Malware Analysis Report

2024-12-06 03:01

Sample ID 241110-cemsaawnax
Target 1722c8abae90465e3b4330baca3510eb37a345c1ced94b9d83a634c0b6714b59
SHA256 1722c8abae90465e3b4330baca3510eb37a345c1ced94b9d83a634c0b6714b59
Tags
healer redline rouch discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1 (Detonation Overview; Signatures)
Analysis: behavioral1 (Detonation Overview; Command Line; Signatures; Processes; Network; Files)

Analysis Overview

score
10/10

SHA256

1722c8abae90465e3b4330baca3510eb37a345c1ced94b9d83a634c0b6714b59

Threat Level: Known bad

The file 1722c8abae90465e3b4330baca3510eb37a345c1ced94b9d83a634c0b6714b59 was found to be: Known bad.

Malicious Activity Summary

healer redline rouch discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Redline family

RedLine payload

Healer

Healer family

RedLine

Detects Healer an antivirus disabler dropper

Executes dropped EXE

Windows security modification

Adds Run key to start application

Launches sc.exe

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:59

Signatures

Unsigned PE

The file carries no Authenticode signature. No further description, indicator, process or target is recorded for this hit.

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:59

Reported

2024-11-10 02:02

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1722c8abae90465e3b4330baca3510eb37a345c1ced94b9d83a634c0b6714b59.exe"

Signatures

Detects Healer an antivirus disabler dropper

2 hits; no description, indicator, process or target recorded for either.

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw64Nb20oQ35.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw64Nb20oQ35.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw64Nb20oQ35.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw64Nb20oQ35.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw64Nb20oQ35.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw64Nb20oQ35.exe N/A
All five values sit under the Group Policy path that Defender reads for real-time protection (ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools); a DWORD of 1 turns the named protection off: real-time scanning, behaviour monitoring, on-access file scanning, IOAV scanning of downloaded files and attachments, and the process scan Defender runs whenever real-time protection is enabled. Writing under HKLM needs an elevated token, which the process had here (the sandbox user is Admin and the same process later enables SeDebugPrivilege). On a host where tamper protection is on, Defender treats these as protected settings and the writes do not take effect, so these rows document an attempt, not a confirmed outcome.

RedLine

infostealer redline

RedLine payload

35 hits; no description, indicator, process or target recorded for any of them.

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw64Nb20oQ35.exe N/A
This is the value under which Defender records tamper-protection state. Zeroing it is the usual attempt to switch the feature off before the Real-Time Protection policy writes above, and it comes from the same dropped executable, sw64Nb20oQ35.exe, the antivirus-disabler behaviour that the Healer signatures flag. Where tamper protection is already enabled, Defender protects this key and the write is refused. On a live host, confirm the actual state with Get-MpComputerStatus (IsTamperProtected, RealTimeProtectionEnabled) rather than trusting the registry value.
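The two registry tables above are the whole of the Defender tampering this sample performs. The Python below is an added example, not part of the sandbox report or of any tool it names: it parses rows in the report's "Set value" shape, maps each Real-Time Protection policy value to the protection it switches off, and flags the TamperProtection write separately so the verdict distinguishes an attempted tamper-protection bypass from the protections that were actually targeted. The event lines are copied from this report's tables; the line format, the dataclass and the function names are the example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Group Policy path that Windows Defender reads for real-time protection;
# a DWORD of 1 under it turns the named protection off.
RTP_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring": "real-time scanning",
    "DisableBehaviorMonitoring": "behaviour monitoring",
    "DisableOnAccessProtection": "on-access file scanning",
    "DisableIOAVProtection": "scanning of downloaded files and attachments",
    "DisableScanOnRealtimeEnable": "process scan run when real-time protection is enabled",
}
# Key under which Defender records tamper-protection state.
FEATURES_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"

# Row format used by this report (assumed fixed for the example):
#   Set value (<type>) <key>\<name> = "<data>" <process> <target>
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>[^"]*)" (?P<proc>\S+)'
)

# Constructed input: the six registry rows copied from this report's signature tables.
REPORT_EVENTS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw64Nb20oQ35.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw64Nb20oQ35.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw64Nb20oQ35.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw64Nb20oQ35.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw64Nb20oQ35.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw64Nb20oQ35.exe N/A
'''.strip().splitlines()


@dataclass
class TamperVerdict:
    disabled: List[str] = field(default_factory=list)   # protections switched off, in event order
    tamper_protection_off: bool = False                 # TamperProtection value written as 0
    processes: Set[str] = field(default_factory=set)    # processes that performed the writes


def parse_set_value(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (key, value_name, data, process) for a 'Set value' row, or None for any other row."""
    m = SET_VALUE_RE.match(line.strip())
    if not m:
        return None
    key, _, name = m.group("path").rpartition("\\")
    return key, name, m.group("data"), m.group("proc")


def classify(lines) -> TamperVerdict:
    """Walk registry rows and record which Defender protections were turned off and by whom."""
    verdict = TamperVerdict()
    for line in lines:
        parsed = parse_set_value(line)
        if parsed is None:
            continue  # 'Key created', 'Key opened' and other rows carry no data to judge
        key, name, data, proc = parsed
        if key.lower() == RTP_POLICY_KEY.lower() and name in RTP_DISABLE_VALUES and data == "1":
            verdict.disabled.append(RTP_DISABLE_VALUES[name])
            verdict.processes.add(proc)
        elif key.lower() == FEATURES_KEY.lower() and name == "TamperProtection" and data == "0":
            verdict.tamper_protection_off = True
            verdict.processes.add(proc)
    return verdict


def describe(verdict: TamperVerdict) -> str:
    """One-line summary in the spirit of the report's own signature names."""
    if not verdict.disabled and not verdict.tamper_protection_off:
        return "no Defender tampering observed"
    parts = []
    if verdict.tamper_protection_off:
        parts.append("attempted to turn tamper protection off")
    if verdict.disabled:
        parts.append("disabled " + ", ".join(verdict.disabled))
    return "; ".join(parts) + " (" + ", ".join(sorted(verdict.processes)) + ")"


if __name__ == "__main__":
    print(describe(classify(REPORT_EVENTS)))
```

The summary deliberately says "attempted" for the tamper-protection write: with the feature on, the write is refused, and only Get-MpComputerStatus or the Defender operational event log on the affected host tells you whether real-time protection actually went down.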

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1722c8abae90465e3b4330baca3510eb37a345c1ced94b9d83a634c0b6714b59.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vCn6453Zi.exe N/A
Both entries are the cleanup hook that wextract.exe (the IExpress self-extractor stub) writes for itself: on the next logon rundll32 calls DelNodeRunDLL32 in advpack.dll to delete the extraction directory. They do not relaunch any payload, so the hit is persistence only in the narrow sense that a RunOnce value was written. What they do reveal is the packaging: the outer sample is an IExpress package that extracts vCn6453Zi.exe into IXP000.TMP, and vCn6453Zi.exe is a second IExpress package that extracts sw64Nb20oQ35.exe and tYL34Rw91.exe into IXP001.TMP. The WOW6432Node path shows both stubs are 32-bit processes on the 64-bit guest. %TEMP%\IXP00n.TMP directories holding unsigned executables are a good hunting artefact for this chain.

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
The command line recorded under Processes is sc.exe start wuauserv, i.e. starting the Windows Update service; the report does not record which process spawned it.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1722c8abae90465e3b4330baca3510eb37a345c1ced94b9d83a634c0b6714b59.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vCn6453Zi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tYL34Rw91.exe N/A
Reading HKLM\SYSTEM\ControlSet001\Control\NLS\Language is a locale check (ATT&CK T1614.001). The outer sample, vCn6453Zi.exe and tYL34Rw91.exe all perform it; sw64Nb20oQ35.exe does not.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw64Nb20oQ35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw64Nb20oQ35.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw64Nb20oQ35.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tYL34Rw91.exe N/A
SeDebugPrivilege lets a process open handles to processes it does not own. Both second-stage executables enable it, and sw64Nb20oQ35.exe is also the process behind the EnumeratesProcesses hits above; the WriteProcessMemory hit listed in the summary has no per-process detail in this report.

Processes

C:\Users\Admin\AppData\Local\Temp\1722c8abae90465e3b4330baca3510eb37a345c1ced94b9d83a634c0b6714b59.exe

"C:\Users\Admin\AppData\Local\Temp\1722c8abae90465e3b4330baca3510eb37a345c1ced94b9d83a634c0b6714b59.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vCn6453Zi.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vCn6453Zi.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw64Nb20oQ35.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw64Nb20oQ35.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tYL34Rw91.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tYL34Rw91.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FR 193.56.146.11:4162 (no domain) tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
FR 193.56.146.11:4162 (no domain) tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
FR 193.56.146.11:4162 (no domain) tcp
FR 193.56.146.11:4162 (no domain) tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
FR 193.56.146.11:4162 (no domain) tcp
FR 193.56.146.11:4162 (no domain) tcp

Only 193.56.146.11:4162 (FR) is a direct connection: six TCP sessions to a hardcoded IP and port with no name lookup in front of them, which makes it the network indicator to block and hunt for. The udp rows are reverse-DNS (PTR) queries sent to 8.8.8.8; read back from reversed-octet form they ask about 8.8.8.8, 52.140.118.28, 2.23.210.83, 20.190.160.20, 192.229.221.95, 52.185.211.133, 2.23.210.88 and 52.111.229.48. No forward connection to any of those addresses appears in the table.
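The table mixes resolver traffic with the one real connection, and the in-addr.arpa names hide the addresses being looked up. The Python below is an added example, not part of the report or of the sandbox's own tooling: it takes rows in the table's shape, decodes each PTR name back to the IPv4 address it asks about, records any forward lookups separately, and counts direct connections per endpoint so the block list contains only what the sample actually connected to. The rows are copied from this table; the tuple layout and function names are the example's own.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed input: the rows of this report's Network table as (country, destination, domain, proto).
NETWORK_ROWS: List[Tuple[str, str, str, str]] = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "28.118.140.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "83.210.23.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "20.160.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("FR", "193.56.146.11:4162", "", "tcp"),
    ("US", "8.8.8.8:53", "133.211.185.52.in-addr.arpa", "udp"),
    ("FR", "193.56.146.11:4162", "", "tcp"),
    ("US", "8.8.8.8:53", "88.210.23.2.in-addr.arpa", "udp"),
    ("FR", "193.56.146.11:4162", "", "tcp"),
    ("FR", "193.56.146.11:4162", "", "tcp"),
    ("US", "8.8.8.8:53", "48.229.111.52.in-addr.arpa", "udp"),
    ("FR", "193.56.146.11:4162", "", "tcp"),
    ("FR", "193.56.146.11:4162", "", "tcp"),
]


def ptr_to_ip(name: str) -> Optional[str]:
    """Decode a PTR query name (octets reversed, '.in-addr.arpa') to the IPv4 address it asks about."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None  # partial or malformed reverse name
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None  # e.g. an octet above 255


def summarize(rows) -> Dict[str, object]:
    """Split resolver traffic from direct connections.

    Returns {'ptr_targets': [ip, ...] in table order,
             'forward_lookups': [name, ...] for non-PTR DNS queries,
             'direct': Counter{(proto, dest, country): connection count}}.
    """
    ptr_targets: List[str] = []
    forward_lookups: List[str] = []
    direct: Counter = Counter()
    for country, dest, domain, proto in rows:
        if proto == "udp" and dest.endswith(":53") and domain:
            ip = ptr_to_ip(domain)
            if ip is not None:
                ptr_targets.append(ip)
            else:
                forward_lookups.append(domain)  # A/AAAA-style lookups; this table has none
        else:
            direct[(proto, dest, country)] += 1
    return {"ptr_targets": ptr_targets, "forward_lookups": forward_lookups, "direct": direct}


def network_iocs(rows) -> List[str]:
    """Endpoints worth blocking: direct connections only, never the resolver or the PTR subjects."""
    return sorted(f"{proto}://{dest}" for (proto, dest, _country) in summarize(rows)["direct"])


if __name__ == "__main__":
    s = summarize(NETWORK_ROWS)
    for (proto, dest, country), n in s["direct"].items():
        print(f"{dest} {proto} {country}: {n} connections, no preceding name lookup")
    print("reverse lookups for:", ", ".join(s["ptr_targets"]))
    print("block list:", network_iocs(NETWORK_ROWS))
```

The PTR subjects are kept out of the block list on purpose: a reverse lookup tells you an address was being named, not that the sample talked to it, and this table shows no forward connection to any of them.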

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vCn6453Zi.exe

MD5 e9f8fa84cbbb1676f80217d5a6d3edec
SHA1 07bdfa13e0e4724f9c8fd6c5808e1a1de57bf377
SHA256 b2b7720bc21a3eab98f2ab94b322c52aef61d342c327d661aea335c0213afd08
SHA512 857662f5b7ae3169bc4d77eab8dc6ff4ec80bf5973a11a44317004da8174c316bee69a534a3f968383e685c366590e5fd6b8396e9f17e76a375a4f7c168756b0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw64Nb20oQ35.exe

MD5 8849c6d58014323fdc478b0d1bad79d9
SHA1 1a651d78a607dc6982160fab18ea9026c08145c6
SHA256 672444102ead4e271f6036c72c19c9b23bec51aff2bcccf01bccedcca8fbbf6f
SHA512 4f3c32dab92b3fc5b553839769687f49cfef427d5363259759d434c8812b0cf6c7633427f1af976b2659629af0cbf05f7506475723660fbd109ec404d2ae9405

Memory dumps (PID 2896):
memory/2896-14 and memory/2896-16: 0x00007FFBFA573000-0x00007FFBFA575000 (8 KiB, the same region dumped twice)
memory/2896-15: 0x0000000000E80000-0x0000000000E8A000 (40 KiB)

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tYL34Rw91.exe

MD5 ee88ac97f4c8afbffa2bc8f3028eb7b5
SHA1 317976a79b29df18269fd094b0f70c4239a34b5e
SHA256 24171a89bb2113a8e2e1ddd3475f6119c8fbd2d171bd04ed4345beab8c8fed04
SHA512 dafed21dc7d2b3a4daf73f12474dbc22c23f157aec0ea31313ea4619d6842fc13a896e10a70e54374ec6cf6976d61e8959fea085135665fb133e0feb3bc17c05

Memory dumps (PID 428), listed by dump index:
memory/428-22: 0x0000000004BB0000-0x0000000004BF6000 (280 KiB)
memory/428-23: 0x0000000007260000-0x0000000007804000 (5.6 MiB)
memory/428-24: 0x00000000071A0000-0x00000000071E4000 (272 KiB)
memory/428-25, -26, -28, -30, -32, -34, -36, -38, -40, -42, -44, -46, -48, -50, -52, -54, -56, -58, -61, -62, -64, -66, -69, -70, -72, -74, -76, -78, -80, -82, -84, -86, -88: 0x00000000071A0000-0x00000000071DE000 (248 KiB; the same region dumped 33 times over the run)
memory/428-931: 0x0000000007810000-0x0000000007E28000 (6.1 MiB)
memory/428-932: 0x0000000007EA0000-0x0000000007FAA000 (1.0 MiB)
memory/428-933: 0x0000000007FE0000-0x0000000007FF2000 (72 KiB)
memory/428-934: 0x0000000008000000-0x000000000803C000 (240 KiB)
memory/428-935: 0x0000000008150000-0x000000000819C000 (304 KiB)
A region rewritten this often during execution, together with the large late dumps (931 and 932), is the first place to look for unpacked code and configuration when triaging this process.