Malware Analysis Report

2024-11-13 17:38

Sample ID 241110-bzk9hswkc1
Target 4ecff3dc18d6506e10f68491d58fc1ba31faf9493133c4279cd4fbb7e7929b16
SHA256 4ecff3dc18d6506e10f68491d58fc1ba31faf9493133c4279cd4fbb7e7929b16
Tags healer redline rumfa discovery dropper evasion infostealer persistence trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

4ecff3dc18d6506e10f68491d58fc1ba31faf9493133c4279cd4fbb7e7929b16

Threat Level: Known bad

The file 4ecff3dc18d6506e10f68491d58fc1ba31faf9493133c4279cd4fbb7e7929b16 was found to be: Known bad.

Malicious Activity Summary

Healer

RedLine

RedLine payload

Redline family

Modifies Windows Defender Real-time Protection settings

Healer family

Detects Healer, an antivirus disabler dropper

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:34

Reported

2024-11-10 01:37

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4ecff3dc18d6506e10f68491d58fc1ba31faf9493133c4279cd4fbb7e7929b16.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPV92tZ96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPV92tZ96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPV92tZ96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPV92tZ96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPV92tZ96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPV92tZ96.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPV92tZ96.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIU29XD06.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plLP13qt01.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt10Ra62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plZA95Ow98.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4ecff3dc18d6506e10f68491d58fc1ba31faf9493133c4279cd4fbb7e7929b16.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIU29XD06.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plLP13qt01.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt10Ra62.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plZA95Ow98.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\casX13jF11.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4ecff3dc18d6506e10f68491d58fc1ba31faf9493133c4279cd4fbb7e7929b16.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPV92tZ96.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPV92tZ96.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\casX13jF11.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4524 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\4ecff3dc18d6506e10f68491d58fc1ba31faf9493133c4279cd4fbb7e7929b16.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIU29XD06.exe
PID 4128 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIU29XD06.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plLP13qt01.exe
PID 3972 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plLP13qt01.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt10Ra62.exe
PID 1764 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt10Ra62.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plZA95Ow98.exe
PID 3300 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plZA95Ow98.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPV92tZ96.exe
PID 3300 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plZA95Ow98.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\casX13jF11.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4ecff3dc18d6506e10f68491d58fc1ba31faf9493133c4279cd4fbb7e7929b16.exe

"C:\Users\Admin\AppData\Local\Temp\4ecff3dc18d6506e10f68491d58fc1ba31faf9493133c4279cd4fbb7e7929b16.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIU29XD06.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plLP13qt01.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt10Ra62.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plZA95Ow98.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPV92tZ96.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\casX13jF11.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIU29XD06.exe

MD5 048f771b4353aa5fdbe6c7955373103c
SHA1 38ecfce70ebbed9eff0663ae03bf2d04c0fe6bb6
SHA256 c7714b31c9949bb74db0c3b827a4ce92e09d11079e060cab51bfa63eb5bb2e32
SHA512 f1aa442dcc3d38541f23b3d152c8ac34be546339d76f3e2cd73c79ac30e6e90828f4376889159b1c19901a8a933ffa753d08ff6937cdbff286435cf717800cd4

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plLP13qt01.exe

MD5 0e2f5e078648c4f512c20edac192bdde
SHA1 a38c856089eef1e57a896201eaef9f935efd66fb
SHA256 5ae1550cc463ec85b1f03764851d71d20d4c6504d543d7c54421f864ab3a095c
SHA512 d93de06d5eccd547702247b3cfc97dffaf4935ec92d1cb48a7f18253bba2a439f1e133ca6078735f6036e1ff84d62250bad1de238b218516c754c97dbb6f2a0c

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt10Ra62.exe

MD5 967a6efc047ce2bfedd58205b16eb856
SHA1 f0631d821537eac91fc8acf9c9e164d1ebc385ac
SHA256 25899231646e6f9901c9ac86943c2332d92dd28bd333b409e2387f18e0a8d5a3
SHA512 5683eafe53188f65669a7c609273381699b1538d7904dd4fc76a7b93a45004cdb1887ac161c211f0578e53e6ca8e2db08b64502bc252b7087c4eab037b33a31a

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plZA95Ow98.exe

MD5 35eec148d062727beca64806452f66f2
SHA1 5b7a974b429d5104051f4f7ab17f4da9cdae87e9
SHA256 390d2fc4089b2666bfa9e5fc26c6006496a0fa16ba855dc251abf3de9103ad1a
SHA512 0687a63c853ee4a75fa3811550c92431c16443bfaa040fca1f5b2c02584856989aced5fef379c5ddf4b4bbaa222e3bd6e46b792c724c232a7ec7050fd90892fe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPV92tZ96.exe

MD5 606f1523d611ae09f551005f77292f89
SHA1 898e7b0d71b8c3dc5cf76300ff7ab34d8179103f
SHA256 15707a4830f66bdef3567108793cdacb17a240955f8210d44bd6e1d6e9f5600d
SHA512 6cc318274ac9e74b0e52b7d6593b69c33043c192733ba158fddb70047e831b678d74687a3cc9d80ff3325c58c4190ad1a7461243de0acdb8c38b0aba487d3ec9

memory/1872-35-0x0000000000770000-0x000000000077A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\casX13jF11.exe

MD5 1d723ff94958004611f8d9036d32a484
SHA1 494b2b1df04dd00bd4a6582ca026b45ed1e26f5e
SHA256 ce58c79e2d8396ebc000387ba86ec87273d28bd7dfa8310c49c59b22c7de42af
SHA512 9738bf0e92ad9b1f526a48a4262410186a961e0aa9e04ef1ecc4769b29d92339f46e331a65810ce72b27df319260ac8aba0636742690e95bc34f6d59fbf2ff61
