Malware Analysis Report

2024-12-06 02:55

Sample ID 241110-cd3r4sxckg
Target bd433ed8a96c6a7f0348f5e5187b5259e96d287db34d5b4593c0e51088dd4415
SHA256 bd433ed8a96c6a7f0348f5e5187b5259e96d287db34d5b4593c0e51088dd4415
Tags healer redline rosn discovery dropper evasion infostealer persistence trojan
Score 10/10


Analysis Overview

Score 10/10

SHA256 bd433ed8a96c6a7f0348f5e5187b5259e96d287db34d5b4593c0e51088dd4415

Threat Level: Known bad

The file bd433ed8a96c6a7f0348f5e5187b5259e96d287db34d5b4593c0e51088dd4415 was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

RedLine

Healer

Healer family

Redline family

RedLine payload

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:58

Reported

2024-11-10 02:01

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bd433ed8a96c6a7f0348f5e5187b5259e96d287db34d5b4593c0e51088dd4415.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr284532.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr284532.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr284532.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr284532.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr284532.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr284532.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
35 matches recorded, each with Description, Indicator, Process and Target reported as N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr284532.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\bd433ed8a96c6a7f0348f5e5187b5259e96d287db34d5b4593c0e51088dd4415.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNR9133.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNR9133.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku204590.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bd433ed8a96c6a7f0348f5e5187b5259e96d287db34d5b4593c0e51088dd4415.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr284532.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr284532.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr284532.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku204590.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bd433ed8a96c6a7f0348f5e5187b5259e96d287db34d5b4593c0e51088dd4415.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\bd433ed8a96c6a7f0348f5e5187b5259e96d287db34d5b4593c0e51088dd4415.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNR9133.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNR9133.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr284532.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr284532.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku204590.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku204590.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 176.113.115.145:4125 N/A tcp (2 connections)
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
RU 176.113.115.145:4125 N/A tcp (3 connections)
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp
RU 176.113.115.145:4125 N/A tcp (1 connection)

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNR9133.exe

MD5 026b01e6e137f2c4265ec0cfa582a5d5
SHA1 01a161497ddebd255e7de3e16486a78bfc649d8b
SHA256 b2cd976f7604c2de3e80da55750459e34942ed924fb75bba69ba4a721132234a
SHA512 8982e15fc82f2bdd1278a56a322ad9a1f419280a44652fd4fd5c2fa3d8c871ceba02d760f3c31be48d0a7ccbc4c6c203d96f73691e3ffd3a4f94ef92474af141

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr284532.exe

MD5 8ae9a28dc8e090b3f455032427e65a99
SHA1 07f120d19ec3522a9ff8ec35237d748cda1b8450
SHA256 34a987981c8737cd20c925ab2ed8df0e4977acfcf12d5432c3118cd9af7f2a05
SHA512 a192629f7f4e1136b7703c20ef3b23091f3d79e5732d870518b51167bf08ae654b64617b3ba08265c6b159de1a6fbfb0f4579292fbd07acd65144fa4c3653fd5

memory/1416-14-0x00007FFB9FF83000-0x00007FFB9FF85000-memory.dmp

memory/1416-15-0x00000000001C0000-0x00000000001CA000-memory.dmp

memory/1416-16-0x00007FFB9FF83000-0x00007FFB9FF85000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku204590.exe

MD5 d764ab131a147f5e5f337603e0349c8a
SHA1 28580698fecdefa59fe0f8645563663f38c0399e
SHA256 9c3b79afa761db065fcae65b0fdd1b08f2e253740033f7767d9985826e92bcd2
SHA512 4f5a3fc6e69c2ab636d21db2bba34b16f1f20c97391753a0a6bcc36080efe386013647c28bc676c53156a384d0ce2717df1e91e42f5fecd1e661caa4766ec3bd
