Malware Analysis Report

2024-12-06 02:59

Sample ID 241110-cg6ceaznam
Target 24c8c4215809438956aa2fcdfa0eca28aba0325a18a2222df4a8a032b90f9d60
SHA256 24c8c4215809438956aa2fcdfa0eca28aba0325a18a2222df4a8a032b90f9d60
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

24c8c4215809438956aa2fcdfa0eca28aba0325a18a2222df4a8a032b90f9d60

Threat Level: Known bad

The file 24c8c4215809438956aa2fcdfa0eca28aba0325a18a2222df4a8a032b90f9d60 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

RedLine

Healer

Detects Healer an antivirus disabler dropper

Redline family

Healer family

RedLine payload

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 02:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 02:03

Reported

2024-11-10 02:06

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\24c8c4215809438956aa2fcdfa0eca28aba0325a18a2222df4a8a032b90f9d60.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az402257.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az402257.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az402257.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az402257.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az402257.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az402257.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (35 identical rows reported; no description, indicator, process or target was recorded for any of them)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az402257.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki780371.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki232969.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki736761.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki679072.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\24c8c4215809438956aa2fcdfa0eca28aba0325a18a2222df4a8a032b90f9d60.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki736761.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki679072.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu265056.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\24c8c4215809438956aa2fcdfa0eca28aba0325a18a2222df4a8a032b90f9d60.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki780371.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki232969.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az402257.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az402257.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az402257.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu265056.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3780 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\24c8c4215809438956aa2fcdfa0eca28aba0325a18a2222df4a8a032b90f9d60.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki780371.exe
PID 3780 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\24c8c4215809438956aa2fcdfa0eca28aba0325a18a2222df4a8a032b90f9d60.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki780371.exe
PID 3780 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\24c8c4215809438956aa2fcdfa0eca28aba0325a18a2222df4a8a032b90f9d60.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki780371.exe
PID 2968 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki780371.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki232969.exe
PID 2968 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki780371.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki232969.exe
PID 2968 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki780371.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki232969.exe
PID 4764 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki232969.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki736761.exe
PID 4764 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki232969.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki736761.exe
PID 4764 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki232969.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki736761.exe
PID 544 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki736761.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki679072.exe
PID 544 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki736761.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki679072.exe
PID 544 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki736761.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki679072.exe
PID 4468 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki679072.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az402257.exe
PID 4468 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki679072.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az402257.exe
PID 4468 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki679072.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu265056.exe
PID 4468 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki679072.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu265056.exe
PID 4468 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki679072.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu265056.exe

Processes

C:\Users\Admin\AppData\Local\Temp\24c8c4215809438956aa2fcdfa0eca28aba0325a18a2222df4a8a032b90f9d60.exe

"C:\Users\Admin\AppData\Local\Temp\24c8c4215809438956aa2fcdfa0eca28aba0325a18a2222df4a8a032b90f9d60.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki780371.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki780371.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki232969.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki232969.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki736761.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki736761.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki679072.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki679072.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az402257.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az402257.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu265056.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu265056.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
RU 185.161.248.152:38452 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
RU 185.161.248.152:38452 tcp
RU 185.161.248.152:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki780371.exe

MD5 b7282d670a66878cd335d0b7b2b8d953
SHA1 fbc4ef8998feb736bde8bb1c8ba8d405d30fa161
SHA256 861e66e0a132feb7c05ca2b5d853cd343032084b7d302932df0169d555bea771
SHA512 0ed03d73bbd869714463397e3dce6135da2f56f4f9136a674ff5f182d7984ca36c4128ba03c739d85c3ee7bf3fa3b70166c69c0ef7167ed17f9420b0aba4841b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki232969.exe

MD5 9e3511593aeb063bf9d1ffe13a7c3a28
SHA1 ef9e249f6ba3542634532a0a3e60e2fabca7532f
SHA256 5bc985ab7356846500c86bac068c6d2dae27040c4f922881a85061c0b8988f42
SHA512 1b725e53d53f686cbaca3a43cb65e5110476cf70552af2ca61d8bc2a6e4e6e0bef57d54c2a40e68d30d275105309082f597877f3be127ac400cef4f6f7b0ab84

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki736761.exe

MD5 e74fce2d47d3869cee9bba5e41e89ccd
SHA1 9ba3c2839719375da452ea3280b2dff89fd952b0
SHA256 4669ccd3bc9cf50738547c2cb2788c8f1af801f81a91366a5b80d65ae4aa284f
SHA512 da681230917e1db30071eee13366920dd4fb80b7123b12815ddec7f6cd15fe29f478fca0cff84b66138280a396bd6229b24bba10d3f16b0d3184836b70a0f343

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki679072.exe

MD5 7d1a9b227b196e899a531578e6e9c43c
SHA1 bc503aeaa7099a7989361a7a509f31b96c8bbd62
SHA256 a1d97b4f26e3b12632d63931c44890171555d367c495d4207769d37cf6ca7b12
SHA512 554d665c47f6ce13cdd5cdb85d73ce1d48cb72b15f9eb6197ca6c2af2b29469a3e0ee015831660452abe46978c5e779f185e377b9fb18137e1b76ccf88f84c05

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az402257.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/388-35-0x00000000007D0000-0x00000000007DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu265056.exe

MD5 1c4231cb6bfc9c051f91cb4b142a99ae
SHA1 450fd0c80ba80382a1289de0a4f0c61403bd9f0e
SHA256 c9de51fc99f6ae1fa778b721b6aceec4353bcbc746dff7afa1b48a98b0de9e62
SHA512 5695c2694f80035329a515f3f0a910eaca4a1b66d06f14b93c132bd4cf00e982ce957907a91757330f7fcc7a0cb4898a01c583ed7d4067d3530c2413dc4ce937

memory/4296-41-0x0000000004D20000-0x0000000004D5C000-memory.dmp

memory/4296-42-0x0000000004EB0000-0x0000000005454000-memory.dmp

memory/4296-43-0x0000000004DF0000-0x0000000004E2A000-memory.dmp

memory/4296-55-0x0000000004DF0000-0x0000000004E25000-memory.dmp

memory/4296-47-0x0000000004DF0000-0x0000000004E25000-memory.dmp

memory/4296-45-0x0000000004DF0000-0x0000000004E25000-memory.dmp

memory/4296-44-0x0000000004DF0000-0x0000000004E25000-memory.dmp

memory/4296-79-0x0000000004DF0000-0x0000000004E25000-memory.dmp

memory/4296-107-0x0000000004DF0000-0x0000000004E25000-memory.dmp

memory/4296-103-0x0000000004DF0000-0x0000000004E25000-memory.dmp

memory/4296-101-0x0000000004DF0000-0x0000000004E25000-memory.dmp

memory/4296-99-0x0000000004DF0000-0x0000000004E25000-memory.dmp

memory/4296-98-0x0000000004DF0000-0x0000000004E25000-memory.dmp

memory/4296-95-0x0000000004DF0000-0x0000000004E25000-memory.dmp

memory/4296-93-0x0000000004DF0000-0x0000000004E25000-memory.dmp

memory/4296-91-0x0000000004DF0000-0x0000000004E25000-memory.dmp

memory/4296-89-0x0000000004DF0000-0x0000000004E25000-memory.dmp

memory/4296-87-0x0000000004DF0000-0x0000000004E25000-memory.dmp

memory/4296-85-0x0000000004DF0000-0x0000000004E25000-memory.dmp

memory/4296-83-0x0000000004DF0000-0x0000000004E25000-memory.dmp

memory/4296-77-0x0000000004DF0000-0x0000000004E25000-memory.dmp

memory/4296-75-0x0000000004DF0000-0x0000000004E25000-memory.dmp

memory/4296-73-0x0000000004DF0000-0x0000000004E25000-memory.dmp

memory/4296-71-0x0000000004DF0000-0x0000000004E25000-memory.dmp

memory/4296-69-0x0000000004DF0000-0x0000000004E25000-memory.dmp

memory/4296-67-0x0000000004DF0000-0x0000000004E25000-memory.dmp

memory/4296-65-0x0000000004DF0000-0x0000000004E25000-memory.dmp

memory/4296-63-0x0000000004DF0000-0x0000000004E25000-memory.dmp

memory/4296-61-0x0000000004DF0000-0x0000000004E25000-memory.dmp

memory/4296-59-0x0000000004DF0000-0x0000000004E25000-memory.dmp

memory/4296-57-0x0000000004DF0000-0x0000000004E25000-memory.dmp

memory/4296-53-0x0000000004DF0000-0x0000000004E25000-memory.dmp

memory/4296-51-0x0000000004DF0000-0x0000000004E25000-memory.dmp

memory/4296-49-0x0000000004DF0000-0x0000000004E25000-memory.dmp

memory/4296-105-0x0000000004DF0000-0x0000000004E25000-memory.dmp

memory/4296-81-0x0000000004DF0000-0x0000000004E25000-memory.dmp

memory/4296-836-0x00000000078E0000-0x0000000007EF8000-memory.dmp

memory/4296-837-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

memory/4296-838-0x0000000007FC0000-0x00000000080CA000-memory.dmp

memory/4296-839-0x00000000080E0000-0x000000000811C000-memory.dmp

memory/4296-840-0x0000000002840000-0x000000000288C000-memory.dmp