Malware Analysis Report

2024-11-13 17:38

Sample ID 241110-bzzf5swhqh
Target 479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da
SHA256 479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da

Threat Level: Known bad

The file 479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

RedLine

Healer

RedLine payload

Healer family

Redline family

Detects Healer, an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:35

Reported

2024-11-10 01:38

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\02170913.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\02170913.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\02170913.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\02170913.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\02170913.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\02170913.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\02170913.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\02170913.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un667618.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk469242.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un667618.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\02170913.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\02170913.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\02170913.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\02170913.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk469242.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1076 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un667618.exe
PID 3244 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un667618.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\02170913.exe
PID 3244 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un667618.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk469242.exe

Processes

C:\Users\Admin\AppData\Local\Temp\479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da.exe

"C:\Users\Admin\AppData\Local\Temp\479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un667618.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un667618.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\02170913.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\02170913.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3688 -ip 3688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk469242.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk469242.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un667618.exe

MD5 f6828c152c21cfcdfd572d03d2e901e8
SHA1 3911590ba4c5c5351cf96fed746e1abd9c462161
SHA256 5a391db9a5dc9f37a0561df2ac04bc2208b0a287d34ccecba1bf95cf6badcb40
SHA512 e6d732d313845833cf0c8d63d3c814b7bdc9c9bf2eb3264e1f836d2b4c539792b2a036b5e0bcf1714eaf75872ae14fff07c38176b994fb566a02b3b1152e90af

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\02170913.exe

MD5 8f269d1887866c15a539a3d99424f835
SHA1 d219c881df5ec78d07dac6a9db134a7f877880fb
SHA256 c2f552b75d4e4ad8a3fec38fb700bad25b6e32fb7616d3dd94672ed3f4f6de04
SHA512 2866f88408cb70d770ad96ce9f1755b392ab458287369a1d1deb4d8f3183fb242ee7209db7ce74ff3e63806c6f3a331bd8077cf679aabf147aab89c66ea625f3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk469242.exe

MD5 778dc79ee53274c98fe7a1637513505e
SHA1 4f7cbde5eb5ff2de0c3ff192bc797a15095c7e80
SHA256 a51182b3622057a27f583b2d0a01eb84aa234fddfab22d007bbba80c5b03067e
SHA512 602a539d8fac27a576516b8edf7cbb0656fa95143833b25d1f8e9fd1f4890230e6b2fadec7fb91f11eb9cad18f6a3e3a7ed37b414432896452689701005fd0e2