Malware Analysis Report

2024-12-06 03:01

Sample ID 241110-cc95sswmgt
Target a7a18c66565bbcfaaff3bad2e21f3fe0abba16d028554f286e95570f518faac4
SHA256 a7a18c66565bbcfaaff3bad2e21f3fe0abba16d028554f286e95570f518faac4
Tags
healer redline max discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a7a18c66565bbcfaaff3bad2e21f3fe0abba16d028554f286e95570f518faac4

Threat Level: Known bad

The file a7a18c66565bbcfaaff3bad2e21f3fe0abba16d028554f286e95570f518faac4 was found to be: Known bad.

Malicious Activity Summary

healer redline max discovery dropper evasion infostealer persistence trojan

Detects Healer, an antivirus disabler dropper

RedLine payload

Redline family

RedLine

Healer family

Modifies Windows Defender Real-time Protection settings

Healer

Executes dropped EXE

Windows security modification

Adds Run key to start application

Launches sc.exe

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:57

Reported

2024-11-10 01:59

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7a18c66565bbcfaaff3bad2e21f3fe0abba16d028554f286e95570f518faac4.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
(17 hits; description, indicator, process and target are all N/A in the export)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Caveat: the rows below are registry policy writes by a27523730.exe, not evidence that protection actually went down. With Tamper Protection enabled, Defender rejects changes to its real-time protection settings made through the registry and does not let the TamperProtection value itself be switched off that way, so whether these writes took effect depends on the state of the analysis image. On a suspect host, read the live state back with Get-MpComputerStatus (RealTimeProtectionEnabled, IsTamperProtected) rather than trusting the keys.
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(2 hits; description, indicator, process and target are all N/A in the export)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe N/A
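The two registry tables above are the observable a detection rule keys on. The following Python, added here as an example and not part of the sandbox report or any vendor tooling, re-parses those rows (transcribed verbatim), collapses the 32-bit WOW6432Node view onto the native policy path so one rule covers both views, and flags each write whose data value disables a Defender component. The ATT&CK mapping to T1562.001 and the rule table itself are my encoding, not something the report states.

```python
import re
from collections import Counter

# Registry events transcribed from this report's "Modifies Windows Defender
# Real-time Protection settings" and "Windows security modification" tables
# (one sandbox row per line: description, indicator, process, target).
REPORT_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe N/A
"""

# One "Set value" row: key path, value name, data, writing process, target.
SET_VALUE = re.compile(
    r'^Set value \((?:int|str)\) (?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\]+) = "(?P<data>[^"]*)" '
    r'(?P<proc>C:\\\S+) (?P<target>\S+)$'
)

# Native (64-bit view) paths; the WOW6432Node segment is stripped before comparison.
RTP_POLICY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection".lower()
FEATURES = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features".lower()

# (key, value name) -> data that disables protection: 1 under the policy key turns
# a component off, 0 under Features turns Tamper Protection off. My rule table.
DISABLING_WRITES = {
    (RTP_POLICY, "disablerealtimemonitoring"): "1",
    (RTP_POLICY, "disablebehaviormonitoring"): "1",
    (RTP_POLICY, "disableioavprotection"): "1",
    (RTP_POLICY, "disableonaccessprotection"): "1",
    (RTP_POLICY, "disablescanonrealtimeenable"): "1",
    (FEATURES, "tamperprotection"): "0",
}


def normalize_key(key: str) -> str:
    """Registry paths are case-insensitive; fold the 32-bit redirected view onto the native one."""
    return key.lower().replace("\\wow6432node", "")


def find_defender_tampering(events: str) -> list[dict]:
    """Return one finding per registry write that disables a Defender component."""
    findings = []
    for line in events.strip().splitlines():
        m = SET_VALUE.match(line)
        if not m:
            continue  # "Key created" rows carry no data to evaluate
        wanted = DISABLING_WRITES.get((normalize_key(m["key"]), m["name"].lower()))
        if wanted is not None and m["data"] == wanted:
            findings.append({
                "technique": "T1562.001",  # Impair Defenses: Disable or Modify Tools
                "value": m["name"],
                "data": m["data"],
                "process": m["proc"].rsplit("\\", 1)[-1],
            })
    return findings


def per_process(findings: list[dict]) -> Counter:
    """How many disabling writes each process made; a single process doing all of them is the Healer pattern."""
    return Counter(f["process"] for f in findings)


if __name__ == "__main__":
    hits = find_defender_tampering(REPORT_EVENTS)
    for f in hits:
        print(f"{f['technique']} {f['process']} set {f['value']}={f['data']}")
    print(per_process(hits))
```

The same parser runs unchanged over rows exported from another detonation; only the rule table needs extending if further Defender values (for example under the Spynet or Exclusions keys) are of interest.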

Adds Run key to start application

persistence
Caveat: the five wextract_cleanupN values below are written by the IExpress self-extractor (wextract) that each stage of this sample is packaged with. They run advpack.dll,DelNodeRunDLL32 once at next logon to delete the IXPnnn.TMP staging directory and do not relaunch any payload, so the signature is firing on a RunOnce write, not on persistence of the stealer; what they do tell you is that the chain is five nested self-extracting packages, each one dropping the next.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\a7a18c66565bbcfaaff3bad2e21f3fe0abba16d028554f286e95570f518faac4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07163428.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75194919.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i67822294.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i77361293.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a7a18c66565bbcfaaff3bad2e21f3fe0abba16d028554f286e95570f518faac4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07163428.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75194919.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i67822294.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i77361293.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b43711133.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3076 wrote to memory of 4844 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\a7a18c66565bbcfaaff3bad2e21f3fe0abba16d028554f286e95570f518faac4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07163428.exe
PID 4844 wrote to memory of 516 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07163428.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75194919.exe
PID 516 wrote to memory of 1908 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75194919.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i67822294.exe
PID 1908 wrote to memory of 4084 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i67822294.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i77361293.exe
PID 4084 wrote to memory of 2264 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i77361293.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe
PID 4084 wrote to memory of 2088 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i77361293.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b43711133.exe
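The WriteProcessMemory rows are the sandbox's view of each stage spawning the next (it records three writes per child process, which is why the raw export repeats every row). The following Python, added as an example and not part of the report, collapses the repeats, rebuilds the parent/child tree and tags each process with the IXPnnn.TMP directory it ran from, which makes the depth of the self-extractor nesting explicit and shows that both final payloads, a27523730.exe and b43711133.exe, are children of the stage-3 process 4084. The row text is transcribed from the report as originally exported; the helper names are mine.

```python
import re
from collections import defaultdict

# The 18 "Suspicious use of WriteProcessMemory" rows as exported by the sandbox
# (three writes per child process), transcribed from this report.
WPM_ROWS = r"""
PID 3076 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\a7a18c66565bbcfaaff3bad2e21f3fe0abba16d028554f286e95570f518faac4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07163428.exe
PID 3076 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\a7a18c66565bbcfaaff3bad2e21f3fe0abba16d028554f286e95570f518faac4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07163428.exe
PID 3076 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\a7a18c66565bbcfaaff3bad2e21f3fe0abba16d028554f286e95570f518faac4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07163428.exe
PID 4844 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07163428.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75194919.exe
PID 4844 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07163428.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75194919.exe
PID 4844 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07163428.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75194919.exe
PID 516 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75194919.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i67822294.exe
PID 516 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75194919.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i67822294.exe
PID 516 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75194919.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i67822294.exe
PID 1908 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i67822294.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i77361293.exe
PID 1908 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i67822294.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i77361293.exe
PID 1908 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i67822294.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i77361293.exe
PID 4084 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i77361293.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe
PID 4084 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i77361293.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe
PID 4084 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i77361293.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe
PID 4084 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i77361293.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b43711133.exe
PID 4084 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i77361293.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b43711133.exe
PID 4084 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i77361293.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b43711133.exe
"""

ROW = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_img>C:\\\S+) (?P<dst_img>C:\\\S+)$"
)
# wextract extracts every nested package into %TEMP%\IXPnnn.TMP; the number is the stage.
STAGE_DIR = re.compile(r"\\IXP(\d{3})\.TMP\\")


def parse_rows(text):
    """Collapse repeated rows into one edge per (parent, child) plus a write count."""
    edges, counts = {}, defaultdict(int)
    for line in text.strip().splitlines():
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        key = (int(m["src"]), int(m["dst"]))
        edges[key] = (m["src_img"], m["dst_img"])
        counts[key] += 1
    return edges, dict(counts)


def build_tree(edges):
    """Return (root_pid, {parent: [children]}, {pid: image_path})."""
    children, image = defaultdict(list), {}
    for (src, dst), (src_img, dst_img) in edges.items():
        children[src].append(dst)
        image.setdefault(src, src_img)
        image[dst] = dst_img
    spawned = {dst for _, dst in edges}
    roots = [pid for pid in image if pid not in spawned]
    if len(roots) != 1:
        raise ValueError(f"expected a single root process, found {roots}")
    return roots[0], dict(children), image


def stage_of(image_path):
    """Stage number from the IXPnnn.TMP directory, or None for the submitted sample."""
    m = STAGE_DIR.search(image_path)
    return int(m.group(1)) if m else None


def chain_depth(pid, children):
    """Number of processes on the longest parent-to-leaf path starting at pid."""
    return 1 + max((chain_depth(c, children) for c in children.get(pid, [])), default=0)


def render(pid, children, image, depth=0):
    """Indented text tree, one line per process."""
    name = image[pid].rsplit("\\", 1)[-1]
    stage = stage_of(image[pid])
    label = "submitted sample" if stage is None else f"stage {stage}"
    lines = [f"{'  ' * depth}{pid}  {name}  ({label})"]
    for child in children.get(pid, []):
        lines.extend(render(child, children, image, depth + 1))
    return lines


if __name__ == "__main__":
    edges, counts = parse_rows(WPM_ROWS)
    root, children, image = build_tree(edges)
    print("\n".join(render(root, children, image)))
    print("nesting depth:", chain_depth(root, children))
```

The tree is a cheaper cross-check than the Processes list below: anything that appears there without a WriteProcessMemory edge (here sc.exe) was started in some other way and deserves a separate look.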

Processes

C:\Users\Admin\AppData\Local\Temp\a7a18c66565bbcfaaff3bad2e21f3fe0abba16d028554f286e95570f518faac4.exe

"C:\Users\Admin\AppData\Local\Temp\a7a18c66565bbcfaaff3bad2e21f3fe0abba16d028554f286e95570f518faac4.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07163428.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07163428.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75194919.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75194919.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i67822294.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i67822294.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i77361293.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i77361293.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b43711133.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b43711133.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
RU 185.161.248.73:4164 - tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
RU 185.161.248.73:4164 - tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
RU 185.161.248.73:4164 - tcp
RU 185.161.248.73:4164 - tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
RU 185.161.248.73:4164 - tcp
RU 185.161.248.73:4164 - tcp
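The network table mixes two different things: PTR (reverse) lookups sent to 8.8.8.8, recognisable by the *.in-addr.arpa names, and six direct TCP connections to 185.161.248.73:4164 that are preceded by no DNS resolution at all, i.e. a hard-coded IP:port. The following Python, added as an example and not part of the report, separates the two, recovers the addresses the PTR queries asked about (the octets are reversed in the name) and lists direct, name-less connections on non-web ports as candidate C2 endpoints. The rows are transcribed from the table with "-" marking an empty Domain column; the port heuristic is an assumption of mine, not a rule from the sandbox.

```python
import ipaddress
from collections import Counter

# Network rows transcribed from this report ("-" marks an empty Domain column).
NETWORK_ROWS = """
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
RU 185.161.248.73:4164 - tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
RU 185.161.248.73:4164 - tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
RU 185.161.248.73:4164 - tcp
RU 185.161.248.73:4164 - tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
RU 185.161.248.73:4164 - tcp
RU 185.161.248.73:4164 - tcp
"""

PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name):
    """Recover the address a reverse lookup asked about; PTR names list the octets reversed."""
    if not name.endswith(PTR_SUFFIX):
        raise ValueError(f"not a reverse-lookup name: {name}")
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 PTR name: {name}")
    return str(ipaddress.IPv4Address(".".join(reversed(octets))))


def parse_network(text):
    """Split rows into (addresses looked up via PTR, Counter of every other row)."""
    ptr_targets, connections = [], Counter()
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:            # the raw export simply omits the empty column
            country, dest, proto = parts
            domain = "-"
        else:
            raise ValueError(f"unparsed row: {line!r}")
        if domain.endswith(PTR_SUFFIX):
            ptr_targets.append(ptr_to_ip(domain))
        else:
            connections[(country, dest, domain, proto)] += 1
    return ptr_targets, connections


def candidate_c2(connections, web_ports=(80, 443)):
    """Direct TCP connections to a literal IP with no domain behind them, off the usual web ports."""
    out = []
    for (country, dest, domain, proto), n in connections.items():
        if domain != "-":
            continue                      # reached through a name; a different kind of indicator
        host, port = dest.rsplit(":", 1)
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue                      # a hostname in the destination column, not a hard-coded IP
        if proto == "tcp" and int(port) not in web_ports:
            out.append({"country": country, "ip": host, "port": int(port), "connections": n})
    return out


if __name__ == "__main__":
    ptrs, conns = parse_network(NETWORK_ROWS)
    print("PTR lookups for:", sorted(set(ptrs)))
    for c in candidate_c2(conns):
        print(f"candidate C2: {c['ip']}:{c['port']} ({c['country']}), {c['connections']} connections")
```

The recovered PTR targets are worth keeping separate from the C2 candidate when exporting indicators: they are addresses something on the box resolved backwards, not addresses the sample talked to.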

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07163428.exe

MD5 aed48dad6344e6d29d356c3cc9e0cb18
SHA1 194fa6fcb76807449aa3f254888a038c484c8e1e
SHA256 ecaf5bd51737dc5e0da230f30b6aa9255770804e4195bf91c53a3abb493d52ef
SHA512 1683d541a7e2505aa5162f15ef3e7ab9faeced27712fe383f686c7ff8ce4b1aa4c4d8b77ea53b3adf1eaf5f898c199ae83fd2329582de0aec3016df7b2eb49b7

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75194919.exe

MD5 b5981161c59380aca4ff33de28de2c83
SHA1 36b24da348c80f21aa99a2af7e992ad9df608876
SHA256 34f20ad7fcca545a786deecba411d930873c4c27e47f668ee5d216fbe1c88d01
SHA512 3f2e55f0172c6dd053ecf9091dec4b62ce0a854e982797188f8c5b658a2f6fafb88497d023e3de49f9d3d91fa37c1fe876c260cbe0ade843bc9fc2fe59846d16

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i67822294.exe

MD5 add569a4d6239e33a1660af86f5ee139
SHA1 16de3dacda504d2cc861b308f6d3b2d5c78da859
SHA256 ed74ce98f3e2106bcbb870ccc4bdbb319b7f65a2fe87ecd7b4e37dd33c29920a
SHA512 c25e225ed764d0ed52591e51d54211fa20e19b9548d19f801c16c93b17e07cd1335a73039a23238ce40322c275ced1fa86df2d2b9512d11ef1e533734022fbcf

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i77361293.exe

MD5 3b07549815d63b339d03218fb8aaff07
SHA1 30a5f89639e9fe8e676da88af69f6ca922a4f971
SHA256 64cdf8696be29ee24c2aeb48540f915fe24f30ceff5894e4500e7c45c0d7e20e
SHA512 dac0c3dfa80a0562950d6615ee1dfd763992cb77662c0b8a63cdff78d6efc18acb76449a18014acf66e0dc3ee91a793b6f3b54ded6a3d1b48a1d664d4c0cb833

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe

MD5 fa19c6001f5bbb1298c2c059a31069b1
SHA1 7a58e985705dbca888a8a3d2d961e5f2e712cb4a
SHA256 49582009d982585a066ebf64ed9e93006bbc117d3ab96e5b2c6ecbb5e6e7f1c6
SHA512 def8d8799908aeb4293575765bd4c73af8be0bcc1e7e03ec1703439b881933112c503db79411c6316b489831551c5cee11aa778c688beaaeee15d6fcbd949dcc

memory/2264-35-0x00000000022B0000-0x00000000022CA000-memory.dmp

memory/2264-36-0x0000000004B60000-0x0000000005104000-memory.dmp

memory/2264-37-0x0000000004990000-0x00000000049A8000-memory.dmp

memory/2264-63-0x0000000004990000-0x00000000049A3000-memory.dmp

memory/2264-53-0x0000000004990000-0x00000000049A3000-memory.dmp

memory/2264-65-0x0000000004990000-0x00000000049A3000-memory.dmp

memory/2264-61-0x0000000004990000-0x00000000049A3000-memory.dmp

memory/2264-59-0x0000000004990000-0x00000000049A3000-memory.dmp

memory/2264-57-0x0000000004990000-0x00000000049A3000-memory.dmp

memory/2264-55-0x0000000004990000-0x00000000049A3000-memory.dmp

memory/2264-51-0x0000000004990000-0x00000000049A3000-memory.dmp

memory/2264-49-0x0000000004990000-0x00000000049A3000-memory.dmp

memory/2264-47-0x0000000004990000-0x00000000049A3000-memory.dmp

memory/2264-45-0x0000000004990000-0x00000000049A3000-memory.dmp

memory/2264-43-0x0000000004990000-0x00000000049A3000-memory.dmp

memory/2264-41-0x0000000004990000-0x00000000049A3000-memory.dmp

memory/2264-39-0x0000000004990000-0x00000000049A3000-memory.dmp

memory/2264-38-0x0000000004990000-0x00000000049A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b43711133.exe

MD5 46725a003192b49b0ef0a4f246866fc2
SHA1 ee1e9d275b341abe4356d4237aa13a982902357d
SHA256 b99bab3adf9596c734b15db52c5846aeb328863d2b4163cde7b8f24df0c4a561
SHA512 bab655ba19ed092a6edcc245c381e8d8035e952fdbc69c636f9882ad3027b5024e948963393967acfb897059478db13019ed2de2a374766bcd0ff7fb4dcb3db7

memory/2088-70-0x0000000000160000-0x0000000000190000-memory.dmp

memory/2088-71-0x0000000004980000-0x0000000004986000-memory.dmp

memory/2088-72-0x000000000A5C0000-0x000000000ABD8000-memory.dmp

memory/2088-73-0x000000000A110000-0x000000000A21A000-memory.dmp

memory/2088-74-0x000000000A040000-0x000000000A052000-memory.dmp

memory/2088-75-0x000000000A0A0000-0x000000000A0DC000-memory.dmp

memory/2088-76-0x0000000004480000-0x00000000044CC000-memory.dmp