Malware Analysis Report

2024-12-06 03:01

Sample ID 241110-ce42kazmfm
Target 2417a8e814cee5d7dbd299025639d3fd98bf708b309c2e47bca8b8c4e450aa31
SHA256 2417a8e814cee5d7dbd299025639d3fd98bf708b309c2e47bca8b8c4e450aa31
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2417a8e814cee5d7dbd299025639d3fd98bf708b309c2e47bca8b8c4e450aa31

Threat Level: Known bad

The file 2417a8e814cee5d7dbd299025639d3fd98bf708b309c2e47bca8b8c4e450aa31 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Healer family

Redline family

Healer

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

RedLine payload

RedLine

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 02:00

Signatures

Unsigned PE: the sample carries no Authenticode signature. No further description, indicator, process or target is recorded for this static match.

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 02:00

Reported

2024-11-10 02:02

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2417a8e814cee5d7dbd299025639d3fd98bf708b309c2e47bca8b8c4e450aa31.exe"

Signatures

Detects Healer an antivirus disabler dropper

17 matches recorded; the report gives no description, indicator, process or target for any of them.

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Process: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr397687.exe (no target recorded)
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
Values set (int) under that key, each to 1:
DisableBehaviorMonitoring
DisableIOAVProtection
DisableOnAccessProtection
DisableRealtimeMonitoring
DisableScanOnRealtimeEnable

These are the same policy values Group Policy writes to turn off behavior monitoring, download and attachment (IOAV) scanning, on-access scanning and real-time monitoring. Two caveats before reading this as "Defender was disabled": the sandbox records the registry writes, not their effect, and on a Windows 10 host with Tamper Protection on, Defender ignores changes to these values. The path is the 32-bit process's view of the registry. HKLM\SOFTWARE\Policies is one of the keys WOW64 shares between the 32-bit and 64-bit views, so a hunt for this behaviour should query both the native path and the WOW6432Node path.

RedLine

infostealer redline

RedLine payload

20 matches recorded; the report gives no description, indicator, process or target for any of them.

Redline family

redline

Windows security modification

evasion trojan
Process: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr397687.exe (no target recorded)
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
Value set (int): TamperProtection = 0

This is an attempt to switch Tamper Protection off by writing the very value it protects. On a host where Tamper Protection is enabled the write has no lasting effect (preventing exactly this is the feature's purpose), and because the write landed in the WOW6432Node view rather than the native HKLM\SOFTWARE\Microsoft\Windows Defender key, the 64-bit Defender service would not read it in any case. Treat the write as evidence of intent, not as evidence that the protection was removed.

Adds Run key to start application

persistence
Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (values set as str; no target recorded)
wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"", written by C:\Users\Admin\AppData\Local\Temp\2417a8e814cee5d7dbd299025639d3fd98bf708b309c2e47bca8b8c4e450aa31.exe
wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"", written by C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un399513.exe
wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"", written by C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un197569.exe

The signature name overstates this. wextract_cleanupN values, IXP00N.TMP folders and rundll32 advpack.dll,DelNodeRunDLL32 are the fingerprint of IExpress (wextract.exe) self-extracting packages: each RunOnce value deletes that layer's extraction folder at the next logon and runs nothing else. What the three values do tell you is the packaging: the sample is three nested self-extractors (the sample, then un399513.exe, then un197569.exe), the last of which drops pr397687.exe and qu246166.exe into IXP002.TMP. This report records no other persistence mechanism.
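The three registry signatures above (Real-Time Protection policy values, the TamperProtection write, and the RunOnce cleanup entries) are easy to confuse when they arrive as raw registry telemetry. The following is an added example, not code from the sandbox or from the samples: it classifies (process, key, value name, data) records of the shape a Sysmon Event ID 13 or EDR registry-write event carries. The records in SAMPLE_EVENTS are transcribed from this report except the last, which is a constructed control. Key paths are normalized so the WOW6432Node view and the native view of a key hit the same rule, and the view is reported separately because it decides whether the 64-bit Defender service ever reads the value. The DisableAntiSpyware rule is a generalization; this report does not show that value.

```python
"""Classify registry writes as Defender tampering, SFX cleanup or autorun persistence.

Added example for this report, not the sandbox's own code. Rows are transcribed
from the report except the final constructed control.
"""
import re
from typing import Optional

# Real-Time Protection policy values that switch a component off when set to 1.
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring", "DisableIOAVProtection", "DisableOnAccessProtection",
    "DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable",
}
# IExpress/wextract self-extractors register this to delete their IXP00n.TMP
# staging folder at next logon: packaging noise, not payload persistence.
SFX_CLEANUP = re.compile(r"advpack\.dll,DelNodeRunDLL32", re.I)
AUTORUN_KEY = re.compile(r"\\currentversion\\run(once)?$")


def normalize_key(path: str) -> str:
    """Map \\REGISTRY\\MACHINE\\... or HKEY_LOCAL_MACHINE\\... to lower-case hklm\\...
    with any WOW6432Node component removed."""
    p = path.strip("\\")
    p = re.sub(r"^(REGISTRY\\MACHINE|HKEY_LOCAL_MACHINE)\\", r"HKLM\\", p, flags=re.I)
    p = re.sub(r"\\WOW6432Node(?=\\)", "", p, flags=re.I)
    return p.lower()


def classify_registry_write(process: str, key: str, name: str, data) -> Optional[dict]:
    """Return a tagged hit for a security-relevant write, or None."""
    k = normalize_key(key)
    wow64_view = "wow6432node" in key.lower()
    value = str(data)
    tag = None
    if k.endswith(r"\policies\microsoft\windows defender\real-time protection"):
        if name in RTP_DISABLE_VALUES and value == "1":
            tag = "defender_rtp_policy_disable"
    elif k.endswith(r"\policies\microsoft\windows defender"):
        if name == "DisableAntiSpyware" and value == "1":  # generalization, not in this report
            tag = "defender_disable_antispyware"
    elif k.endswith(r"\microsoft\windows defender\features"):
        if name == "TamperProtection" and value == "0":
            tag = "defender_tamper_protection_off"
    elif AUTORUN_KEY.search(k):
        tag = "sfx_cleanup" if SFX_CLEANUP.search(value) else "autorun_persistence"
    if tag is None:
        return None
    # A Defender write that only reached the WOW6432Node view of a non-shared key
    # is not read by the 64-bit service; surface the view so the analyst can weigh it.
    return {"tag": tag, "process": process, "value": name, "wow64_view": wow64_view}


def scan(events):
    """Apply classify_registry_write to each (process, key, name, data) record."""
    return [h for h in (classify_registry_write(*e) for e in events) if h]


PR = r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr397687.exe"
UN1 = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un197569.exe"
RTP_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
SAMPLE_EVENTS = [
    (PR, RTP_KEY, "DisableBehaviorMonitoring", 1),
    (PR, RTP_KEY, "DisableIOAVProtection", 1),
    (PR, RTP_KEY, "DisableOnAccessProtection", 1),
    (PR, RTP_KEY, "DisableRealtimeMonitoring", 1),
    (PR, RTP_KEY, "DisableScanOnRealtimeEnable", 1),
    (PR, r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features", "TamperProtection", 0),
    (UN1, r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce", "wextract_cleanup2",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"'),
    # Constructed control: a genuine autorun entry under the native Run key.
    (r"C:\Windows\explorer.exe", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"C:\Users\Admin\AppData\Roaming\updater.exe"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Run against the transcribed rows this yields five defender_rtp_policy_disable hits and one defender_tamper_protection_off hit, all flagged wow64_view, one sfx_cleanup for the wextract entry, and autorun_persistence only for the constructed control.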

System Location Discovery: System Language Discovery

discovery
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (no target recorded), by each of:
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr397687.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu246166.exe
C:\Users\Admin\AppData\Local\Temp\2417a8e814cee5d7dbd299025639d3fd98bf708b309c2e47bca8b8c4e450aa31.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un399513.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un197569.exe

Every process in the chain, including the self-extractor layers, opened this key, so on its own it is a weak signal: ordinary runtime initialization reads it too. It only becomes meaningful when a payload reads the value and changes behaviour on particular locales, and nothing in this report shows that.

Suspicious behavior: EnumeratesProcesses

Process: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr397687.exe (2 occurrences; no description, indicator or target recorded)

Suspicious use of AdjustPrivilegeToken

Token: SeDebugPrivilege, adjusted by C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr397687.exe
Token: SeDebugPrivilege, adjusted by C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu246166.exe
(no indicator or target recorded)

Suspicious use of WriteProcessMemory

The report lists three writes for each parent/child pair; they are collapsed here, with the writer first and the process written to second.
PID 4508 (C:\Users\Admin\AppData\Local\Temp\2417a8e814cee5d7dbd299025639d3fd98bf708b309c2e47bca8b8c4e450aa31.exe) -> PID 2964 (C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un399513.exe), 3 writes
PID 2964 (C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un399513.exe) -> PID 4528 (C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un197569.exe), 3 writes
PID 4528 (C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un197569.exe) -> PID 2904 (C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr397687.exe), 3 writes
PID 4528 (C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un197569.exe) -> PID 2028 (C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu246166.exe), 3 writes

Every write goes from a process to one it had just started, and no process writes into a process it did not spawn. That is the pattern the sandbox records for ordinary process creation by each self-extractor layer, not injection into a foreign process; the value of these rows is that they give the parent/child PIDs the rest of the report leaves out.

Processes

PIDs are taken from the WriteProcessMemory and WerFault rows of this report; indentation shows which process started which.

C:\Users\Admin\AppData\Local\Temp\2417a8e814cee5d7dbd299025639d3fd98bf708b309c2e47bca8b8c4e450aa31.exe (PID 4508)
command line: "C:\Users\Admin\AppData\Local\Temp\2417a8e814cee5d7dbd299025639d3fd98bf708b309c2e47bca8b8c4e450aa31.exe"
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un399513.exe (PID 2964)
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un197569.exe (PID 4528)
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr397687.exe (PID 2904; the Healer component, the process behind the Defender registry writes)
                C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2904 -ip 2904
                C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 1084
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu246166.exe (PID 2028; the other payload dropped by the last self-extractor and, by elimination, the RedLine component)

Both WerFault.exe command lines carry -p 2904, so the "Program crash" tag refers to pr397687.exe: the Healer component crashed during the run. The report records no parent for the WerFault instances; they are placed under the crashed process only for readability. The memory dumps listed under Files follow the same split: indices up to 55 for PID 2904, indices up to 858 for PID 2028.
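The process tree above was reconstructed by hand from the WriteProcessMemory rows and the WerFault command lines. The following added example (not the sandbox's code) does the same mechanically, so it can be reused on other reports of this format. It assumes the report's own "PID A wrote to memory of B N/A <source> <target>" row shape, treats the first process that writes into a PID as that PID's creator, reads WerFault's -p argument as the crashed PID, and reports any writer that is not the creator as a cross-process write, which is the injection case that does not occur in this detonation. The rows are transcribed from this report.

```python
"""Rebuild a process chain from sandbox WriteProcessMemory rows and WerFault command lines.

Added example for this report, not the sandbox's own code. Rows are transcribed
from the report; the row shape and the "first writer is the creator" rule are
assumptions about this report format.
"""
import re

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
WERFAULT_RE = re.compile(r"WerFault\.exe\b.*?-p (\d+)")

T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = T + r"\2417a8e814cee5d7dbd299025639d3fd98bf708b309c2e47bca8b8c4e450aa31.exe"
UN0 = T + r"\IXP000.TMP\un399513.exe"
UN1 = T + r"\IXP001.TMP\un197569.exe"
PR = T + r"\IXP002.TMP\pr397687.exe"
QU = T + r"\IXP002.TMP\qu246166.exe"

# The 12 rows of the "Suspicious use of WriteProcessMemory" table (3 per pair).
WPM_ROWS = (
    [f"PID 4508 wrote to memory of 2964 N/A {SAMPLE} {UN0}"] * 3
    + [f"PID 2964 wrote to memory of 4528 N/A {UN0} {UN1}"] * 3
    + [f"PID 4528 wrote to memory of 2904 N/A {UN1} {PR}"] * 3
    + [f"PID 4528 wrote to memory of 2028 N/A {UN1} {QU}"] * 3
)
# Command lines from the Processes section that name a crashed PID.
COMMAND_LINES = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2904 -ip 2904",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 1084",
]


def parse_writes(rows):
    """Return (image_by_pid, parent_by_pid, writes_by_pair, foreign_writes).

    foreign_writes lists (writer, target) pairs where the writer is not the
    process recorded as the target's creator, i.e. a cross-process write.
    """
    image, parent, writes, foreign = {}, {}, {}, []
    for row in rows:
        m = WPM_RE.match(row.strip())
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        image.setdefault(src, m.group(3))
        image.setdefault(dst, m.group(4))
        parent.setdefault(dst, src)
        if parent[dst] != src and (src, dst) not in foreign:
            foreign.append((src, dst))
        writes[(src, dst)] = writes.get((src, dst), 0) + 1
    return image, parent, writes, foreign


def crashed_pids(command_lines):
    """PIDs named by WerFault -p on the given command lines."""
    found = set()
    for cl in command_lines:
        m = WERFAULT_RE.search(cl)
        if m:
            found.add(int(m.group(1)))
    return found


def render_tree(image, parent, writes, crashed):
    """Indented process tree, one line per PID, roots first, children by PID."""
    children = {}
    for pid, ppid in parent.items():
        children.setdefault(ppid, []).append(pid)
    lines = []

    def walk(pid, depth):
        name = image[pid].rsplit("\\", 1)[-1]
        note = ""
        if pid in parent:
            note += f", {writes[(parent[pid], pid)]} writes from parent"
        if pid in crashed:
            note += ", crashed (WerFault -p)"
        lines.append("    " * depth + f"{name} (PID {pid}{note})")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    for root in [p for p in image if p not in parent]:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    img, par, wr, foreign = parse_writes(WPM_ROWS)
    print("\n".join(render_tree(img, par, wr, crashed_pids(COMMAND_LINES))))
    print("cross-process writes:", foreign or "none")
```

On this report the tree has five lines rooted at PID 4508, pr397687.exe (PID 2904) is marked crashed, and the cross-process list is empty; feeding it a row where, say, PID 2028 writes into PID 2904 would surface that pair as the injection case.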

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
RU 185.161.248.153:38452 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
RU 185.161.248.153:38452 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
RU 185.161.248.153:38452 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 185.161.248.153:38452 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
RU 185.161.248.153:38452 tcp
RU 185.161.248.153:38452 tcp
RU 185.161.248.153:38452 tcp
US 8.8.8.8:53 udp

Rows with an empty Domain column are connections for which the sandbox recorded no name. Two things to read out of this table. First, every DNS row is a reverse (PTR) lookup: a name of the form d.c.b.a.in-addr.arpa asks for the hostname of a.b.c.d, so the addresses being looked up are 8.8.8.8, 52.167.17.97, 20.190.159.68, 199.232.214.172, 192.229.221.95, 20.106.86.13, 52.149.20.212, 13.95.31.18, 52.140.118.28, 199.232.210.172 and 52.111.243.30. The report does not say which process issued them, they are not forward resolutions of a command-and-control name, and the addresses look like the cloud and CDN ranges Windows itself talks to; do not promote them to indicators without process attribution. Second, the only non-DNS destination is 185.161.248.153 on TCP port 38452, contacted seven times with no name and no process recorded. It is the one candidate for a command-and-control channel in this detonation and the indicator worth blocking and hunting on.
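The observations above (PTR names decoded back to addresses, resolver traffic separated from direct connections, a single repeated TCP destination) are mechanical, so the following added example (not the sandbox's code) performs them over the Network rows transcribed from this report. It also goes a step beyond the table by dropping private, loopback and link-local addresses, which on a different report would be sandbox-internal noise; the row shape "Country Destination [Domain] Proto" with a possibly absent Domain is an assumption about this report format.

```python
"""Turn a sandbox Network table into checkable indicators.

Added example for this report, not the sandbox's own code. Rows are transcribed
from the report's Network section; blank Domain cells stay blank.
"""
import ipaddress
import re
from collections import Counter

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.I)

NETWORK_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
RU 185.161.248.153:38452 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
RU 185.161.248.153:38452 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
RU 185.161.248.153:38452 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 185.161.248.153:38452 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
RU 185.161.248.153:38452 tcp
RU 185.161.248.153:38452 tcp
RU 185.161.248.153:38452 tcp
US 8.8.8.8:53 udp
""".strip().splitlines()


def ptr_to_ip(name):
    """'97.17.167.52.in-addr.arpa' -> '52.167.17.97'; None for non-PTR names."""
    m = PTR_RE.match(name.strip())
    return ".".join(reversed(m.groups())) if m else None


def parse_row(row):
    """Split a 'Country Destination [Domain] Proto' row; Domain may be absent."""
    parts = row.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        (country, dest, proto), domain = parts, ""
    else:
        raise ValueError(f"unexpected row: {row!r}")
    host, port = dest.rsplit(":", 1)
    return {"country": country, "ip": host, "port": int(port), "domain": domain, "proto": proto}


def extract_iocs(rows):
    """Group rows into resolvers, decoded PTR targets, forward lookups and direct connections."""
    out = {"resolvers": set(), "ptr_targets": Counter(), "forward_lookups": Counter(),
           "unnamed_dns": 0, "direct": Counter()}
    for row in rows:
        r = parse_row(row)
        if r["port"] == 53:
            out["resolvers"].add(r["ip"])
            if not r["domain"]:
                out["unnamed_dns"] += 1
                continue
            ip = ptr_to_ip(r["domain"])
            if ip:
                out["ptr_targets"][ip] += 1          # what the PTR query was really about
            else:
                out["forward_lookups"][r["domain"].rstrip(".")] += 1
        else:
            out["direct"][(r["ip"], r["port"], r["proto"])] += 1
    return out


def public_only(addresses):
    """Drop RFC 1918, loopback and link-local addresses (sandbox-internal noise)."""
    return sorted(a for a in addresses if ipaddress.ip_address(a).is_global)


if __name__ == "__main__":
    iocs = extract_iocs(NETWORK_ROWS)
    for (ip, port, proto), n in iocs["direct"].items():
        print(f"direct {ip}:{port}/{proto} x{n}")
    print("PTR targets:", public_only(iocs["ptr_targets"]))
```

For this report the direct-connection counter holds exactly one entry, 185.161.248.153:38452/tcp seen seven times, the resolver set is {8.8.8.8}, eleven distinct PTR targets are decoded and one DNS row has no name; the forward-lookup counter stays empty, which is itself a finding.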

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un399513.exe

MD5 bbec4c4b031421c917e2b28b7d83e09a
SHA1 d2c8e7bf05c05d3a230a3f29086f479e7242fe7f
SHA256 d4480d6a9599a51bf6e250e081ad0de54503a189e518c0b0c5b6a308f2f336d9
SHA512 4cc8e2381d204a601c2031de3e975a5d15301e628149d8631c7742ac3356c3eaf2f047c1abdbee4118b58105d5dcc34a0c1a190e27af7eb558aeff83cfe70154

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un197569.exe

MD5 886c19f67c9c642f5683afd778374842
SHA1 fd5fc66c9af0ec38b7810a090719099cb9db4d5c
SHA256 07c7e0cc2829eaa6296c50921e311174d4da226f339e85d47d3f6eee724f397a
SHA512 a5784c411f063dc91551e99709465552398ce00222521f368f2cd7ddfdd4f1421c61b16e30fef1488ffb86fd1354fe363c8595f6b03ccc2460315ca9d3fe089d

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr397687.exe

MD5 8284f4f6fa402ced9ddb6bcf04b0ae28
SHA1 9236c2ff982b93dbc229c59bba71f87fcace5acb
SHA256 4baa89759582feee441604930e16325a8b3dc4a692ba6b373ef7446760820def
SHA512 9371b15ef214240c017cbcc67a57fcc5e874fb4f09b6412b9993db949b3c3d460cda5b9b91a0560b46de6099f110c189945dc52ccf3cc7c35da816a66ba346d5

Memory dumps of PID 2904 (pr397687.exe):
memory/2904-22: 0x0000000004780000-0x000000000479A000
memory/2904-23: 0x0000000007460000-0x0000000007A04000
memory/2904-24: 0x00000000049E0000-0x00000000049F8000
memory/2904-25, -26, -28, -30, -32, -34, -36, -38, -40, -42, -44, -46, -48, -50, -52: 0x00000000049E0000-0x00000000049F2000 (15 snapshots of the same region)
memory/2904-53: 0x0000000000400000-0x0000000002BB4000

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu246166.exe

MD5 4ee096d45f139878bb56b291ce209ad7
SHA1 12b27029c55cd70c81e1ce707378c38c90a954aa
SHA256 301c1da7583c8b2be0d6b9cf1f0d48db6899d835fe86160834e187e703172ab7
SHA512 90982ff357128ab7d2c1d961849b9050cf038433b25adc7c0ea2986ff38f8338cf6272cbf9c263639c9214d68a42d44d5d13b733a9d21c287a0465447db9b1da

memory/2904-55: 0x0000000000400000-0x0000000002BB4000 (PID 2904, pr397687.exe)

Memory dumps of PID 2028 (qu246166.exe):
memory/2028-60: 0x00000000048D0000-0x000000000490C000
memory/2028-61: 0x0000000004DB0000-0x0000000004DEA000
memory/2028-62, -63, -65, -67, -69, -71, -73, -75, -77, -79, -81, -83, -85, -87, -89, -91, -93, -95: 0x0000000004DB0000-0x0000000004DE5000 (18 snapshots of the same region)
memory/2028-854: 0x0000000009CF0000-0x000000000A308000
memory/2028-855: 0x000000000A350000-0x000000000A362000
memory/2028-856: 0x000000000A370000-0x000000000A47A000
memory/2028-857: 0x000000000A4A0000-0x000000000A4DC000
memory/2028-858: 0x0000000004A80000-0x0000000004ACC000