Malware Analysis Report

2024-12-06 03:01

Sample ID 241110-cdpv9awmgy
Target 73c08502703c77d8f1b8cebd0f77b6b2f4699114001a6e5b30bf94a62b46c8cc
SHA256 73c08502703c77d8f1b8cebd0f77b6b2f4699114001a6e5b30bf94a62b46c8cc
Tags
healer redline rumfa discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

73c08502703c77d8f1b8cebd0f77b6b2f4699114001a6e5b30bf94a62b46c8cc

Threat Level: Known bad

The file 73c08502703c77d8f1b8cebd0f77b6b2f4699114001a6e5b30bf94a62b46c8cc was found to be: Known bad.

Malicious Activity Summary

healer redline rumfa discovery dropper evasion infostealer persistence trojan

RedLine payload

Healer

Redline family

RedLine

Modifies Windows Defender Real-time Protection settings

Detects Healer, an antivirus disabler dropper

Healer family

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:57

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:57

Reported

2024-11-10 02:00

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\73c08502703c77d8f1b8cebd0f77b6b2f4699114001a6e5b30bf94a62b46c8cc.exe"

Signatures

Detects Healer, an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw41qz30FQ75.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw41qz30FQ75.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw41qz30FQ75.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw41qz30FQ75.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw41qz30FQ75.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw41qz30FQ75.exe | N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw41qz30FQ75.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\73c08502703c77d8f1b8cebd0f77b6b2f4699114001a6e5b30bf94a62b46c8cc.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vzn5108vN.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\73c08502703c77d8f1b8cebd0f77b6b2f4699114001a6e5b30bf94a62b46c8cc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vzn5108vN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tRM37KT27.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw41qz30FQ75.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw41qz30FQ75.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw41qz30FQ75.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tRM37KT27.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\73c08502703c77d8f1b8cebd0f77b6b2f4699114001a6e5b30bf94a62b46c8cc.exe

"C:\Users\Admin\AppData\Local\Temp\73c08502703c77d8f1b8cebd0f77b6b2f4699114001a6e5b30bf94a62b46c8cc.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vzn5108vN.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vzn5108vN.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw41qz30FQ75.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw41qz30FQ75.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tRM37KT27.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tRM37KT27.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 193.233.20.24:4123 | | tcp
RU | 193.233.20.24:4123 | | tcp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
RU | 193.233.20.24:4123 | | tcp
RU | 193.233.20.24:4123 | | tcp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
RU | 193.233.20.24:4123 | | tcp
RU | 193.233.20.24:4123 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vzn5108vN.exe

MD5 6f1176c5e1d945e7624a6568377e98fa
SHA1 665fd53298efe4f4ac750254c17e53440f56cbb9
SHA256 e1f2a9336395ae706cd8db604b38aa069f62fe6f08d2ab6a7439f00f445902ee
SHA512 8802ec6a56bef5e6089768b7413a1ae40ea3df3b6e19464e840128d74151ef73f3e8df630e9991a06d4e307d0e66543fa3edd4c865afb9182e59661c2a3178ad

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw41qz30FQ75.exe

MD5 8a8fc8960fa86c89634f07b1f4350809
SHA1 938652caf06e0b4aa9867279dfa133ab647d23ed
SHA256 0de60bf1fdef3af1bebbfd8c355a1252136e7b68da1c66364948195dfc20a5df
SHA512 f593348a4233bb3b17bfe2730867b2ccf73bec022f5417c6a383aacf729f9c2efbaf6196f1bfde79a03218c613fec417ef7d74dad05bd80a417676f6d5c9ce8d

memory/2216-14-0x00007FFC59F03000-0x00007FFC59F05000-memory.dmp

memory/2216-15-0x0000000000B20000-0x0000000000B2A000-memory.dmp

memory/2216-16-0x00007FFC59F03000-0x00007FFC59F05000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tRM37KT27.exe

MD5 8543cf3384382f56703a6ee451ac68f3
SHA1 353211899c2c986e0d038a11f566e02e3113e113
SHA256 2f1d315d7594bdb561cc82a3e1893703535688dff362e547d1e0ce98362c0acf
SHA512 609055d116696778d46331609f81697e5b01e34bc70e3ddbd9a27a23f5024ed37902c38ee329e05c29e06422e9352ebb266e9f260cafad9e20f2b262248f4186
