Malware Analysis Report

2024-11-13 17:38

Sample ID 241110-bz9l4swhrf
Target 9f50af425d17247d4d3d98131add501fa0982dcb37295df361b44b80866c841c
SHA256 9f50af425d17247d4d3d98131add501fa0982dcb37295df361b44b80866c841c
Tags healer redline rumfa discovery dropper evasion infostealer persistence trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

9f50af425d17247d4d3d98131add501fa0982dcb37295df361b44b80866c841c

Threat Level: Known bad

The file 9f50af425d17247d4d3d98131add501fa0982dcb37295df361b44b80866c841c was found to be: Known bad.

Malicious Activity Summary

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Detects Healer, an antivirus disabler dropper

Healer family

Modifies Windows Defender Real-time Protection settings

Redline family

RedLine

RedLine payload

Healer

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:36

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:36

Reported

2024-11-10 01:38

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f50af425d17247d4d3d98131add501fa0982dcb37295df361b44b80866c841c.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buTw07oK35.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buTw07oK35.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buTw07oK35.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buTw07oK35.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buTw07oK35.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buTw07oK35.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (35 matches, none with indicator details recorded)

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buTw07oK35.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plgp58Id36.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbB10BC11.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plbY91pz79.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsB18am25.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\9f50af425d17247d4d3d98131add501fa0982dcb37295df361b44b80866c841c.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\canr55Pp31.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9f50af425d17247d4d3d98131add501fa0982dcb37295df361b44b80866c841c.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plgp58Id36.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbB10BC11.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plbY91pz79.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsB18am25.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buTw07oK35.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buTw07oK35.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buTw07oK35.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\canr55Pp31.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1892 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\9f50af425d17247d4d3d98131add501fa0982dcb37295df361b44b80866c841c.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plgp58Id36.exe
PID 1892 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\9f50af425d17247d4d3d98131add501fa0982dcb37295df361b44b80866c841c.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plgp58Id36.exe
PID 1892 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\9f50af425d17247d4d3d98131add501fa0982dcb37295df361b44b80866c841c.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plgp58Id36.exe
PID 4600 wrote to memory of 1436 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plgp58Id36.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbB10BC11.exe
PID 4600 wrote to memory of 1436 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plgp58Id36.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbB10BC11.exe
PID 4600 wrote to memory of 1436 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plgp58Id36.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbB10BC11.exe
PID 1436 wrote to memory of 4460 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbB10BC11.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plbY91pz79.exe
PID 1436 wrote to memory of 4460 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbB10BC11.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plbY91pz79.exe
PID 1436 wrote to memory of 4460 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbB10BC11.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plbY91pz79.exe
PID 4460 wrote to memory of 3992 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plbY91pz79.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsB18am25.exe
PID 4460 wrote to memory of 3992 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plbY91pz79.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsB18am25.exe
PID 4460 wrote to memory of 3992 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plbY91pz79.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsB18am25.exe
PID 3992 wrote to memory of 3788 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsB18am25.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buTw07oK35.exe
PID 3992 wrote to memory of 3788 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsB18am25.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buTw07oK35.exe
PID 3992 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsB18am25.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\canr55Pp31.exe
PID 3992 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsB18am25.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\canr55Pp31.exe
PID 3992 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsB18am25.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\canr55Pp31.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9f50af425d17247d4d3d98131add501fa0982dcb37295df361b44b80866c841c.exe

"C:\Users\Admin\AppData\Local\Temp\9f50af425d17247d4d3d98131add501fa0982dcb37295df361b44b80866c841c.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plgp58Id36.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plgp58Id36.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbB10BC11.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbB10BC11.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plbY91pz79.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plbY91pz79.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsB18am25.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsB18am25.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buTw07oK35.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buTw07oK35.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\canr55Pp31.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\canr55Pp31.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 193.233.20.24:4123 | | tcp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
RU | 193.233.20.24:4123 | | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
RU | 193.233.20.24:4123 | | tcp
RU | 193.233.20.24:4123 | | tcp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
RU | 193.233.20.24:4123 | | tcp
RU | 193.233.20.24:4123 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plgp58Id36.exe

MD5 da3ea7e226940fee5fc7178bb492d9ce
SHA1 bdcc29815955aa75078117af70fe36bc5b55d3b6
SHA256 206d34102b5b967c2a7849aa8a15366b9ff75d71461e8aa345ee1719e3aa1bd0
SHA512 2ce624302868ba2a47153ab300a690b40f04c180f18f158c0766ffd3463179e94c5af6d18f296c21051cc6f49fce350e20bf14cc10c5dc549160c91fe8ee3355

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbB10BC11.exe

MD5 84bd9e160f5016a9b104a0f8034a37d5
SHA1 727c79bf87d56065b1921753951eef050536ae17
SHA256 63f2f5ec4968f5f7ed0c81dbab413304619dbe579e7bcf4be8ce58341f4654cf
SHA512 4cb0b837dee1a3647bea72f9cad52b8412cf84d6239a33daa737e88a0d24949949682f83f7093d1106e0a48eed46aa4f1d304d191cd163cbb3b19d95b97cdefc

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plbY91pz79.exe

MD5 12b2f87d938dec3998886646b2cb07c9
SHA1 59ebda704fdcf6cc57599fd40bf8677748a87d5c
SHA256 2b857239536a2a13240f9f9b677810208080db204aa13642cc9334a2b4049920
SHA512 64d8374af979ea249dd00e7ebb23b4ef281466360df97984e50afd432b9a71e9915391ace619dd6167e2953db693dba921319cf223ebdc2f0456e94b7a5ec154

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsB18am25.exe

MD5 14fa9adf5dbe2ffb322f454764fbb83d
SHA1 90493b4527a3bed3b3b9d60fb36ee94cb54cdfbc
SHA256 1f04765ff4dbcced5b11791811c7aec4748fed97ebb4c072264284cce14cf82d
SHA512 76b1cfe51335cb1a9d5adb5b1b26d0ad953d890e6a488ed946b4f694a242b3f8e193942a4d9fd0c09135b90e9e1b6a63d3d950c6f23a21d6423befee915f3b59

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buTw07oK35.exe

MD5 afae7443f98357568ac8c737e126de85
SHA1 47589a3dbf97c4e156b924cc23073c6eeb35b4d8
SHA256 a1f11bec33d19ceb9bc84ec09cb169f7da9234ec13b6c944f697139bc03869f4
SHA512 ee5437c4f8ad201ded0ffdc9745ad903beb34fb3daebdf16bc35b1bd7f4a4724a2ef8d21c2dfc4a52dad22bf9442486c1e98e95ae4a69eaed53977fd06393b9f

memory/3788-35-0x0000000000230000-0x000000000023A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\canr55Pp31.exe

MD5 df8b658ff430e07a3083de9d55e38d9f
SHA1 a1c69254ba895096f75660ca5c9c09f46486e65f
SHA256 885045b17ae6220ea794be50c2290b1c771323b5ff3680879e7d2bd8d1576a74
SHA512 ce534ec18d6e3f3f30a21c0749818ae89895281164262fe118610f4609d98d78f3164659cc8114d2d4767eff56cb446a118b72488982989c0e722fff8bcdae8a

memory/2176-41-0x0000000002630000-0x0000000002676000-memory.dmp

memory/2176-42-0x0000000004EB0000-0x0000000005454000-memory.dmp

memory/2176-43-0x00000000027F0000-0x0000000002834000-memory.dmp

memory/2176-45-0x00000000027F0000-0x000000000282E000-memory.dmp

memory/2176-44-0x00000000027F0000-0x000000000282E000-memory.dmp

memory/2176-107-0x00000000027F0000-0x000000000282E000-memory.dmp

memory/2176-105-0x00000000027F0000-0x000000000282E000-memory.dmp

memory/2176-103-0x00000000027F0000-0x000000000282E000-memory.dmp

memory/2176-101-0x00000000027F0000-0x000000000282E000-memory.dmp

memory/2176-99-0x00000000027F0000-0x000000000282E000-memory.dmp

memory/2176-97-0x00000000027F0000-0x000000000282E000-memory.dmp

memory/2176-95-0x00000000027F0000-0x000000000282E000-memory.dmp

memory/2176-93-0x00000000027F0000-0x000000000282E000-memory.dmp

memory/2176-91-0x00000000027F0000-0x000000000282E000-memory.dmp

memory/2176-89-0x00000000027F0000-0x000000000282E000-memory.dmp

memory/2176-85-0x00000000027F0000-0x000000000282E000-memory.dmp

memory/2176-83-0x00000000027F0000-0x000000000282E000-memory.dmp

memory/2176-81-0x00000000027F0000-0x000000000282E000-memory.dmp

memory/2176-79-0x00000000027F0000-0x000000000282E000-memory.dmp

memory/2176-77-0x00000000027F0000-0x000000000282E000-memory.dmp

memory/2176-73-0x00000000027F0000-0x000000000282E000-memory.dmp

memory/2176-71-0x00000000027F0000-0x000000000282E000-memory.dmp

memory/2176-69-0x00000000027F0000-0x000000000282E000-memory.dmp

memory/2176-67-0x00000000027F0000-0x000000000282E000-memory.dmp

memory/2176-65-0x00000000027F0000-0x000000000282E000-memory.dmp

memory/2176-61-0x00000000027F0000-0x000000000282E000-memory.dmp

memory/2176-59-0x00000000027F0000-0x000000000282E000-memory.dmp

memory/2176-57-0x00000000027F0000-0x000000000282E000-memory.dmp

memory/2176-55-0x00000000027F0000-0x000000000282E000-memory.dmp

memory/2176-53-0x00000000027F0000-0x000000000282E000-memory.dmp

memory/2176-87-0x00000000027F0000-0x000000000282E000-memory.dmp

memory/2176-75-0x00000000027F0000-0x000000000282E000-memory.dmp

memory/2176-63-0x00000000027F0000-0x000000000282E000-memory.dmp

memory/2176-51-0x00000000027F0000-0x000000000282E000-memory.dmp

memory/2176-49-0x00000000027F0000-0x000000000282E000-memory.dmp

memory/2176-47-0x00000000027F0000-0x000000000282E000-memory.dmp

memory/2176-950-0x0000000005460000-0x0000000005A78000-memory.dmp

memory/2176-951-0x0000000004D20000-0x0000000004E2A000-memory.dmp

memory/2176-952-0x0000000004E60000-0x0000000004E72000-memory.dmp

memory/2176-953-0x0000000005B80000-0x0000000005BBC000-memory.dmp

memory/2176-954-0x0000000005BC0000-0x0000000005C0C000-memory.dmp