Malware Analysis Report

2024-12-06 02:55

Sample ID: 241110-cb7naawmex
Target:    24900801bd600871b4350fbe017003942b3eec78ce8b1ae36dbd49a683c3dd49
SHA256:    24900801bd600871b4350fbe017003942b3eec78ce8b1ae36dbd49a683c3dd49
Tags:      healer redline diza norm discovery dropper evasion infostealer persistence trojan
Score:     10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score:        10/10
SHA256:       24900801bd600871b4350fbe017003942b3eec78ce8b1ae36dbd49a683c3dd49
Threat Level: Known bad

The file 24900801bd600871b4350fbe017003942b3eec78ce8b1ae36dbd49a683c3dd49 was found to be: Known bad.

Malicious Activity Summary

Tags: healer redline diza norm discovery dropper evasion infostealer persistence trojan

Signatures matched:
  Modifies Windows Defender Real-time Protection settings
  RedLine payload
  Healer
  Redline family
  Healer family
  RedLine
  Detects Healer, an antivirus-disabler dropper
  Executes dropped EXE
  Windows security modification
  Checks computer location settings
  Adds Run key to start application
  Unsigned PE
  System Location Discovery: System Language Discovery
  Program crash
  Enumerates physical storage devices
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-10 01:55

Signatures

Unsigned PE
  (no indicator rows recorded for this signature)

Analysis: behavioral1

Detonation Overview

Submitted:        2024-11-10 01:55
Reported:         2024-11-10 01:57
Platform:         win10v2004-20241007-en
Max time kernel:  146s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\24900801bd600871b4350fbe017003942b3eec78ce8b1ae36dbd49a683c3dd49.exe"

Signatures

Detects Healer, an antivirus-disabler dropper

Matched 17 times; the report records no description, indicator, process or target for these matches.

Healer

Tags: dropper healer

Healer family

Tags: healer

Modifies Windows Defender Real-time Protection settings

Tags: evasion trojan

All six events are by C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7121.exe under
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (target: N/A), in the order logged:

  Set value (int)  DisableRealtimeMonitoring   = 1
  Set value (int)  DisableScanOnRealtimeEnable = 1
  Key created      Real-Time Protection
  Set value (int)  DisableBehaviorMonitoring   = 1
  Set value (int)  DisableIOAVProtection       = 1
  Set value (int)  DisableOnAccessProtection   = 1

Notes for responders: the writes land in the WOW6432Node view because pro7121.exe is a 32-bit process (its crash handler below is the SysWOW64 WerFault), so a registry hunt should check both the native Policies key and the WOW6432Node copy. A successful write in the sandbox is evidence of intent, not of outcome: on a host with Tamper Protection enabled these policy values do not take effect, and an effective change shows up in the Microsoft-Windows-Windows Defender/Operational log (event 5001 when real-time protection is turned off, 5007 for configuration changes).

RedLine

Tags: infostealer redline

RedLine payload

Matched 5 times; the report records no description, indicator, process or target for these matches.

Redline family

Tags: redline

Checks computer location settings

  Key value queried  \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation
  Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8194.exe  (target: N/A)

Geo\Nation holds the user's configured country code. Only qu8194.exe reads it, which is the usual shape of a loader deciding whether to run its payload in a given region; the report does not show what decision, if any, was taken on the value.

Windows security modification

Tags: evasion trojan

Both events are by C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7121.exe under
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (target: N/A):

  Key created      Features
  Set value (int)  TamperProtection = 0

This is the very value Tamper Protection exists to guard; on a host with Tamper Protection enabled a write from an untrusted process is blocked or reverted. Treat the entry as an attempt to switch protection off, and verify the effective state on a real host with Get-MpComputerStatus rather than from the registry alone.

Adds Run key to start application

Tags: persistence

  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
    = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
    Process: C:\Users\Admin\AppData\Local\Temp\24900801bd600871b4350fbe017003942b3eec78ce8b1ae36dbd49a683c3dd49.exe  (target: N/A)

  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1
    = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
    Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un492045.exe  (target: N/A)

These are not persistence in the usual sense. The wextract_cleanupN RunOnce entries, the IXP000.TMP / IXP001.TMP directory names and the rundll32 advpack.dll,DelNodeRunDLL32 command are the standard self-cleanup hook of the WEXTRACT (IExpress) self-extracting packager: at next logon the extraction directory is deleted, nothing is re-launched. The signature fires on the key, not on an autorun. What the two entries do tell an analyst is that the sample is two nested SFX layers: the outer file extracts to IXP000.TMP (un492045.exe, si255499.exe) and un492045.exe extracts to IXP001.TMP (pro7121.exe, qu8194.exe), matching the process list below.

Enumerates physical storage devices

  (no indicator rows recorded for this signature)

System Location Discovery: System Language Discovery

Tags: discovery

  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (target: N/A) by each of:
    C:\Users\Admin\AppData\Local\Temp\24900801bd600871b4350fbe017003942b3eec78ce8b1ae36dbd49a683c3dd49.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un492045.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7121.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8194.exe
    C:\Windows\Temp\1.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si255499.exe

Opening the NLS\Language key is also done by ordinary runtime initialisation, and every process in the chain triggers it, so this signature carries no weight on its own; the Geo\Nation read by qu8194.exe above is the more specific location check.

Suspicious behavior: EnumeratesProcesses

  2 events by C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7121.exe (no indicator or target recorded)

Suspicious use of AdjustPrivilegeToken

  Token: SeDebugPrivilege  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7121.exe  (target: N/A)
  Token: SeDebugPrivilege  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8194.exe   (target: N/A)

SeDebugPrivilege lets a process open handles to processes it does not own; combined with the process enumeration by pro7121.exe it is the usual preparation for tampering with security tooling, though the report records no such cross-process handle here.

Suspicious use of WriteProcessMemory

Each parent-to-child pair appears three times in the raw log; collapsed here to one row per pair with the repeat count.

  PID 2400 -> 4584  (x3)
    C:\Users\Admin\AppData\Local\Temp\24900801bd600871b4350fbe017003942b3eec78ce8b1ae36dbd49a683c3dd49.exe
    -> C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un492045.exe
  PID 4584 -> 2836  (x3)
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un492045.exe
    -> C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7121.exe
  PID 4584 -> 3320  (x3)
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un492045.exe
    -> C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8194.exe
  PID 3320 -> 5328  (x3)
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8194.exe
    -> C:\Windows\Temp\1.exe
  PID 2400 -> 5844  (x3)
    C:\Users\Admin\AppData\Local\Temp\24900801bd600871b4350fbe017003942b3eec78ce8b1ae36dbd49a683c3dd49.exe
    -> C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si255499.exe

Every writer/target pair here is a parent and the child it spawned (the same pairs make up the process list below), and no process writes into a PID it did not create. That is the memory write a parent performs when starting a child, not injection into a foreign process; the signature name alone does not distinguish the two.
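The distinction made above (spawn-time writes versus injection) is easy to check mechanically from the rows themselves. The Python below is an added example, not code from the report or the sandbox: it parses the "wrote to memory of" rows exactly as printed, dedupes the triplicates, rebuilds the process tree, and flags any PID that has more than one distinct writer, which is the shape real injection would have. The event lines are copied from the report; the regex, tree rendering and the name injection_candidates are assumptions.

```python
r"""Rebuild the process tree from "wrote to memory of" events.

Added example: not code from the report, the sandbox, or the sample.
A parent's WriteProcessMemory into a child it has just created is logged
like any other cross-process write, so these rows double as a process
creation log (each spawn appears three times in the report). The code
dedupes the rows, builds the parent/child tree, and flags any PID written
to by more than one distinct process. Event lines are copied from the
report; the regex and the rendering are assumptions.
"""
import re

EVENTS = r"""
PID 2400 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\24900801bd600871b4350fbe017003942b3eec78ce8b1ae36dbd49a683c3dd49.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un492045.exe
PID 2400 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\24900801bd600871b4350fbe017003942b3eec78ce8b1ae36dbd49a683c3dd49.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un492045.exe
PID 2400 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\24900801bd600871b4350fbe017003942b3eec78ce8b1ae36dbd49a683c3dd49.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un492045.exe
PID 4584 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un492045.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7121.exe
PID 4584 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un492045.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7121.exe
PID 4584 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un492045.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7121.exe
PID 4584 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un492045.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8194.exe
PID 4584 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un492045.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8194.exe
PID 4584 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un492045.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8194.exe
PID 3320 wrote to memory of 5328 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8194.exe C:\Windows\Temp\1.exe
PID 3320 wrote to memory of 5328 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8194.exe C:\Windows\Temp\1.exe
PID 3320 wrote to memory of 5328 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8194.exe C:\Windows\Temp\1.exe
PID 2400 wrote to memory of 5844 N/A C:\Users\Admin\AppData\Local\Temp\24900801bd600871b4350fbe017003942b3eec78ce8b1ae36dbd49a683c3dd49.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si255499.exe
PID 2400 wrote to memory of 5844 N/A C:\Users\Admin\AppData\Local\Temp\24900801bd600871b4350fbe017003942b3eec78ce8b1ae36dbd49a683c3dd49.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si255499.exe
PID 2400 wrote to memory of 5844 N/A C:\Users\Admin\AppData\Local\Temp\24900801bd600871b4350fbe017003942b3eec78ce8b1ae36dbd49a683c3dd49.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si255499.exe
""".strip().splitlines()

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_writes(lines):
    """Ordered, de-duplicated {(writer_pid, target_pid): (writer_image, target_image)}."""
    edges = {}
    for line in lines:
        m = WPM_RE.match(line.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            edges.setdefault((int(src), int(dst)), (src_img, dst_img))
    return edges


def build_tree(edges):
    """Return (children, images, roots); roots are PIDs nobody wrote into."""
    children, images = {}, {}
    for (src, dst), (src_img, dst_img) in edges.items():
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
        children.setdefault(src, []).append(dst)
    written_to = {dst for _, dst in edges}
    roots = [pid for pid in images if pid not in written_to]
    return children, images, roots


def injection_candidates(edges):
    """PIDs with more than one distinct writer. A child has exactly one
    parent, so a second writer means something other than process creation."""
    writers = {}
    for src, dst in edges:
        writers.setdefault(dst, set()).add(src)
    return sorted(dst for dst, w in writers.items() if len(w) > 1)


def render(children, images, roots):
    """Indented tree, one '<pid> <image basename>' per line."""
    out = []

    def walk(pid, depth):
        out.append("  " * depth + f"{pid} " + images[pid].rsplit("\\", 1)[-1])
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(out)


if __name__ == "__main__":
    edges = parse_writes(EVENTS)
    print(render(*build_tree(edges)))
    print("injection candidates:", injection_candidates(edges) or "none")
```

On the report's rows the tree has a single root (2400) and no injection candidates; adding a row in which a second PID writes into 2836 would make 2836 show up as a candidate, which is the check to run before calling a WriteProcessMemory hit "injection".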

Processes

Process tree; PIDs are taken from the WriteProcessMemory rows and the WerFault arguments in this report.

2400  C:\Users\Admin\AppData\Local\Temp\24900801bd600871b4350fbe017003942b3eec78ce8b1ae36dbd49a683c3dd49.exe
      "C:\Users\Admin\AppData\Local\Temp\24900801bd600871b4350fbe017003942b3eec78ce8b1ae36dbd49a683c3dd49.exe"
  4584  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un492045.exe
        (second SFX layer, extracts to IXP001.TMP)
    2836  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7121.exe
          (writes the Defender policy and TamperProtection values; crashed)
    3320  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8194.exe
          (reads Geo\Nation, drops and starts 1.exe; crashed)
      5328  C:\Windows\Temp\1.exe
            "C:\Windows\Temp\1.exe"
  5844  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si255499.exe

Windows Error Reporting handlers for the two crashed PIDs (the "Program crash" signature); the SysWOW64 path shows the crashed processes are 32-bit:

  C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2836 -ip 2836
  C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 1096
  C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3320 -ip 3320
  C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 1384

Network

Raw rows collapsed to one line per endpoint; Count is the number of raw rows.

Country  Destination          Proto  Count  Notes
FI       77.91.124.145:4125   tcp    12     only non-DNS endpoint; repeated connections on a fixed high port, consistent with the RedLine C2 check-in
US       8.8.8.8:53           udp    10     reverse (PTR) lookups, one per name below

PTR names sent to 8.8.8.8 (in order seen):
  149.220.183.52.in-addr.arpa
  74.32.126.40.in-addr.arpa
  95.221.229.192.in-addr.arpa
  97.17.167.52.in-addr.arpa
  212.20.149.52.in-addr.arpa
  198.187.3.20.in-addr.arpa
  105.209.201.84.in-addr.arpa
  228.249.119.40.in-addr.arpa
  88.210.23.2.in-addr.arpa
  29.243.111.52.in-addr.arpa

None of the reverse-resolved addresses is contacted directly in this run, and the report attributes no process to them, so treat them as low-value background lookups. 77.91.124.145:4125 is the indicator worth blocking and hunting for.
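Separating the one real endpoint from the resolver noise is the kind of summary a responder wants straight from the table. The Python below is an added example, not code from the report or the sandbox: it parses the Network rows as printed, collapses repeats into per-endpoint counts, and decodes each in-addr.arpa name back to the address that was looked up so the PTR list can be compared against the direct connections. The rows are copied from the report; the row regex, the bucket names and the summarise/ptr_to_ip helpers are assumptions.

```python
r"""Summarise the Network table of a sandbox report.

Added example: not code from the report or the sandbox. It collapses the
repeated rows to one entry per endpoint, separates reverse (PTR) lookups
sent to the resolver from direct connections, and decodes each
in-addr.arpa name back to the address that was looked up. Rows are copied
from the report; the regex and the output layout are assumptions.
"""
import re
from collections import Counter

ROWS = r"""
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
""".strip().splitlines()

# Row layout: <country> <ip>:<port> [<domain>] <proto>
ROW_RE = re.compile(r"^([A-Z]{2}) (\S+):(\d+)(?: (\S+))? (tcp|udp)$")


def ptr_to_ip(name):
    """'149.220.183.52.in-addr.arpa' -> '52.183.220.149'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name or not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def parse_rows(lines):
    """[(country, ip, port, domain_or_None, proto), ...] in the order seen."""
    rows = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            cc, ip, port, domain, proto = m.groups()
            rows.append((cc, ip, int(port), domain, proto))
    return rows


def summarise(rows):
    """{'direct': [(cc, ip, port, proto, count), ...], 'ptr_lookups': [ip, ...]}"""
    direct = Counter()
    lookups = {}  # insertion-ordered set of addresses that were reverse-resolved
    for cc, ip, port, domain, proto in rows:
        target = ptr_to_ip(domain)
        if proto == "udp" and port == 53 and target:
            lookups[target] = None
        else:
            direct[(cc, ip, port, proto)] += 1
    return {
        "direct": [(*endpoint, n) for endpoint, n in direct.items()],
        "ptr_lookups": list(lookups),
    }


if __name__ == "__main__":
    s = summarise(parse_rows(ROWS))
    for cc, ip, port, proto, n in s["direct"]:
        print(f"{cc} {ip}:{port}/{proto} x{n}")
    print("reverse-resolved:", ", ".join(s["ptr_lookups"]))
```

A useful extension on a real incident is to intersect ptr_lookups with the direct endpoints: an address that is both reverse-resolved and then connected to is sample activity, while addresses that only appear in PTR queries, as all ten do here, are usually the operating system's own background lookups.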

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un492045.exe

MD5 33a5c8407ff2e0a027dc731739cb1b7c
SHA1 7fe3170b56bdbdb840f1d6f68b636eabc6385e9d
SHA256 9677aa99ecb916b2be8861f2ae57b3ce9301a4d3cd2581eb8e69ea54d91270de
SHA512 df350357f07040ef05883c9846eb91096c7f344f2f2dbf8a2b2f644cc5754116d31e9a65327ff75b2471af2f7c63027fbe5650293f2e42710f3053f66c4dc14b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7121.exe

MD5 72588ad603def2177af0d721b0c580ef
SHA1 9af82951214586d9e7f4fc3bdccf9a8e86420003
SHA256 98a5e923e02b3ac9b33bd84b6e8e1ce88505754c565a52a4df2b82e56e7bdfb9
SHA512 d3cf0c9d6dc8817ea3ca288c2a11168aa67cffaf89687c5d4240e94d76167e1843a82dbb22203e4fa686927b1c3f892134aa5579eb6ae12c3213d968f431e2a0

Memory dumps for PID 2836 (pro7121.exe), named <pid>-<sequence>-<start>-<end>:
memory/2836-15-0x0000000000720000-0x0000000000820000-memory.dmp
memory/2836-17-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2836-16-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2836-18-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2836-19-0x00000000023B0000-0x00000000023CA000-memory.dmp
memory/2836-20-0x0000000004C30000-0x00000000051D4000-memory.dmp
memory/2836-21-0x0000000004A40000-0x0000000004A58000-memory.dmp
memory/2836-45-0x0000000004A40000-0x0000000004A52000-memory.dmp
memory/2836-49-0x0000000004A40000-0x0000000004A52000-memory.dmp
memory/2836-47-0x0000000004A40000-0x0000000004A52000-memory.dmp
memory/2836-43-0x0000000004A40000-0x0000000004A52000-memory.dmp
memory/2836-41-0x0000000004A40000-0x0000000004A52000-memory.dmp
memory/2836-39-0x0000000004A40000-0x0000000004A52000-memory.dmp
memory/2836-37-0x0000000004A40000-0x0000000004A52000-memory.dmp
memory/2836-35-0x0000000004A40000-0x0000000004A52000-memory.dmp
memory/2836-33-0x0000000004A40000-0x0000000004A52000-memory.dmp
memory/2836-31-0x0000000004A40000-0x0000000004A52000-memory.dmp
memory/2836-29-0x0000000004A40000-0x0000000004A52000-memory.dmp
memory/2836-27-0x0000000004A40000-0x0000000004A52000-memory.dmp
memory/2836-25-0x0000000004A40000-0x0000000004A52000-memory.dmp
memory/2836-23-0x0000000004A40000-0x0000000004A52000-memory.dmp
memory/2836-22-0x0000000004A40000-0x0000000004A52000-memory.dmp
memory/2836-50-0x0000000000720000-0x0000000000820000-memory.dmp
memory/2836-51-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2836-54-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2836-55-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8194.exe

MD5 c9c1c4fc1127adb061926775bd9df811
SHA1 e86aa238c9825ff1059f9ea7f1cec3571149792b
SHA256 a54c53830642728fbfd9a590c06fa3cc7c68a5173b6dab1723748d264981e0f1
SHA512 59445c6248038f8f04551e130b9fa7935249403b58a43ee3f97ff96bb5e3fb0aeaa0a183cd07a9af9067b1d2f90e474e856ca6ffc0b0548085480d1945e573d1

Memory dumps for PID 3320 (qu8194.exe):
memory/3320-60-0x00000000049E0000-0x0000000004A46000-memory.dmp
memory/3320-61-0x00000000051B0000-0x0000000005216000-memory.dmp
memory/3320-65-0x00000000051B0000-0x000000000520F000-memory.dmp
memory/3320-75-0x00000000051B0000-0x000000000520F000-memory.dmp
memory/3320-95-0x00000000051B0000-0x000000000520F000-memory.dmp
memory/3320-93-0x00000000051B0000-0x000000000520F000-memory.dmp
memory/3320-91-0x00000000051B0000-0x000000000520F000-memory.dmp
memory/3320-89-0x00000000051B0000-0x000000000520F000-memory.dmp
memory/3320-87-0x00000000051B0000-0x000000000520F000-memory.dmp
memory/3320-85-0x00000000051B0000-0x000000000520F000-memory.dmp
memory/3320-83-0x00000000051B0000-0x000000000520F000-memory.dmp
memory/3320-81-0x00000000051B0000-0x000000000520F000-memory.dmp
memory/3320-77-0x00000000051B0000-0x000000000520F000-memory.dmp
memory/3320-79-0x00000000051B0000-0x000000000520F000-memory.dmp
memory/3320-73-0x00000000051B0000-0x000000000520F000-memory.dmp
memory/3320-71-0x00000000051B0000-0x000000000520F000-memory.dmp
memory/3320-69-0x00000000051B0000-0x000000000520F000-memory.dmp
memory/3320-68-0x00000000051B0000-0x000000000520F000-memory.dmp
memory/3320-63-0x00000000051B0000-0x000000000520F000-memory.dmp
memory/3320-62-0x00000000051B0000-0x000000000520F000-memory.dmp
memory/3320-2142-0x0000000005400000-0x0000000005432000-memory.dmp

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

Memory dumps for PID 5328 (1.exe):
memory/5328-2155-0x00000000007C0000-0x00000000007F0000-memory.dmp
memory/5328-2156-0x0000000002910000-0x0000000002916000-memory.dmp
memory/5328-2157-0x0000000005750000-0x0000000005D68000-memory.dmp
memory/5328-2158-0x0000000005240000-0x000000000534A000-memory.dmp
memory/5328-2159-0x0000000005150000-0x0000000005162000-memory.dmp
memory/5328-2160-0x00000000051B0000-0x00000000051EC000-memory.dmp
memory/5328-2161-0x00000000051F0000-0x000000000523C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si255499.exe

MD5 f4c99dd40e15b75b764c92d01ca33804
SHA1 fe006831474f68bf1b1d767eadc8e571d552b6af
SHA256 00a626658bf843444bbda6f15be39068fe6885ea79163e4b69d00a1fe22a54ad
SHA512 90dbb84bdcf7011d1fe27b848b3d3f72030d359acb4e36c7d74942dde204debeba2d037b81d86e197cb4bd9d622a392658bb3bce306a28beddf49cfe20957b02

Memory dumps for PID 5844 (si255499.exe):
memory/5844-2166-0x0000000000380000-0x00000000003AE000-memory.dmp
memory/5844-2167-0x0000000004B60000-0x0000000004B66000-memory.dmp