Malware Analysis Report

2024-12-06 02:55

Sample ID 241110-ccf7qawmft
Target 134e3927807d90757070a210e95b6094ce1a40444f7885816b464defc6403402
SHA256 134e3927807d90757070a210e95b6094ce1a40444f7885816b464defc6403402
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

134e3927807d90757070a210e95b6094ce1a40444f7885816b464defc6403402

Threat Level: Known bad

The file 134e3927807d90757070a210e95b6094ce1a40444f7885816b464defc6403402 was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Healer

Healer family

Modifies Windows Defender Real-time Protection settings

RedLine payload

Detects Healer an antivirus disabler dropper

Redline family

RedLine

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:55

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:55

Reported

2024-11-10 01:58

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\134e3927807d90757070a210e95b6094ce1a40444f7885816b464defc6403402.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\134e3927807d90757070a210e95b6094ce1a40444f7885816b464defc6403402.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un588202.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\134e3927807d90757070a210e95b6094ce1a40444f7885816b464defc6403402.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un588202.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7072.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7072.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3040 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\134e3927807d90757070a210e95b6094ce1a40444f7885816b464defc6403402.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un588202.exe
PID 3040 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\134e3927807d90757070a210e95b6094ce1a40444f7885816b464defc6403402.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un588202.exe
PID 3040 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\134e3927807d90757070a210e95b6094ce1a40444f7885816b464defc6403402.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un588202.exe
PID 3300 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un588202.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe
PID 3300 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un588202.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe
PID 3300 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un588202.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe
PID 3300 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un588202.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7072.exe
PID 3300 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un588202.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7072.exe
PID 3300 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un588202.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7072.exe

Processes

C:\Users\Admin\AppData\Local\Temp\134e3927807d90757070a210e95b6094ce1a40444f7885816b464defc6403402.exe

"C:\Users\Admin\AppData\Local\Temp\134e3927807d90757070a210e95b6094ce1a40444f7885816b464defc6403402.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un588202.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un588202.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3636 -ip 3636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7072.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7072.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un588202.exe

MD5 aecaaeac8e1c5c94e4522e291adc4e35
SHA1 7c2d438c4a297c217b6d35badde64949276fcdb7
SHA256 00168b3d564a4ec16c914d095ae8d1a1c40de7242f796051ea59096d67184715
SHA512 579bf65d6a276b3b03b77feeac7e815bc7734ce53c36c4a8faf696ec4ecc6187600ece868fdd7c0b164b85694d2b5644cf186622f20ef67500ab54ec955abe12

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe

MD5 138f6b3875d4716ddf212d6b359efb90
SHA1 4304968305e09c77e4bad1bf3cbd88a6771a268b
SHA256 c2f43c97f0a54185caad0730e22df9c7b99209b9c5cb6d4db1a2011bb4217ba3
SHA512 286b086d1428fefa71399059c3e61887bdc6dd4f0d49fa93df8a0eec0281e53f5775d628caa42e9e506728c5759b0b4cd2a307797856b3482db8878efbe21f73

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7072.exe

MD5 e94aa687b6f7be8416cb6cebabd6cb14
SHA1 517ed385661862c52fb6c116ba484bbcae749833
SHA256 e45dfb48fccc021ec9746c64a1dc8ca73fe8a74cad1f84f35a2b332746c03dae
SHA512 554ca28d2b7a28e01c5e521a6cbf46827778b31f1709e9742216c0c3e9eb5cb760050ea2d67d03f9a451df2d72a5d96b85c98580b11d13b69ba458a64c5fe2b4
