5000-memory.dmp
memory/1416-15-0x00000000002E0000-0x00000000002EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr397995.exe

MD5: b78b5dc0c84dc01601e6c148f8630fbd
SHA1: a60b5a7c82be01561245f1c7d4f3fb5db3b0d0df
SHA256: ae8d23ea29924ba92b9bff0a42c084d7a9099b3a3a7323f0452f88faa210ef7b
SHA512: 7d3189336a486852068fb968ede4c90e0dd6006f341c28ea1a26b5f299d354d0dd1612ff5d88340f802da613188186b14da0a0b0ba76cfc40645ca201d56e12f

memory/1416-16-0x00007FFBA03A3000-0x00007FFBA03A5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku181363.exe

MD5: fbe17bf3c93046aa153d79a8b2da1ff9
SHA1: 8d46ee807f4e5e2e8e8e49704af4f09be8ef2ea3
SHA256: bdfd37922ec2f475fd64694052767b7e81c5994570e967f0a3536936849de712
SHA512: de1f1cf28f4b5bd9765d02b9981425401563a5480843b8204b12cfbd37fd3773d5d613d179ed3331e3a970813d1d49614ee24c1d215acea129af813b574530e9
