Malware Analysis Report

2024-12-06 02:55

Sample ID 241110-ccj9dawmfv
Target 42deb78c561d66d8ab9d830092da3123f6ed6caf00d5f18c561292e33b5c1d00
SHA256 42deb78c561d66d8ab9d830092da3123f6ed6caf00d5f18c561292e33b5c1d00
Tags: healer redline fud discovery dropper evasion infostealer persistence trojan

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

42deb78c561d66d8ab9d830092da3123f6ed6caf00d5f18c561292e33b5c1d00

Threat Level: Known bad

The file 42deb78c561d66d8ab9d830092da3123f6ed6caf00d5f18c561292e33b5c1d00 was found to be: Known bad.

Malicious Activity Summary

healer redline fud discovery dropper evasion infostealer persistence trojan

RedLine

Redline family

RedLine payload

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

Healer

Healer family

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:55

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:55

Reported

2024-11-10 01:58

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\42deb78c561d66d8ab9d830092da3123f6ed6caf00d5f18c561292e33b5c1d00.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf41Ho75bt95.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf41Ho75bt95.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf41Ho75bt95.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf41Ho75bt95.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf41Ho75bt95.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf41Ho75bt95.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf41Ho75bt95.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\42deb78c561d66d8ab9d830092da3123f6ed6caf00d5f18c561292e33b5c1d00.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhuD4177rU.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\42deb78c561d66d8ab9d830092da3123f6ed6caf00d5f18c561292e33b5c1d00.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhuD4177rU.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf57om03PF99.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf41Ho75bt95.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf41Ho75bt95.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf41Ho75bt95.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf57om03PF99.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\42deb78c561d66d8ab9d830092da3123f6ed6caf00d5f18c561292e33b5c1d00.exe

"C:\Users\Admin\AppData\Local\Temp\42deb78c561d66d8ab9d830092da3123f6ed6caf00d5f18c561292e33b5c1d00.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhuD4177rU.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhuD4177rU.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf41Ho75bt95.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf41Ho75bt95.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf57om03PF99.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf57om03PF99.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 193.233.20.27:4123 | N/A | tcp
RU | 193.233.20.27:4123 | N/A | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
RU | 193.233.20.27:4123 | N/A | tcp
RU | 193.233.20.27:4123 | N/A | tcp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
RU | 193.233.20.27:4123 | N/A | tcp
RU | 193.233.20.27:4123 | N/A | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhuD4177rU.exe

MD5 c45d272e9c03288c29f868654bc3dc58
SHA1 358fe619181b013e297cb59a6707137f0ab23a08
SHA256 9fb867b5cd98eb0dd0924ca8e14c5f9a1842daf0f6dfeb68c11f1f69bb04b5b0
SHA512 99c976668d00811192b467486b495b66a908cee8b27f72d585ee047d28a1023c5cbe511e1e7aedd8206583b2e417b5767987c58edee2d25a0b233eec78e23553

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf41Ho75bt95.exe

MD5 e3d7138cfc827d8e118dc9cd38ebe29f
SHA1 114737f21a5ad482ea4622c64643139805b5dd4e
SHA256 110592072c1ec7230e3b37d9aa59f99e04a64540a015d42903d5f96c3b354492
SHA512 d8df79d01af58228c4ffba79b6e74ff1621a8558be8f25106422fb235ff9455aa02a11b90846032d1403c9431f9a185709eef900f8f82a6139c978e8d4346303

memory/4164-14-0x00007FFA892F3000-0x00007FFA892F5000-memory.dmp

memory/4164-15-0x0000000000FC0000-0x0000000000FCA000-memory.dmp

memory/4164-16-0x00007FFA892F3000-0x00007FFA892F5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf57om03PF99.exe

MD5 79645f4c4f6de9b74ca0120b7a2ff217
SHA1 e093a94b5415be8ebbc90a52807b811eb339823e
SHA256 cfa90800c04f1f257f52d7f8d63b001b37796b3f1da67b271d6c76feeda8306a
SHA512 13ae7f81ffa0ff1196334f870cdcaa7ac46be0bd6de36caceda5251b77a3dac0ccc8b33dc2ec7ca4a06bb96bf5017d68ea74ba373ebcdebf0e9318bb11803cd0

memory/4916-22-0x0000000004B20000-0x0000000004B66000-memory.dmp

memory/4916-23-0x00000000073D0000-0x0000000007974000-memory.dmp

memory/4916-24-0x0000000004CB0000-0x0000000004CF4000-memory.dmp

memory/4916-28-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

memory/4916-37-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

memory/4916-89-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

memory/4916-86-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

memory/4916-84-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

memory/4916-82-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

memory/4916-80-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

memory/4916-78-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

memory/4916-76-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

memory/4916-72-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

memory/4916-70-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

memory/4916-68-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

memory/4916-66-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

memory/4916-64-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

memory/4916-62-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

memory/4916-60-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

memory/4916-58-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

memory/4916-56-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

memory/4916-54-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

memory/4916-52-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

memory/4916-50-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

memory/4916-48-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

memory/4916-44-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

memory/4916-42-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

memory/4916-41-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

memory/4916-38-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

memory/4916-34-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

memory/4916-32-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

memory/4916-30-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

memory/4916-74-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

memory/4916-46-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

memory/4916-26-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

memory/4916-25-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

memory/4916-931-0x0000000007980000-0x0000000007F98000-memory.dmp

memory/4916-932-0x0000000007FA0000-0x00000000080AA000-memory.dmp

memory/4916-933-0x0000000007300000-0x0000000007312000-memory.dmp

memory/4916-934-0x0000000007320000-0x000000000735C000-memory.dmp

memory/4916-935-0x0000000007370000-0x00000000073BC000-memory.dmp