Malware Analysis Report

2024-12-06 02:59

Sample ID 241110-cfxc4swndx
Target a7a18c66565bbcfaaff3bad2e21f3fe0abba16d028554f286e95570f518faac4
SHA256 a7a18c66565bbcfaaff3bad2e21f3fe0abba16d028554f286e95570f518faac4
Tags healer redline max discovery dropper evasion infostealer persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a7a18c66565bbcfaaff3bad2e21f3fe0abba16d028554f286e95570f518faac4

Threat Level: Known bad

The file a7a18c66565bbcfaaff3bad2e21f3fe0abba16d028554f286e95570f518faac4 was found to be: Known bad.

Malicious Activity Summary

healer redline max discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

RedLine payload

Redline family

Modifies Windows Defender Real-time Protection settings

Healer

RedLine

Healer family

Windows security modification

Executes dropped EXE

Adds Run key to start application

Launches sc.exe

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 02:01

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 02:01

Reported

2024-11-10 02:04

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7a18c66565bbcfaaff3bad2e21f3fe0abba16d028554f286e95570f518faac4.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(17 matches recorded; no indicator, process or target details were captured for any of them)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(2 matches recorded; no indicator, process or target details were captured)

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i77361293.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\a7a18c66565bbcfaaff3bad2e21f3fe0abba16d028554f286e95570f518faac4.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07163428.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75194919.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i67822294.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a7a18c66565bbcfaaff3bad2e21f3fe0abba16d028554f286e95570f518faac4.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07163428.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75194919.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i67822294.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i77361293.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b43711133.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3248 wrote to memory of 3652 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a18c66565bbcfaaff3bad2e21f3fe0abba16d028554f286e95570f518faac4.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07163428.exe
PID 3248 wrote to memory of 3652 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a18c66565bbcfaaff3bad2e21f3fe0abba16d028554f286e95570f518faac4.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07163428.exe
PID 3248 wrote to memory of 3652 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a18c66565bbcfaaff3bad2e21f3fe0abba16d028554f286e95570f518faac4.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07163428.exe
PID 3652 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07163428.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75194919.exe
PID 3652 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07163428.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75194919.exe
PID 3652 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07163428.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75194919.exe
PID 2104 wrote to memory of 3288 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75194919.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i67822294.exe
PID 2104 wrote to memory of 3288 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75194919.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i67822294.exe
PID 2104 wrote to memory of 3288 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75194919.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i67822294.exe
PID 3288 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i67822294.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i77361293.exe
PID 3288 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i67822294.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i77361293.exe
PID 3288 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i67822294.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i77361293.exe
PID 1420 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i77361293.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe
PID 1420 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i77361293.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe
PID 1420 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i77361293.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe
PID 1420 wrote to memory of 4576 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i77361293.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b43711133.exe
PID 1420 wrote to memory of 4576 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i77361293.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b43711133.exe
PID 1420 wrote to memory of 4576 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i77361293.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b43711133.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a7a18c66565bbcfaaff3bad2e21f3fe0abba16d028554f286e95570f518faac4.exe

"C:\Users\Admin\AppData\Local\Temp\a7a18c66565bbcfaaff3bad2e21f3fe0abba16d028554f286e95570f518faac4.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07163428.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07163428.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75194919.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75194919.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i67822294.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i67822294.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i77361293.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i77361293.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b43711133.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b43711133.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 185.161.248.73:4164 | N/A | tcp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
RU | 185.161.248.73:4164 | N/A | tcp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
RU | 185.161.248.73:4164 | N/A | tcp
RU | 185.161.248.73:4164 | N/A | tcp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
RU | 185.161.248.73:4164 | N/A | tcp
RU | 185.161.248.73:4164 | N/A | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07163428.exe

MD5 aed48dad6344e6d29d356c3cc9e0cb18
SHA1 194fa6fcb76807449aa3f254888a038c484c8e1e
SHA256 ecaf5bd51737dc5e0da230f30b6aa9255770804e4195bf91c53a3abb493d52ef
SHA512 1683d541a7e2505aa5162f15ef3e7ab9faeced27712fe383f686c7ff8ce4b1aa4c4d8b77ea53b3adf1eaf5f898c199ae83fd2329582de0aec3016df7b2eb49b7

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75194919.exe

MD5 b5981161c59380aca4ff33de28de2c83
SHA1 36b24da348c80f21aa99a2af7e992ad9df608876
SHA256 34f20ad7fcca545a786deecba411d930873c4c27e47f668ee5d216fbe1c88d01
SHA512 3f2e55f0172c6dd053ecf9091dec4b62ce0a854e982797188f8c5b658a2f6fafb88497d023e3de49f9d3d91fa37c1fe876c260cbe0ade843bc9fc2fe59846d16

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i67822294.exe

MD5 add569a4d6239e33a1660af86f5ee139
SHA1 16de3dacda504d2cc861b308f6d3b2d5c78da859
SHA256 ed74ce98f3e2106bcbb870ccc4bdbb319b7f65a2fe87ecd7b4e37dd33c29920a
SHA512 c25e225ed764d0ed52591e51d54211fa20e19b9548d19f801c16c93b17e07cd1335a73039a23238ce40322c275ced1fa86df2d2b9512d11ef1e533734022fbcf

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i77361293.exe

MD5 3b07549815d63b339d03218fb8aaff07
SHA1 30a5f89639e9fe8e676da88af69f6ca922a4f971
SHA256 64cdf8696be29ee24c2aeb48540f915fe24f30ceff5894e4500e7c45c0d7e20e
SHA512 dac0c3dfa80a0562950d6615ee1dfd763992cb77662c0b8a63cdff78d6efc18acb76449a18014acf66e0dc3ee91a793b6f3b54ded6a3d1b48a1d664d4c0cb833

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a27523730.exe

MD5 fa19c6001f5bbb1298c2c059a31069b1
SHA1 7a58e985705dbca888a8a3d2d961e5f2e712cb4a
SHA256 49582009d982585a066ebf64ed9e93006bbc117d3ab96e5b2c6ecbb5e6e7f1c6
SHA512 def8d8799908aeb4293575765bd4c73af8be0bcc1e7e03ec1703439b881933112c503db79411c6316b489831551c5cee11aa778c688beaaeee15d6fcbd949dcc

memory/1940-35-0x0000000002140000-0x000000000215A000-memory.dmp

memory/1940-36-0x0000000004BB0000-0x0000000005154000-memory.dmp

memory/1940-37-0x0000000002540000-0x0000000002558000-memory.dmp

memory/1940-41-0x0000000002540000-0x0000000002553000-memory.dmp

memory/1940-65-0x0000000002540000-0x0000000002553000-memory.dmp

memory/1940-63-0x0000000002540000-0x0000000002553000-memory.dmp

memory/1940-61-0x0000000002540000-0x0000000002553000-memory.dmp

memory/1940-59-0x0000000002540000-0x0000000002553000-memory.dmp

memory/1940-57-0x0000000002540000-0x0000000002553000-memory.dmp

memory/1940-55-0x0000000002540000-0x0000000002553000-memory.dmp

memory/1940-51-0x0000000002540000-0x0000000002553000-memory.dmp

memory/1940-49-0x0000000002540000-0x0000000002553000-memory.dmp

memory/1940-47-0x0000000002540000-0x0000000002553000-memory.dmp

memory/1940-45-0x0000000002540000-0x0000000002553000-memory.dmp

memory/1940-43-0x0000000002540000-0x0000000002553000-memory.dmp

memory/1940-39-0x0000000002540000-0x0000000002553000-memory.dmp

memory/1940-38-0x0000000002540000-0x0000000002553000-memory.dmp

memory/1940-53-0x0000000002540000-0x0000000002553000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b43711133.exe

MD5 46725a003192b49b0ef0a4f246866fc2
SHA1 ee1e9d275b341abe4356d4237aa13a982902357d
SHA256 b99bab3adf9596c734b15db52c5846aeb328863d2b4163cde7b8f24df0c4a561
SHA512 bab655ba19ed092a6edcc245c381e8d8035e952fdbc69c636f9882ad3027b5024e948963393967acfb897059478db13019ed2de2a374766bcd0ff7fb4dcb3db7

memory/4576-70-0x0000000000C80000-0x0000000000CB0000-memory.dmp

memory/4576-71-0x0000000001480000-0x0000000001486000-memory.dmp

memory/4576-72-0x000000000B060000-0x000000000B678000-memory.dmp

memory/4576-73-0x000000000AB50000-0x000000000AC5A000-memory.dmp

memory/4576-74-0x0000000005690000-0x00000000056A2000-memory.dmp

memory/4576-75-0x000000000AA80000-0x000000000AABC000-memory.dmp

memory/4576-76-0x0000000004EC0000-0x0000000004F0C000-memory.dmp