Malware Analysis Report

2024-12-06 02:55

Sample ID 241110-cc635szmcr
Target 2a5af417adf1ff89e6892cc1b97a0d8dafae100c8bb4932b285defc529ec9adc
SHA256 2a5af417adf1ff89e6892cc1b97a0d8dafae100c8bb4932b285defc529ec9adc
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10


Analysis Overview

score
10/10

SHA256

2a5af417adf1ff89e6892cc1b97a0d8dafae100c8bb4932b285defc529ec9adc

Threat Level: Known bad

The file 2a5af417adf1ff89e6892cc1b97a0d8dafae100c8bb4932b285defc529ec9adc was found to be: Known bad. In this detonation it acts as a nested self-extracting dropper: the sample unpacks un899885.exe into IXP000.TMP, which in turn extracts 47759559.exe (the Healer component that turns off Windows Defender real-time protection through registry policy) and rk055686.exe into IXP001.TMP. The run is tagged RedLine, and the only outbound traffic is repeated TCP connections to 185.161.248.142:38452.

Malicious Activity Summary

Healer

Modifies Windows Defender Real-time Protection settings

Redline family

RedLine

Detects Healer, an antivirus disabler dropper

RedLine payload

Healer family

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK (Enterprise Matrix V15)

No technique mapping is present in this copy of the report.

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:56

Signatures

Unsigned PE

The submitted file carries no Authenticode signature. No further indicator details are recorded for this signature.

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:56

Reported

2024-11-10 01:59

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2a5af417adf1ff89e6892cc1b97a0d8dafae100c8bb4932b285defc529ec9adc.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
(17 indicator rows, every field N/A: the signature fired, but the export carries no detail for it.)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47759559.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47759559.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47759559.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47759559.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47759559.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47759559.exe N/A

All five policy values are written by the second dropped executable, 47759559.exe, and each switches off one layer of Defender's real-time engine: behaviour monitoring, scanning of downloaded files and attachments (IOAV), on-access scanning, real-time monitoring, and the scan that normally runs when real-time protection is re-enabled. The writer is a 32-bit process, so the sandbox logged the redirected path under WOW6432Node; a detection rule for these values should match the key with and without that segment. Whether the 64-bit Defender service honoured a policy written in the 32-bit view is something to verify on the host, not to assume from the trace.

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(20 indicator rows, every field N/A: no detail was exported for this signature.)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47759559.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47759559.exe N/A

The same process sets TamperProtection to 0 under Windows Defender\Features. On a host where Tamper Protection is enabled, Defender protects this value and ignores direct registry changes to it, so a write that succeeds in the sandbox (where the feature is normally off) demonstrates intent, not effect. Treat the write itself as the indicator.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\2a5af417adf1ff89e6892cc1b97a0d8dafae100c8bb4932b285defc529ec9adc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un899885.exe N/A

Both RunOnce values are the standard cleanup entries written by wextract.exe, the self-extractor behind IExpress packages: at the next logon, rundll32 calls DelNodeRunDLL32 in advpack.dll to delete the IXP000.TMP and IXP001.TMP extraction folders. They explain the IXP###.TMP paths throughout the trace (the sample is an IExpress-style package with a second one nested inside), and they delete the dropped files rather than relaunch them, so despite the signature name they are not payload persistence. A rule that fires on RunOnce writes should exempt the wextract_cleanup<N> name with DelNodeRunDLL32 data and look for other autorun writes from the dropped executables; none appear in this trace.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2a5af417adf1ff89e6892cc1b97a0d8dafae100c8bb4932b285defc529ec9adc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un899885.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47759559.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk055686.exe N/A

All four processes open the NLS\Language key. Reading the system language this way is common to ordinary installers as well as to malware that refuses to run on certain locales, so on its own it is a weak indicator; it is listed because the sandbox maps the key access to System Language Discovery.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47759559.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47759559.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47759559.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk055686.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3736 wrote to memory of 3632 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\2a5af417adf1ff89e6892cc1b97a0d8dafae100c8bb4932b285defc529ec9adc.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un899885.exe
PID 3632 wrote to memory of 3660 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un899885.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47759559.exe
PID 3632 wrote to memory of 1300 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un899885.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk055686.exe

Every write goes from a parent into the child it has just started, three writes per child, the pattern of an ordinary process launch in which the parent populates the new process before its main thread runs. None of the dropped executables writes into a process it did not create, so this table gives the execution chain (3736 -> 3632 -> 3660 and 1300) rather than evidence of injection.
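Rebuilding the process chain from these rows, as an added example that is not part of the report: the rows are copied from the table above (each repeated three times, as the table lists them), the parsing and tree construction are mine, and the "more than three writes per edge" threshold used to flag candidate injection is an assumption drawn from this trace, where every process start produced exactly three writes, not a Windows constant.

```python
"""Rebuild the execution chain from the WriteProcessMemory rows above.

Added example, not part of the report. ROWS is copied from the table (three identical
rows per parent/child pair). WRITES_PER_START = 3 is an assumption taken from this trace:
each process start here produced exactly three parent-to-child writes.
"""
import re
from collections import Counter, defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2a5af417adf1ff89e6892cc1b97a0d8dafae100c8bb4932b285defc529ec9adc.exe"
STAGE2 = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un899885.exe"
HEALER = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47759559.exe"
REDLINE = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk055686.exe"

ROWS = (
    [f"PID 3736 wrote to memory of 3632 N/A {SAMPLE} {STAGE2}"] * 3
    + [f"PID 3632 wrote to memory of 3660 N/A {STAGE2} {HEALER}"] * 3
    + [f"PID 3632 wrote to memory of 1300 N/A {STAGE2} {REDLINE}"] * 3
)
WRITES_PER_START = 3   # assumption from this trace, see docstring

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

def parse_writes(rows):
    """Return (counts, images): writes per (parent, child) pair and image path per PID."""
    counts, images = Counter(), {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        src, dst, src_img, dst_img = m.groups()
        src, dst = int(src), int(dst)
        counts[(src, dst)] += 1
        images[src], images[dst] = src_img, dst_img
    return counts, images

def build_tree(counts):
    """children[pid] in first-seen order; roots are PIDs nobody wrote into."""
    children, targets = defaultdict(list), set()
    for src, dst in counts:                 # Counter preserves insertion order
        children[src].append(dst)
        targets.add(dst)
    seen = dict.fromkeys(pid for edge in counts for pid in edge)
    roots = [pid for pid in seen if pid not in targets]
    return roots, children

def suspicious_edges(counts, expected=WRITES_PER_START):
    """Edges with more writes than a plain process start: candidates for injection."""
    return [edge for edge, n in counts.items() if n > expected]

def render(pid, children, images, counts, depth=0):
    """Indented chain, one line per process, with the write count on each edge."""
    name = images[pid].rsplit("\\", 1)[-1]
    lines = [f"{'    ' * depth}{pid}  {name}"]
    for child in children.get(pid, []):
        lines.append(f"{'    ' * depth}   |  {counts[(pid, child)]} writes")
        lines.extend(render(child, children, images, counts, depth + 1))
    return lines

if __name__ == "__main__":
    counts, images = parse_writes(ROWS)
    roots, children = build_tree(counts)
    for root in roots:
        print("\n".join(render(root, children, images, counts)))
    print("injection candidates:", suspicious_edges(counts) or "none")
```

The rendered chain is the submitted sample (3736) starting un899885.exe (3632), which starts 47759559.exe (3660) and rk055686.exe (1300); with three writes on every edge, `suspicious_edges` returns nothing, which matches the reading of the table above.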

Processes

PID 3736  C:\Users\Admin\AppData\Local\Temp\2a5af417adf1ff89e6892cc1b97a0d8dafae100c8bb4932b285defc529ec9adc.exe  (submitted sample, run as "C:\Users\Admin\AppData\Local\Temp\2a5af417adf1ff89e6892cc1b97a0d8dafae100c8bb4932b285defc529ec9adc.exe")
    PID 3632  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un899885.exe  (extracted by the sample; itself an extractor)
        PID 3660  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47759559.exe  (Healer component: source of every Defender registry write above)
        PID 1300  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk055686.exe  (the remaining dropped executable; the RedLine payload by elimination)

PIDs are taken from the WriteProcessMemory table. Each child was started with its own path as the entire command line.

Network

Country Destination Domain Proto Count
RU 185.161.248.142:38452 (none) tcp 7
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp 1
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp 1
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp 1
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp 1
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp 1
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp 1
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp 1

The seven TCP rows are repeated connections to one endpoint, 185.161.248.142 on port 38452, and no DNS query in the trace resolves a hostname for it, so the address is carried in the payload rather than looked up. The trace does not tie the connection to a process; it is the only outbound traffic in a run tagged RedLine, whose command-and-control is plain TCP to a configured IP and port, so the endpoint is the indicator to block and hunt for. The UDP rows are reverse (PTR) lookups through 8.8.8.8 for addresses such as 20.106.86.13 and 199.232.210.172; they carry no indicator of their own and cannot be attributed to the sample from this table.
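Reducing the Network table to indicators is mostly a matter of separating reverse lookups from real connections. The script below is an added example, not part of the report: the rows are copied from the table, the processing is mine. It turns each in-addr.arpa name back into the address it asks about, counts direct connections per endpoint, and reports whether any forward DNS name was resolved at all (here none, which is why the endpoint must be embedded in the payload).

```python
"""Collapse the Network table above into endpoints and reverse lookups.

Added example, not part of the report. ROWS is copied from the table: country,
destination, domain, protocol; the domain column is empty for the raw TCP rows.
"""
import re
from collections import Counter

ROWS = [
    "US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp",
    "US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp",
    "US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp",
    "US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp",
    "RU 185.161.248.142:38452 tcp",
    "US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp",
    "US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp",
    "US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp",
    "RU 185.161.248.142:38452 tcp",
    "RU 185.161.248.142:38452 tcp",
    "US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp",
    "RU 185.161.248.142:38452 tcp",
    "US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp",
    "RU 185.161.248.142:38452 tcp",
    "RU 185.161.248.142:38452 tcp",
    "RU 185.161.248.142:38452 tcp",
]

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.I)

def ptr_to_ip(name):
    """'13.86.106.20.in-addr.arpa' -> '20.106.86.13'; None if not a reverse-lookup name."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None

def parse_row(row):
    """Split a table row into (country, ip, port, domain, proto)."""
    parts = row.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = ""
    else:
        raise ValueError(f"unrecognised row: {row!r}")
    ip, port = dest.rsplit(":", 1)
    return country, ip, int(port), domain, proto

def summarise(rows):
    """Return (direct, ptr): direct[(country, ip, port, proto)] = count; ptr = IPs looked up in reverse."""
    direct, ptr = Counter(), []
    for row in rows:
        country, ip, port, domain, proto = parse_row(row)
        target = ptr_to_ip(domain) if proto == "udp" and port == 53 else None
        if target:
            ptr.append(target)
        else:
            direct[(country, ip, port, proto)] += 1
    return direct, ptr

def hostnames_resolved(rows):
    """Forward (non-PTR) DNS names in the trace; empty means every endpoint was reached by literal IP."""
    names = set()
    for row in rows:
        domain = parse_row(row)[3]
        if domain and ptr_to_ip(domain) is None:
            names.add(domain)
    return sorted(names)

def report(rows):
    direct, ptr = summarise(rows)
    lines = ["Direct connections:"]
    lines += [f"  {c} {ip}:{port}/{proto} x{n}" for (c, ip, port, proto), n in direct.most_common()]
    lines.append(f"Forward DNS names: {', '.join(hostnames_resolved(rows)) or 'none'}")
    lines.append("Reverse lookups (PTR) sent to 8.8.8.8 for:")
    lines += [f"  {ip}" for ip in ptr]
    return lines

if __name__ == "__main__":
    print("\n".join(report(ROWS)))
```

For this trace the output is a single direct endpoint, 185.161.248.142:38452/tcp seen seven times, no forward DNS name, and nine reverse lookups; the same code applied to a richer trace would also list any hostnames that were resolved before a connection, which is the first thing to check before deciding an address is hard-coded.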

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un899885.exe

MD5 1be153fb668714ac354a40138fdda8b8
SHA1 3be8d085f87dc5e71e1776c329b1ff93d29665d2
SHA256 94778da5b727cad2cbc28811a518082b682fa4ba2546b611f395e2a3f4c708c9
SHA512 27d5747a82b4ae02a27073e99aec2905ae7e9baf1c6a70829b915aad703f9b2853ef6bb7376b07640d017b868042892b8733f315aa5112b30f9a50ed7d3dca2d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47759559.exe (Healer component; writer of the Defender registry changes)

MD5 b4c654b18a128cb94ff6a795e28c9095
SHA1 912e0f26390b655e16b38cb2f9437603e0355388
SHA256 125d3171d08e1fd5727192dca3b160e445fa7f297ee5f54b389a6a90e1224180
SHA512 ec5a165fd91c61bf2c4d352f00eae9fd83b30d298a05cb18afb1ba06e83a97d3603b56ddcb7830f7aa0dd3aadb4d3b2e254f4f696b8bad76a9536fb2194eb960

Memory dumps captured for PID 3660 (47759559.exe):
memory/3660-15-0x00000000009E0000-0x0000000000AE0000-memory.dmp
memory/3660-17-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3660-16-0x0000000000970000-0x000000000099D000-memory.dmp
memory/3660-18-0x0000000000400000-0x0000000000807000-memory.dmp
memory/3660-19-0x00000000025F0000-0x000000000260A000-memory.dmp
memory/3660-20-0x0000000005180000-0x0000000005724000-memory.dmp
memory/3660-21-0x0000000002980000-0x0000000002998000-memory.dmp
memory/3660-N-0x0000000002980000-0x0000000002992000-memory.dmp for N = 22, 23, 25, 27, 29, 31, 33, 35, 37, 39, 41, 43, 45, 47, 49
memory/3660-50-0x00000000009E0000-0x0000000000AE0000-memory.dmp
memory/3660-51-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3660-54-0x0000000000400000-0x0000000000807000-memory.dmp
memory/3660-55-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk055686.exe (remaining dropped executable; RedLine payload by elimination)

MD5 c753aa68e1f5e14ba34900f291f73ff6
SHA1 2860c1a8005d7a74fe327229c82511f286de755b
SHA256 36f6fa5839bf50a9f51506e66b9e7d8c861467ac5d83e23b34242cb65b6ef7bd
SHA512 c6a73e2d87551123d5277511a807294044ccad3b36f45642a7a5490f4c55c202056808428ccba1d6c5dc52d0cf4bec932736d385af017ff129f67afe1d0b19ab

Memory dumps captured for PID 1300 (rk055686.exe):
memory/1300-60-0x00000000028D0000-0x000000000290C000-memory.dmp
memory/1300-61-0x0000000002AB0000-0x0000000002AEA000-memory.dmp
memory/1300-N-0x0000000002AB0000-0x0000000002AE5000-memory.dmp for N = 62, 63, 65, 67, 69, 71, 73, 75, 77, 79, 82, 83, 85, 87, 90, 91, 93, 95
memory/1300-854-0x00000000079C0000-0x0000000007FD8000-memory.dmp
memory/1300-855-0x0000000005040000-0x0000000005052000-memory.dmp
memory/1300-856-0x0000000007FE0000-0x00000000080EA000-memory.dmp
memory/1300-857-0x00000000080F0000-0x000000000812C000-memory.dmp
memory/1300-858-0x00000000025C0000-0x000000000260C000-memory.dmp