Malware Analysis Report

2024-12-06 03:01

Sample ID 241110-cclr7sxcjb
Target 3cadeb1412038cb87c73f5a878df103d6e3cbcf7e70368b1ddea050a37f95bc6
SHA256 3cadeb1412038cb87c73f5a878df103d6e3cbcf7e70368b1ddea050a37f95bc6
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

3cadeb1412038cb87c73f5a878df103d6e3cbcf7e70368b1ddea050a37f95bc6

Threat Level: Known bad

The file 3cadeb1412038cb87c73f5a878df103d6e3cbcf7e70368b1ddea050a37f95bc6 was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Redline family

RedLine

Healer

Modifies Windows Defender Real-time Protection settings

Detects Healer, an antivirus disabler dropper

Healer family

RedLine payload

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:55

Reported

2024-11-10 01:58

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3cadeb1412038cb87c73f5a878df103d6e3cbcf7e70368b1ddea050a37f95bc6.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr793500.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr793500.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr793500.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr793500.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr793500.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr793500.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr793500.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\3cadeb1412038cb87c73f5a878df103d6e3cbcf7e70368b1ddea050a37f95bc6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijM1449.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku636586.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3cadeb1412038cb87c73f5a878df103d6e3cbcf7e70368b1ddea050a37f95bc6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijM1449.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr793500.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr793500.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr793500.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku636586.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3cadeb1412038cb87c73f5a878df103d6e3cbcf7e70368b1ddea050a37f95bc6.exe

"C:\Users\Admin\AppData\Local\Temp\3cadeb1412038cb87c73f5a878df103d6e3cbcf7e70368b1ddea050a37f95bc6.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijM1449.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijM1449.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr793500.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr793500.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku636586.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku636586.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 176.113.115.145:4125 N/A tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
RU 176.113.115.145:4125 N/A tcp
RU 176.113.115.145:4125 N/A tcp
RU 176.113.115.145:4125 N/A tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
RU 176.113.115.145:4125 N/A tcp
RU 176.113.115.145:4125 N/A tcp
US 8.8.8.8:53 N/A udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijM1449.exe

MD5 269c061be40bf72e5dbd3bb8de268247
SHA1 f64e5b35e55392fe1660f131f3fe009d9bccee86
SHA256 6124e455bd63ce14f87c0d1fde1ea6803cbb1b8b1c90dc60d985c675176da2f2
SHA512 ddde42c14999510ff8ff6d46369eabb7bbe805fec270ccdacb4eea6a149f9a7bccf965c470bc8fd33af119653fc322b49cfea08ae929fb8d3e81c8745cd7798c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr793500.exe

MD5 35c7b776264521bd51fda9105abf1923
SHA1 d700beb66e08351e9426da6abb284180c059f906
SHA256 882b0bc69eef92d84be66182f3d509dc04e158173db7695acf177d4736cddefa
SHA512 48e1cb6944e1f1ef8ce1af2b74841997162bd8c1a6a6d669af8100c978228a7a4badaf6081749ab9749222c1a58a394f15bb4b8d9bc10295723b5b7ef6103c1c

memory/1664-14-0x00007FFE57DD3000-0x00007FFE57DD5000-memory.dmp

memory/1664-15-0x0000000000AB0000-0x0000000000ABA000-memory.dmp

memory/1664-16-0x00007FFE57DD3000-0x00007FFE57DD5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku636586.exe

MD5 e2c078b911b9cac76de7be9ac1825cc2
SHA1 e1e23a45313bb6263188da66b9043ef1e915f0b7
SHA256 bb331c5b18d82bc84daa4d06ab1246d0c1fdeb83131a1ac63995ebd9d3ff810f
SHA512 8bcf57fbf5f8a94e35efc65d0b22143287b6d5f1a178e5dc7944896cf9895eb4f8e3bb182f7bc3f214b9efb4c42ac969970759cf17407c49f61ea9cc456fa1a6

memory/3360-22-0x0000000004AA0000-0x0000000004AE6000-memory.dmp

memory/3360-23-0x0000000004C00000-0x00000000051A4000-memory.dmp

memory/3360-24-0x0000000004B20000-0x0000000004B64000-memory.dmp

memory/3360-28-0x0000000004B20000-0x0000000004B5F000-memory.dmp

memory/3360-40-0x0000000004B20000-0x0000000004B5F000-memory.dmp

memory/3360-88-0x0000000004B20000-0x0000000004B5F000-memory.dmp

memory/3360-86-0x0000000004B20000-0x0000000004B5F000-memory.dmp

memory/3360-84-0x0000000004B20000-0x0000000004B5F000-memory.dmp

memory/3360-82-0x0000000004B20000-0x0000000004B5F000-memory.dmp

memory/3360-80-0x0000000004B20000-0x0000000004B5F000-memory.dmp

memory/3360-78-0x0000000004B20000-0x0000000004B5F000-memory.dmp

memory/3360-76-0x0000000004B20000-0x0000000004B5F000-memory.dmp

memory/3360-72-0x0000000004B20000-0x0000000004B5F000-memory.dmp

memory/3360-70-0x0000000004B20000-0x0000000004B5F000-memory.dmp

memory/3360-69-0x0000000004B20000-0x0000000004B5F000-memory.dmp

memory/3360-66-0x0000000004B20000-0x0000000004B5F000-memory.dmp

memory/3360-64-0x0000000004B20000-0x0000000004B5F000-memory.dmp

memory/3360-62-0x0000000004B20000-0x0000000004B5F000-memory.dmp

memory/3360-60-0x0000000004B20000-0x0000000004B5F000-memory.dmp

memory/3360-58-0x0000000004B20000-0x0000000004B5F000-memory.dmp

memory/3360-56-0x0000000004B20000-0x0000000004B5F000-memory.dmp

memory/3360-54-0x0000000004B20000-0x0000000004B5F000-memory.dmp

memory/3360-50-0x0000000004B20000-0x0000000004B5F000-memory.dmp

memory/3360-48-0x0000000004B20000-0x0000000004B5F000-memory.dmp

memory/3360-46-0x0000000004B20000-0x0000000004B5F000-memory.dmp

memory/3360-45-0x0000000004B20000-0x0000000004B5F000-memory.dmp

memory/3360-38-0x0000000004B20000-0x0000000004B5F000-memory.dmp

memory/3360-36-0x0000000004B20000-0x0000000004B5F000-memory.dmp

memory/3360-34-0x0000000004B20000-0x0000000004B5F000-memory.dmp

memory/3360-32-0x0000000004B20000-0x0000000004B5F000-memory.dmp

memory/3360-30-0x0000000004B20000-0x0000000004B5F000-memory.dmp

memory/3360-74-0x0000000004B20000-0x0000000004B5F000-memory.dmp

memory/3360-52-0x0000000004B20000-0x0000000004B5F000-memory.dmp

memory/3360-42-0x0000000004B20000-0x0000000004B5F000-memory.dmp

memory/3360-26-0x0000000004B20000-0x0000000004B5F000-memory.dmp

memory/3360-25-0x0000000004B20000-0x0000000004B5F000-memory.dmp

memory/3360-931-0x00000000051B0000-0x00000000057C8000-memory.dmp

memory/3360-932-0x00000000057D0000-0x00000000058DA000-memory.dmp

memory/3360-933-0x00000000058E0000-0x00000000058F2000-memory.dmp

memory/3360-934-0x0000000005900000-0x000000000593C000-memory.dmp

memory/3360-935-0x0000000005A40000-0x0000000005A8C000-memory.dmp