Malware Analysis Report

2024-12-06 02:55

Sample ID 241110-cdltlawmgx
Target ef3f96b3e565fe8f61c36f3b4bdb9e7c23523e9916d7c3ec7b3939cd9343da1a
SHA256 ef3f96b3e565fe8f61c36f3b4bdb9e7c23523e9916d7c3ec7b3939cd9343da1a
Tags: healer redline dona discovery dropper evasion infostealer persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256 ef3f96b3e565fe8f61c36f3b4bdb9e7c23523e9916d7c3ec7b3939cd9343da1a

Threat Level: Known bad

The file ef3f96b3e565fe8f61c36f3b4bdb9e7c23523e9916d7c3ec7b3939cd9343da1a was found to be: Known bad.

Malicious Activity Summary

healer redline dona discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Healer family

RedLine

RedLine payload

Detects Healer an antivirus disabler dropper

Redline family

Healer

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-10 01:57

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-10 01:57
Reported: 2024-11-10 02:00
Platform: win10v2004-20241007-en
Max time kernel: 142s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ef3f96b3e565fe8f61c36f3b4bdb9e7c23523e9916d7c3ec7b3939cd9343da1a.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (17 matches, all columns N/A)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7383881.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7383881.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7383881.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7383881.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7383881.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7383881.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (2 matches, all columns N/A)

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7383881.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7383881.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3891745.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\ef3f96b3e565fe8f61c36f3b4bdb9e7c23523e9916d7c3ec7b3939cd9343da1a.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7383881.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9063963.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ef3f96b3e565fe8f61c36f3b4bdb9e7c23523e9916d7c3ec7b3939cd9343da1a.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3891745.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7383881.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7383881.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7383881.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2372 wrote to memory of 4608 | N/A | C:\Users\Admin\AppData\Local\Temp\ef3f96b3e565fe8f61c36f3b4bdb9e7c23523e9916d7c3ec7b3939cd9343da1a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3891745.exe
PID 2372 wrote to memory of 4608 | N/A | C:\Users\Admin\AppData\Local\Temp\ef3f96b3e565fe8f61c36f3b4bdb9e7c23523e9916d7c3ec7b3939cd9343da1a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3891745.exe
PID 2372 wrote to memory of 4608 | N/A | C:\Users\Admin\AppData\Local\Temp\ef3f96b3e565fe8f61c36f3b4bdb9e7c23523e9916d7c3ec7b3939cd9343da1a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3891745.exe
PID 4608 wrote to memory of 1388 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3891745.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7383881.exe
PID 4608 wrote to memory of 1388 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3891745.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7383881.exe
PID 4608 wrote to memory of 1388 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3891745.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7383881.exe
PID 4608 wrote to memory of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3891745.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9063963.exe
PID 4608 wrote to memory of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3891745.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9063963.exe
PID 4608 wrote to memory of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3891745.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9063963.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ef3f96b3e565fe8f61c36f3b4bdb9e7c23523e9916d7c3ec7b3939cd9343da1a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ef3f96b3e565fe8f61c36f3b4bdb9e7c23523e9916d7c3ec7b3939cd9343da1a.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3891745.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3891745.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7383881.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7383881.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9063963.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9063963.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
CY | 217.196.96.101:4132 | | tcp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp
CY | 217.196.96.101:4132 | | tcp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
CY | 217.196.96.101:4132 | | tcp
CY | 217.196.96.101:4132 | | tcp
CY | 217.196.96.101:4132 | | tcp
CY | 217.196.96.101:4132 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3891745.exe

MD5 dc83bfd2241972336097491b2779c8d6
SHA1 055e4e55f633e108d0976270851b8dc4074a364a
SHA256 8dc59f15e26d5d29859e35d9e77b4d18b4f7720dfd132b79915174f0eb0701e7
SHA512 ea9e0f30143994de5bfd5554c8d0c47277fbadd4b8fb17e7f04160df314dc53e9c617ff7bd33ea2bd61bd625e8d9a99be91052ea0fd2e3696b4dde39f811b2cc

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7383881.exe

MD5 735ce066bad9a4c2f51109456551e31f
SHA1 b6336128780a82c226cf2e0e5b57129611a22df9
SHA256 e7ac90047a3457a52ae179cbc32d6e0480b1ee42c8deecd1cbf4ddd77501f2f9
SHA512 de4b248334a138c01d71ef7de79d36841436d406e898d58751c82f0676ede3d3247efa0c2a0f4d5d458640b6459d97391de6e331082f26964050594fe8bbd276

memory/1388-14-0x0000000073D7E000-0x0000000073D7F000-memory.dmp

memory/1388-15-0x0000000002090000-0x00000000020AA000-memory.dmp

memory/1388-16-0x0000000073D70000-0x0000000074520000-memory.dmp

memory/1388-17-0x0000000073D70000-0x0000000074520000-memory.dmp

memory/1388-18-0x0000000004AF0000-0x0000000005094000-memory.dmp

memory/1388-19-0x0000000004AC0000-0x0000000004AD8000-memory.dmp

memory/1388-47-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/1388-45-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/1388-43-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/1388-41-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/1388-39-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/1388-37-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/1388-35-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/1388-33-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/1388-31-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/1388-29-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/1388-27-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/1388-25-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/1388-23-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/1388-21-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/1388-20-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/1388-48-0x0000000073D7E000-0x0000000073D7F000-memory.dmp

memory/1388-49-0x0000000073D70000-0x0000000074520000-memory.dmp

memory/1388-51-0x0000000073D70000-0x0000000074520000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9063963.exe

MD5 74a3ff3f07aa7f8e42ac7ce50becd004
SHA1 2e763c7fb972c2d688122e6928107032e8f2671e
SHA256 7e97a254fa299e384353103239227426a612a78f8760c0e728f8ec3f86aa1fe7
SHA512 c520374679db123f389a786377429c56715b258bf6c16f8a4765c961a4fd03da1a0e889f035683ed46a0bec570ee34ab0921ce30c4996c756dfd7b998c4fd7ed

memory/1692-55-0x0000000000550000-0x0000000000580000-memory.dmp

memory/1692-56-0x0000000000EC0000-0x0000000000EC6000-memory.dmp

memory/1692-57-0x00000000055A0000-0x0000000005BB8000-memory.dmp

memory/1692-58-0x0000000005090000-0x000000000519A000-memory.dmp

memory/1692-59-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

memory/1692-60-0x0000000004CF0000-0x0000000004D2C000-memory.dmp

memory/1692-61-0x0000000004F80000-0x0000000004FCC000-memory.dmp