Malware Analysis Report

2024-12-06 02:55

Sample ID 241110-cefnzawmh1
Target 08039c3a3d64834516efea538e1ec8dc0d6bd4f0ecfe9798fddf669eac948130
SHA256 08039c3a3d64834516efea538e1ec8dc0d6bd4f0ecfe9798fddf669eac948130
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

08039c3a3d64834516efea538e1ec8dc0d6bd4f0ecfe9798fddf669eac948130

Threat Level: Known bad

The file 08039c3a3d64834516efea538e1ec8dc0d6bd4f0ecfe9798fddf669eac948130 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

RedLine

Healer

Modifies Windows Defender Real-time Protection settings

RedLine payload

Healer family

Detects Healer an antivirus disabler dropper

Redline family

Windows security modification

Executes dropped EXE

Adds Run key to start application

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:59

Reported

2024-11-10 02:01

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\08039c3a3d64834516efea538e1ec8dc0d6bd4f0ecfe9798fddf669eac948130.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr862273.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr862273.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr862273.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr862273.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr862273.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr862273.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr862273.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr862273.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un954941.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\08039c3a3d64834516efea538e1ec8dc0d6bd4f0ecfe9798fddf669eac948130.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un954941.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr862273.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu214826.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\08039c3a3d64834516efea538e1ec8dc0d6bd4f0ecfe9798fddf669eac948130.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr862273.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr862273.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr862273.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu214826.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3352 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\08039c3a3d64834516efea538e1ec8dc0d6bd4f0ecfe9798fddf669eac948130.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un954941.exe
PID 3352 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\08039c3a3d64834516efea538e1ec8dc0d6bd4f0ecfe9798fddf669eac948130.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un954941.exe
PID 3352 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\08039c3a3d64834516efea538e1ec8dc0d6bd4f0ecfe9798fddf669eac948130.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un954941.exe
PID 3032 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un954941.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr862273.exe
PID 3032 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un954941.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr862273.exe
PID 3032 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un954941.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr862273.exe
PID 3032 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un954941.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu214826.exe
PID 3032 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un954941.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu214826.exe
PID 3032 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un954941.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu214826.exe

Processes

C:\Users\Admin\AppData\Local\Temp\08039c3a3d64834516efea538e1ec8dc0d6bd4f0ecfe9798fddf669eac948130.exe

"C:\Users\Admin\AppData\Local\Temp\08039c3a3d64834516efea538e1ec8dc0d6bd4f0ecfe9798fddf669eac948130.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un954941.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un954941.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr862273.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr862273.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 3672 -ip 3672

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu214826.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu214826.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.142:38452 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 185.161.248.142:38452 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
RU 185.161.248.142:38452 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 185.161.248.142:38452 tcp
RU 185.161.248.142:38452 tcp
RU 185.161.248.142:38452 tcp
RU 185.161.248.142:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un954941.exe

MD5 cb079323feb9ee27865abaa01f875335
SHA1 7244dda1653d3ddc446c5a7ae284455e47ec71ac
SHA256 012ec04a5e9a07d23b951e681bc9550114cf970cc1802d0b7faeda002cf3f86b
SHA512 385c5b0de440006e2d89754828bf81d1fad563d989ba89959bfbabd7029b3df8a3ecdfd04884e20d31874064f32bbce9b69b60b34b25c07ab774b8b3fdabbc14

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr862273.exe

MD5 0a937ad6cb4e52e45ec2477662aca461
SHA1 9003c7e8a5d3dfea15a51d83650c684f176ebbd6
SHA256 7393f527944364f0136568a02edd4e349db62ecff9ad6e15d257b30e20a2cad2
SHA512 5d6fd274b913f2921f66a4da99347a1f79bddf6b145cfbf901e808851be1db022bfe8208e6524c33ea249faee608f31c6ec7e18d2700a7aeac67dfc5e5d0098d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu214826.exe

MD5 202297a9155195b49be8ffd303348948
SHA1 aab0dee3ea01548e15ebd8ee29d2f3f29593c50a
SHA256 9c11d94e789c936b3f4c60cffdd43d491d88463ec3c9e6ab54e27518307f07e0
SHA512 2b2072ced9e168cf67a940a40060ac6416345e261a656dc70d58f99e417155d699c18fb8c03f61c7b2c7678deeb888e252b3a0fce8b5bfbcfa8bfc90e8db97ad