Malware Analysis Report

2024-12-06 02:55

Sample ID 241110-ce738awncs
Target b738ba17caeb684a287e8eeef06b58491ec4f5884638f5ece5c2c3ff3402ad31
SHA256 b738ba17caeb684a287e8eeef06b58491ec4f5884638f5ece5c2c3ff3402ad31
Tags
healer redline maxbi discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b738ba17caeb684a287e8eeef06b58491ec4f5884638f5ece5c2c3ff3402ad31

Threat Level: Known bad

The file b738ba17caeb684a287e8eeef06b58491ec4f5884638f5ece5c2c3ff3402ad31 was found to be: Known bad.

Malicious Activity Summary

healer redline maxbi discovery dropper evasion infostealer persistence trojan

Healer family

RedLine

Redline family

Healer

RedLine payload

Modifies Windows Defender Real-time Protection settings

Detects Healer, an antivirus-disabler dropper

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Enterprise Matrix V15 (the interactive matrix is not reproduced here; the techniques below follow directly from the signature names in the behavioral analysis)

T1562.001 Impair Defenses: Disable or Modify Tools (Windows Defender Real-time Protection and Tamper Protection registry writes)
T1112 Modify Registry
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (RunOnce entries)
T1614.001 System Location Discovery: System Language Discovery (reads of the NLS\Language key)

Analysis: static1

Detonation Overview

Reported

2024-11-10 02:00

Signatures

Unsigned PE

Description Indicator Process Target
(no rows: the static pass records only that the sample carries no Authenticode signature)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 02:00

Reported

2024-11-10 02:03

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b738ba17caeb684a287e8eeef06b58491ec4f5884638f5ece5c2c3ff3402ad31.exe"

Signatures

Detects Healer, an antivirus-disabler dropper

Description Indicator Process Target
(17 matches recorded; no description, indicator, process or target is given for any of them)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe N/A

All five writes come from a88506369.exe, the same fourth-stage process that later sets TamperProtection to 0, enumerates processes and takes SeDebugPrivilege. They target the registry values behind the Real-time Protection group policies, written from a 32-bit process and therefore landing in the WOW6432Node view. The sandbox records the attempted writes only: on a host where Tamper Protection is enabled, Defender does not honour registry changes to these settings, so the rows show intent rather than a confirmed loss of real-time protection.

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(2 matches recorded; no description, indicator, process or target is given)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe N/A

This write attempts to switch Tamper Protection off by editing the registry, which is precisely the kind of change Tamper Protection exists to block when it is on; treat the row as an indicator of the technique, not as proof that the guest's protection was lowered.
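Detection logic for the two Defender-tampering signatures above, run over event lines constructed from this report's own rows. This is an added example, not Tria.ge, Healer or RedLine code; the svchost.exe line is a hypothetical benign write included to show the rule does not fire on it, and the rule names and the HKLM canonical form are the author's choices.

```python
"""Flag Windows Defender tampering in sandbox registry-write events.

Added example for this report, not Tria.ge, Healer or RedLine code. The
event lines are constructed from the report's own Defender rows plus one
hypothetical benign write (svchost.exe) that the rule must ignore.
"""
import re
from collections import Counter

EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" C:\Windows\System32\svchost.exe
"""

# One sandbox row: Set value (<type>) <key>\<name> = "<data>" <process>.
# Process paths in this report contain no spaces, so a lazy key match
# followed by a non-space process path is unambiguous.
ROW = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = "(?P<data>[^"]*)" (?P<proc>\S+)$')

RTP_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring", "DisableIOAVProtection",
    "DisableOnAccessProtection", "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}
FEATURES_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features"


def normalize_key(path):
    """Split a native registry path into (key, value name), folding the
    kernel prefix and the 32-bit redirected view into one canonical form so
    the rule fires whether a 32- or 64-bit process did the write."""
    key, _, name = path.rpartition("\\")
    key = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", key, flags=re.I)
    key = re.sub(r"^HKLM\\SOFTWARE\\WOW6432Node\\", r"HKLM\\SOFTWARE\\", key, flags=re.I)
    return key, name


def classify(key, name, data):
    """Return a rule tag for a Defender-weakening write, else None."""
    if key.lower() == RTP_KEY.lower() and name in RTP_DISABLE_VALUES and data == "1":
        return "defender_realtime_protection_disabled"
    if key.lower() == FEATURES_KEY.lower() and name == "TamperProtection" and data == "0":
        return "defender_tamper_protection_off"
    return None


def scan(events):
    """Return (rule, process, value name) for every matching event line."""
    findings = []
    for line in events.strip().splitlines():
        m = ROW.match(line)
        if not m:
            continue
        key, name = normalize_key(m["path"])
        rule = classify(key, name, m["data"])
        if rule:
            findings.append((rule, m["proc"], name))
    return findings


def summarize(findings):
    """Count rule hits per process, the shape an alert would carry."""
    return Counter((proc, rule) for rule, proc, _ in findings)


if __name__ == "__main__":
    for (proc, rule), n in summarize(scan(EVENTS)).items():
        print(f"{proc}: {rule} x{n}")
```

The normalisation step is the part that matters in practice: a 32-bit dropper on 64-bit Windows writes under WOW6432Node, as this sample did, and a rule keyed on the bare HKLM\SOFTWARE\Policies path would miss it. The same canonical form also covers EDR telemetry that reports keys as HKLM\... rather than \REGISTRY\MACHINE\....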

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\b738ba17caeb684a287e8eeef06b58491ec4f5884638f5ece5c2c3ff3402ad31.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07165178.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i02731761.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i04424487.exe N/A

These four RunOnce values are not a launcher for the malware. A wextract_cleanupN value running rundll32 advpack.dll,DelNodeRunDLL32 is the cleanup entry written by wextract.exe, the Windows self-extractor behind IExpress packages: at the next logon each one deletes the listed IXP00N.TMP directory. What the rows do establish is four nested self-extracting stages, each IXP folder's cleanup entry being written by the executable extracted in the previous one (the sample writes cleanup0 for IXP000.TMP, i07165178.exe from IXP000.TMP writes cleanup1 for IXP001.TMP, and so on to cleanup3).

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07165178.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i02731761.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i04424487.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b90751529.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b738ba17caeb684a287e8eeef06b58491ec4f5884638f5ece5c2c3ff3402ad31.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1560 wrote to memory of 1104 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\b738ba17caeb684a287e8eeef06b58491ec4f5884638f5ece5c2c3ff3402ad31.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07165178.exe
PID 1104 wrote to memory of 1556 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07165178.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i02731761.exe
PID 1556 wrote to memory of 1608 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i02731761.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i04424487.exe
PID 1608 wrote to memory of 4444 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i04424487.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe
PID 1608 wrote to memory of 4244 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i04424487.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b90751529.exe

Each parent writes three times into its child; read together with the paths, the rows give the whole chain: the sample (PID 1560) -> i07165178.exe (1104) -> i02731761.exe (1556) -> i04424487.exe (1608), which then writes into both fourth-stage payloads, a88506369.exe (4444) and b90751529.exe (4244).
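The chain can be rebuilt mechanically from the rows above together with the RunOnce entries. The following added example (not Tria.ge code) does that: it collapses the triplicated write events into per-edge counts, walks the tree from the root PID, and matches each wextract_cleanupN entry to the IXP folder it deletes. Both inputs are constructed from this report's own rows.

```python
"""Rebuild the dropper chain from sandbox WriteProcessMemory and RunOnce rows.

Added example for this report, not Tria.ge code. WPM_ROWS and RUNONCE_ROWS
are constructed from the report's own tables.
"""
import ntpath
import re
from collections import defaultdict

WPM_ROWS = r"""
PID 1560 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\b738ba17caeb684a287e8eeef06b58491ec4f5884638f5ece5c2c3ff3402ad31.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07165178.exe
PID 1560 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\b738ba17caeb684a287e8eeef06b58491ec4f5884638f5ece5c2c3ff3402ad31.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07165178.exe
PID 1560 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\b738ba17caeb684a287e8eeef06b58491ec4f5884638f5ece5c2c3ff3402ad31.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07165178.exe
PID 1104 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07165178.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i02731761.exe
PID 1104 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07165178.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i02731761.exe
PID 1104 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07165178.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i02731761.exe
PID 1556 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i02731761.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i04424487.exe
PID 1556 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i02731761.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i04424487.exe
PID 1556 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i02731761.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i04424487.exe
PID 1608 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i04424487.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe
PID 1608 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i04424487.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe
PID 1608 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i04424487.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe
PID 1608 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i04424487.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b90751529.exe
PID 1608 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i04424487.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b90751529.exe
PID 1608 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i04424487.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b90751529.exe
"""

RUNONCE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\b738ba17caeb684a287e8eeef06b58491ec4f5884638f5ece5c2c3ff3402ad31.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07165178.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i02731761.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i04424487.exe N/A
"""

WPM = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_path>\S+) (?P<dst_path>\S+)$")
RUNONCE = re.compile(r'RunOnce\\wextract_cleanup(?P<n>\d+) = "(?P<cmd>.*)" (?P<proc>\S+)(?: N/A)?$')
STAGE = re.compile(r"IXP(\d{3})\.TMP")  # wextract names its temp folders IXP000.TMP, IXP001.TMP, ...


def build_tree(rows):
    """children[parent][child] = number of write events; image[pid] = path."""
    children = defaultdict(lambda: defaultdict(int))
    image = {}
    for line in rows.strip().splitlines():
        m = WPM.match(line)
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        children[src][dst] += 1
        image[src], image[dst] = m["src_path"], m["dst_path"]
    return children, image


def roots(children):
    """PIDs that write to others but were never written to: the sample itself."""
    return set(children) - {c for kids in children.values() for c in kids}


def chains(children, pid):
    """Every root-to-leaf PID path below pid, depth first."""
    if pid not in children:
        return [[pid]]
    return [[pid] + tail for child in children[pid] for tail in chains(children, child)]


def leaf_images(children, image):
    """Basenames of the final payloads, i.e. processes that write to nothing."""
    return {ntpath.basename(image[chain[-1]])
            for root in roots(children) for chain in chains(children, root)}


def stage_of(path):
    """Extraction stage from the IXP00N.TMP folder in a path, or None."""
    m = STAGE.search(path)
    return int(m.group(1)) if m else None


def cleanup_stages(rows):
    """wextract_cleanupN -> stage folder that RunOnce entry deletes at next logon."""
    out = {}
    for line in rows.strip().splitlines():
        m = RUNONCE.search(line)
        if m:
            folder = STAGE.search(m["cmd"])
            out[int(m["n"])] = int(folder.group(1)) if folder else None
    return out


def render(children, image):
    """Human-readable chain lines such as 'i07165178.exe (1104) -> ...'."""
    return [" -> ".join(f"{ntpath.basename(image[p])} ({p})" for p in chain)
            for root in sorted(roots(children)) for chain in chains(children, root)]


if __name__ == "__main__":
    tree, image = build_tree(WPM_ROWS)
    for line in render(tree, image):
        print(line)
    print("cleanup entry -> IXP stage:", cleanup_stages(RUNONCE_ROWS))
```

Collapsing the duplicate events into counts is what makes the output readable; the count itself (three writes per child here) is worth keeping in the output, since a parent that writes far more into a child than its siblings do is usually the one doing real injection rather than plain process creation.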

Processes

C:\Users\Admin\AppData\Local\Temp\b738ba17caeb684a287e8eeef06b58491ec4f5884638f5ece5c2c3ff3402ad31.exe (PID 1560)
Command line: "C:\Users\Admin\AppData\Local\Temp\b738ba17caeb684a287e8eeef06b58491ec4f5884638f5ece5c2c3ff3402ad31.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07165178.exe (PID 1104)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07165178.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i02731761.exe (PID 1556)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i02731761.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i04424487.exe (PID 1608)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i04424487.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe (PID 4444)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b90751529.exe (PID 4244)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b90751529.exe

PIDs are taken from the WriteProcessMemory rows above.

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
RU 185.161.248.73:4164 - tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
RU 185.161.248.73:4164 - tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 185.161.248.73:4164 - tcp
RU 185.161.248.73:4164 - tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
RU 185.161.248.73:4164 - tcp
RU 185.161.248.73:4164 - tcp

The udp rows are reverse (PTR) lookups sent to 8.8.8.8; the Domain column holds the queried PTR name, not a contacted hostname. The only direct connection is to 185.161.248.73:4164 over TCP, made six times within the 147 s network window. The report does not tie it to a process, but it is the indicator worth hunting for.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07165178.exe

MD5 73afb85fae32c8efbaa1783c832b4492
SHA1 e6901e7cd0f2344d5972a088e185a7d6c1e4fccf
SHA256 e9b44e280c080fe0af2d2718c3e860933e5ff441e3bfb08c70b7149f5274a2ba
SHA512 0958561c634381ae7da1abbc521083886909e6ffa03182ef8572e71a7078f877b5e71bcaa5038ef032111a587259d2785fcd6d1a3c438930114607cc54b9d736

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i02731761.exe

MD5 1556ede41262cb667cdd144724ffe32f
SHA1 2f6dc3ff32fb786bdfe71866de03ae47795d4736
SHA256 fd63f1b65ecb3589171d98f90ea8b72c01f6a7c16224a510c908ccdc1f7cda7b
SHA512 93df7bfb1ebd7f515a334e52af0a7d849f2542d545211bcbb1206f2fab63a3522e08d27addb4692b5aa1621a17da3389ecae83b61193653cd286b3d5018c64f8

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i04424487.exe

MD5 dc1be587279a42bf105b2afdca794eef
SHA1 86c841b826435d5c2609d3cc62fa7ffe547e919e
SHA256 3990111324bedbc8ec76338862e8101c79e622a086cea603ff373984bb5951b3
SHA512 33f4366bc9ac6a71ef99560a73f2518fa8599c70f0976bb6a33f27d61381fa9fb5be101959130188cf0a819ebbee30bf17ea9a0cc901075b43b0589904663970

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe

MD5 5136724944e0d1aac02d2f68ea738433
SHA1 1dba2353d3ab9dcdaad971c0c34405e0f4eeeaa7
SHA256 18748152ba6ca527cef70a9350fa195815b21e24a5c0b094c599444aae6aecc3
SHA512 756b6e168b07c295ea49af943c1e69638cb7819be9364e74ea8c7a443100e00642ee2875ff855c7925330d157f914299f93c0e0cdd29c692deb142b8edfef900

memory/4444-29-0x0000000002310000-0x000000000232A000-memory.dmp

memory/4444-30-0x0000000004E50000-0x00000000053F4000-memory.dmp

memory/4444-31-0x0000000002840000-0x0000000002858000-memory.dmp

memory/4444-51-0x0000000002840000-0x0000000002852000-memory.dmp

memory/4444-57-0x0000000002840000-0x0000000002852000-memory.dmp

memory/4444-59-0x0000000002840000-0x0000000002852000-memory.dmp

memory/4444-55-0x0000000002840000-0x0000000002852000-memory.dmp

memory/4444-53-0x0000000002840000-0x0000000002852000-memory.dmp

memory/4444-49-0x0000000002840000-0x0000000002852000-memory.dmp

memory/4444-47-0x0000000002840000-0x0000000002852000-memory.dmp

memory/4444-45-0x0000000002840000-0x0000000002852000-memory.dmp

memory/4444-43-0x0000000002840000-0x0000000002852000-memory.dmp

memory/4444-41-0x0000000002840000-0x0000000002852000-memory.dmp

memory/4444-39-0x0000000002840000-0x0000000002852000-memory.dmp

memory/4444-37-0x0000000002840000-0x0000000002852000-memory.dmp

memory/4444-35-0x0000000002840000-0x0000000002852000-memory.dmp

memory/4444-33-0x0000000002840000-0x0000000002852000-memory.dmp

memory/4444-32-0x0000000002840000-0x0000000002852000-memory.dmp

memory/4444-60-0x0000000000400000-0x00000000006C9000-memory.dmp

memory/4444-62-0x0000000000400000-0x00000000006C9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b90751529.exe

MD5 80b420b99ba9bd4f5b05d6b161012027
SHA1 2f13e860262c89578fcda655f61decf8e2194ae5
SHA256 8570647c7f7141f916f30b20cd83e26cc64662b399c6d21b3adc93bda9ead09f
SHA512 000a5954e227a68bf554023d344f838bdd98f16819ec2904488cb0ecc3c792e9f6dcc64e78cd7409e80abeb824aecd2f97820bedadd3dac494e3d7ed194816e8

memory/4244-66-0x0000000000A10000-0x0000000000A40000-memory.dmp

memory/4244-67-0x00000000051F0000-0x00000000051F6000-memory.dmp

memory/4244-68-0x000000000AD40000-0x000000000B358000-memory.dmp

memory/4244-69-0x000000000A880000-0x000000000A98A000-memory.dmp

memory/4244-70-0x000000000A7B0000-0x000000000A7C2000-memory.dmp

memory/4244-71-0x000000000A810000-0x000000000A84C000-memory.dmp

memory/4244-72-0x0000000002B60000-0x0000000002BAC000-memory.dmp
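Turning the Network and Files sections into something a hunt can consume is a mechanical step that is easy to get subtly wrong: the PTR names above are not hostnames, and a hash copied out of a report can silently lose characters. The following added example (not Tria.ge code) separates lookups from connections, reverses each in-addr.arpa name back to the IP that was looked up, and length-checks every digest before it enters the IOC set. Both inputs are constructed from this report's rows; the final entry, constructed.exe with a ten-character SHA256, is hypothetical and exists only to show the check firing.

```python
"""Consolidate the report's Network and Files tables into a checked IOC set.

Added example for this report, not Tria.ge code. NETWORK and FILES are
constructed from the report's rows (only the SHA256 lines are carried over;
MD5/SHA1/SHA512 lines parse the same way). The last FILES entry,
constructed.exe, is hypothetical: its truncated digest must be rejected.
"""
import re
from collections import Counter

NETWORK = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
"""

FILES = r"""
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07165178.exe
SHA256 e9b44e280c080fe0af2d2718c3e860933e5ff441e3bfb08c70b7149f5274a2ba
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i02731761.exe
SHA256 fd63f1b65ecb3589171d98f90ea8b72c01f6a7c16224a510c908ccdc1f7cda7b
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i04424487.exe
SHA256 3990111324bedbc8ec76338862e8101c79e622a086cea603ff373984bb5951b3
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe
SHA256 18748152ba6ca527cef70a9350fa195815b21e24a5c0b094c599444aae6aecc3
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b90751529.exe
SHA256 8570647c7f7141f916f30b20cd83e26cc64662b399c6d21b3adc93bda9ead09f
C:\Users\Admin\AppData\Local\Temp\constructed.exe
SHA256 deadbeef00
"""

# Country, ip:port, optional domain, proto. The domain column is absent for
# the tcp rows, hence the optional group.
NET_ROW = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
PTR_SUFFIX = ".in-addr.arpa"


def parse_network(text):
    """(country, ip, port, domain-or-None, proto) per row; malformed rows skipped."""
    rows = [NET_ROW.match(line) for line in text.strip().splitlines()]
    return [(m["cc"], m["ip"], int(m["port"]), m["domain"], m["proto"]) for m in rows if m]


def ptr_to_ip(name):
    """'13.86.106.20.in-addr.arpa' -> '20.106.86.13': PTR names list octets reversed."""
    return ".".join(reversed(name[: -len(PTR_SUFFIX)].split(".")))


def split_network(rows):
    """Separate PTR lookups from real connections.
    Returns (Counter of IPs that were looked up, Counter keyed (ip, port, proto))."""
    lookups, conns = Counter(), Counter()
    for _, ip, port, domain, proto in rows:
        if proto == "udp" and port == 53 and domain and domain.endswith(PTR_SUFFIX):
            lookups[ptr_to_ip(domain)] += 1
        else:
            conns[(ip, port, proto)] += 1
    return lookups, conns


def parse_files(text):
    """{path: {algo: hexdigest}} from the path-line-then-hash-lines layout."""
    files, current = {}, None
    for line in text.strip().splitlines():
        parts = line.split(maxsplit=1)
        if len(parts) == 2 and parts[0] in HASH_LEN:
            files[current][parts[0]] = parts[1].lower()
        else:
            current = line.strip()
            files[current] = {}
    return files


def hash_problems(files):
    """(path, algo, reason) for every digest of the wrong length or not hex."""
    out = []
    for path, digests in files.items():
        for algo, hexval in digests.items():
            want = HASH_LEN[algo]
            if len(hexval) != want or not re.fullmatch(r"[0-9a-f]+", hexval):
                out.append((path, algo, f"expected {want} hex chars, got {len(hexval)}"))
    return out


def ioc_bundle(network_text, files_text):
    """Hunt-ready summary: unique connections with counts, valid SHA256s, lookup count."""
    lookups, conns = split_network(parse_network(network_text))
    files = parse_files(files_text)
    bad = {(p, a) for p, a, _ in hash_problems(files)}
    return {
        "connections": sorted(f"{ip}:{port}/{proto} x{n}" for (ip, port, proto), n in conns.items()),
        "sha256": sorted(d["SHA256"] for p, d in files.items()
                         if "SHA256" in d and (p, "SHA256") not in bad),
        "ptr_lookups": sum(lookups.values()),
    }


if __name__ == "__main__":
    print(ioc_bundle(NETWORK, FILES))
    print(hash_problems(parse_files(FILES)))
```

Rejecting a malformed digest outright, rather than letting it through, is deliberate: a truncated hash in a blocklist never matches anything and gives a false sense of coverage, whereas a loud validation failure gets the value re-copied from the source.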