Malware Analysis Report

2024-12-06 02:55

Sample ID 241110-ccna2azmck
Target af66661f008a6ad682ced388c4d01f1f74d338d25bf76d8aa487973df7cf1374
SHA256 af66661f008a6ad682ced388c4d01f1f74d338d25bf76d8aa487973df7cf1374
Tags healer redline discovery dropper evasion infostealer persistence trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 af66661f008a6ad682ced388c4d01f1f74d338d25bf76d8aa487973df7cf1374

Threat Level: Known bad

The file af66661f008a6ad682ced388c4d01f1f74d338d25bf76d8aa487973df7cf1374 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

Redline family

RedLine

Healer family

RedLine payload

Healer

Windows security modification

Executes dropped EXE

Adds Run key to start application

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-10 01:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-10 01:56
Reported 2024-11-10 01:58
Platform win10v2004-20241007-en
Max time kernel 148s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\af66661f008a6ad682ced388c4d01f1f74d338d25bf76d8aa487973df7cf1374.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5806735.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5806735.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5806735.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5806735.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5806735.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5806735.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5806735.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5806735.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3524407.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0804301.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7422529.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\af66661f008a6ad682ced388c4d01f1f74d338d25bf76d8aa487973df7cf1374.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5300182.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\af66661f008a6ad682ced388c4d01f1f74d338d25bf76d8aa487973df7cf1374.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5300182.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3524407.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0804301.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7422529.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5806735.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6927975.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5806735.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5806735.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1492 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\af66661f008a6ad682ced388c4d01f1f74d338d25bf76d8aa487973df7cf1374.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5300182.exe
PID 5072 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5300182.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3524407.exe
PID 2756 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3524407.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0804301.exe
PID 1200 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0804301.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7422529.exe
PID 4836 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7422529.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5806735.exe
PID 4836 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7422529.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6927975.exe

Processes

C:\Users\Admin\AppData\Local\Temp\af66661f008a6ad682ced388c4d01f1f74d338d25bf76d8aa487973df7cf1374.exe
  "C:\Users\Admin\AppData\Local\Temp\af66661f008a6ad682ced388c4d01f1f74d338d25bf76d8aa487973df7cf1374.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5300182.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5300182.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3524407.exe
  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3524407.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0804301.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0804301.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7422529.exe
  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7422529.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5806735.exe
  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5806735.exe

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1940 -ip 1940

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6927975.exe
  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6927975.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FI 77.91.124.111:19069 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5300182.exe

MD5 18263ae8b0a7ae85c1f86507a24e4d4b
SHA1 928ce5dbd6c06d259bfb6a0185c71620b6117c43
SHA256 451eea66a2840ba2b25de1aec659d60d4785026dc5a4883a29c7295a51b71b3f
SHA512 f502e452234333fc051c5ef24aac76e0600bb1a8a8059f33e99a9f67c8742169cb251e15c668dd6784d4a09c23811cfe87d4bc7bf9663e1a2d53323565b6e178

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3524407.exe

MD5 033d1937a8ae44d67e69c234836a581a
SHA1 333c6bcf6bf7da369a3df82a73a7d593f4998880
SHA256 4582073d00c09e07c4af83a646a2e6d9736b45ce6e662db40f5f6ed0c80ca16e
SHA512 fa047bdec5361ad403a1b18302a09118a6d77d094a352a0f447124d330cabd32614cda991f8b8c49564d76ad79d15351f3dc7fefacc2844e9cacb3fac02a4446

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0804301.exe

MD5 62a2a033df8d6b0efd4785d8151ca5e6
SHA1 89ef183e30ab562c6f983ea141a06f9e516b3766
SHA256 e33615d7f40aa701bf3feb1d23fa957577eeeb94aa1d159cd083aefa7fd25831
SHA512 5d80d13061b90fa39d74f91daff86d616aeeeab00dc0d84479fb23ef5b3c033eac6317e04fce059914a9eeff7fcbf7a60d8883391306efe72bf481388bc3546a

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7422529.exe

MD5 ba1b64c55ee989a9ca943f1f3c7108c0
SHA1 3323f81066af9891744bec44d1b252dc4f4e7b65
SHA256 d0e82f954716f633db2ac05d91c7184f4d4178984138f7e8a6d5d9b70098f62f
SHA512 9d9c63bdf83a6215c1ce6106b81392fca791b6f828c126c0bbf0f442e361a9fe655a0d716a025d3437a1d7eb4614df902ad6750bdd7d20c00dd0c0b9bb42f0df

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5806735.exe

MD5 bd7841c4f392bcbf978eb6ee5f0ef46a
SHA1 71bd6a58bb2326a52a5a2b416bf9f768a4c9014e
SHA256 600bb9dfbcdb02b240767fea0c42ee860676ad6ff9b8fc236ccf63fc4b1d7902
SHA512 65deaf754146b1368ee12ce9344fc29b5632cfb7f74f776fd67813d95438ba5ac53051be38aae6ea1d96ea027121794d7ffa16c38b392820e037313df42cb866

memory/1940-36-0x00000000025B0000-0x00000000025CA000-memory.dmp
memory/1940-37-0x0000000004DD0000-0x0000000005374000-memory.dmp
memory/1940-38-0x0000000002940000-0x0000000002958000-memory.dmp
memory/1940-40-0x0000000002940000-0x0000000002952000-memory.dmp
memory/1940-64-0x0000000002940000-0x0000000002952000-memory.dmp
memory/1940-62-0x0000000002940000-0x0000000002952000-memory.dmp
memory/1940-66-0x0000000002940000-0x0000000002952000-memory.dmp
memory/1940-60-0x0000000002940000-0x0000000002952000-memory.dmp
memory/1940-59-0x0000000002940000-0x0000000002952000-memory.dmp
memory/1940-56-0x0000000002940000-0x0000000002952000-memory.dmp
memory/1940-54-0x0000000002940000-0x0000000002952000-memory.dmp
memory/1940-52-0x0000000002940000-0x0000000002952000-memory.dmp
memory/1940-50-0x0000000002940000-0x0000000002952000-memory.dmp
memory/1940-48-0x0000000002940000-0x0000000002952000-memory.dmp
memory/1940-46-0x0000000002940000-0x0000000002952000-memory.dmp
memory/1940-44-0x0000000002940000-0x0000000002952000-memory.dmp
memory/1940-42-0x0000000002940000-0x0000000002952000-memory.dmp
memory/1940-39-0x0000000002940000-0x0000000002952000-memory.dmp
memory/1940-67-0x0000000000400000-0x00000000006F4000-memory.dmp
memory/1940-69-0x0000000000400000-0x00000000006F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6927975.exe

MD5 9cfa1e4258a162917e818a73c5395721
SHA1 c11d6f1974b94896b3278fdc5af03755cd34df2a
SHA256 9e09af7258dfd77290db785c5e6ce606999c09987da93e7e71e6cd656f5d5306
SHA512 1bf8657f1f2dd8f99b434ce53b9b59541b345be3fe701973b66dbbb1f07452a52b338a97992b82dca85add1cb4a5ce03bff23fe01bd400e5388ebd0f158e0c6b

memory/3176-73-0x00000000002C0000-0x00000000002E8000-memory.dmp
memory/3176-74-0x00000000075B0000-0x0000000007BC8000-memory.dmp
memory/3176-75-0x0000000007020000-0x0000000007032000-memory.dmp
memory/3176-76-0x0000000007150000-0x000000000725A000-memory.dmp
memory/3176-77-0x00000000070B0000-0x00000000070EC000-memory.dmp
memory/3176-78-0x00000000044C0000-0x000000000450C000-memory.dmp