Malware Analysis Report

2024-12-06 03:00

Sample ID 241110-cga69szmhk
Target 7ab435a8e3b22164b83c26cc846cbd369b1631df08dbba7cd1ce4e0a38ce17ba
SHA256 7ab435a8e3b22164b83c26cc846cbd369b1631df08dbba7cd1ce4e0a38ce17ba
Tags
healer redline stek discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7ab435a8e3b22164b83c26cc846cbd369b1631df08dbba7cd1ce4e0a38ce17ba

Threat Level: Known bad

The file 7ab435a8e3b22164b83c26cc846cbd369b1631df08dbba7cd1ce4e0a38ce17ba was found to be: Known bad.

Malicious Activity Summary

healer redline stek discovery dropper evasion infostealer persistence trojan

Redline family

Healer

Healer family

Modifies Windows Defender Real-time Protection settings

RedLine payload

Detects Healer, an antivirus disabler dropper

RedLine

Executes dropped EXE

Windows security modification

Adds Run key to start application

Launches sc.exe

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 02:02

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 02:02

Reported

2024-11-10 02:04

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7ab435a8e3b22164b83c26cc846cbd369b1631df08dbba7cd1ce4e0a38ce17ba.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw35Gb15oR13.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw35Gb15oR13.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw35Gb15oR13.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw35Gb15oR13.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw35Gb15oR13.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw35Gb15oR13.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw35Gb15oR13.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7ab435a8e3b22164b83c26cc846cbd369b1631df08dbba7cd1ce4e0a38ce17ba.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vFy3405vA.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ab435a8e3b22164b83c26cc846cbd369b1631df08dbba7cd1ce4e0a38ce17ba.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vFy3405vA.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tud11XO16.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw35Gb15oR13.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw35Gb15oR13.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tud11XO16.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7ab435a8e3b22164b83c26cc846cbd369b1631df08dbba7cd1ce4e0a38ce17ba.exe

"C:\Users\Admin\AppData\Local\Temp\7ab435a8e3b22164b83c26cc846cbd369b1631df08dbba7cd1ce4e0a38ce17ba.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vFy3405vA.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vFy3405vA.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw35Gb15oR13.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw35Gb15oR13.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tud11XO16.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tud11XO16.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | melevv.eu | udp
US | 8.8.8.8:53 | melevv.eu | udp
US | 8.8.8.8:53 | melevv.eu | udp
US | 8.8.8.8:53 | melevv.eu | udp
US | 8.8.8.8:53 | melevv.eu | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | melevv.eu | udp
US | 8.8.8.8:53 | melevv.eu | udp
US | 8.8.8.8:53 | melevv.eu | udp
US | 8.8.8.8:53 | melevv.eu | udp
US | 8.8.8.8:53 | melevv.eu | udp
US | 8.8.8.8:53 | melevv.eu | udp
US | 8.8.8.8:53 | melevv.eu | udp
US | 8.8.8.8:53 | melevv.eu | udp
US | 8.8.8.8:53 | melevv.eu | udp
US | 8.8.8.8:53 | melevv.eu | udp
US | 8.8.8.8:53 | melevv.eu | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | melevv.eu | udp
US | 8.8.8.8:53 | melevv.eu | udp
US | 8.8.8.8:53 | melevv.eu | udp
US | 8.8.8.8:53 | melevv.eu | udp
US | 8.8.8.8:53 | melevv.eu | udp
US | 8.8.8.8:53 | melevv.eu | udp
US | 8.8.8.8:53 | melevv.eu | udp
US | 8.8.8.8:53 | melevv.eu | udp
US | 8.8.8.8:53 | melevv.eu | udp
US | 8.8.8.8:53 | melevv.eu | udp
US | 8.8.8.8:53 | melevv.eu | udp
US | 8.8.8.8:53 | N/A | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vFy3405vA.exe

MD5 8b6a4e856ed8891a75ed90dc4c6f648a
SHA1 0b428fde7b084d32c6b9f0271fdc74a2330ac1af
SHA256 4ecf23a9e5093ad874ccea49b28c64cdcf81e646bef02744628fc9e0e5e3b275
SHA512 78982010bd142081b537c16b3c375cd5ed2a61788560e0d7ceb149e64bc24136aa49a599356f362e8c0411300fa6a8ec8af929ee08101a7f0738cc92393be123

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw35Gb15oR13.exe

MD5 9b78b7e4cefa0f2514f203dd98dba22f
SHA1 c32477bf3efa86a61ab376ab63b0b049a2d5a869
SHA256 101ae08e45a7b4f0687f38de1bd3a1a37ecf4d333c677817b3c4b2600ac1c6a1
SHA512 d455690fb68aa891fbdb20fcfc610369ac6296127b68d8fed618cad5aed3e8e4c585a67f0bbdd1385e763f1cf63c08bedfdd07b273cdea7b5b706b0a49f7a3fe

memory/512-14-0x00007FFFA37F3000-0x00007FFFA37F5000-memory.dmp

memory/512-15-0x0000000000BA0000-0x0000000000BAA000-memory.dmp

memory/512-16-0x00007FFFA37F3000-0x00007FFFA37F5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tud11XO16.exe

MD5 066b5456cc754c4c01232eb5f6528b57
SHA1 a530c7bbf3cda6f6edf3d5b210a43630d3828f40
SHA256 b428258fc52be23096aa6c4e68251e60514dedcd2ee8a4cdca2f60d3f55a1630
SHA512 09ac6e0aa74919ee2321b79f267cf14baf3a8cb2bf3e589ae3b764af1e7ce495bea67c9ebcfcbb92ac4b4c3d8557052a1c979066138f0c4439a8c4d5e38878d5

memory/2044-22-0x0000000007240000-0x0000000007286000-memory.dmp

memory/2044-23-0x0000000007370000-0x0000000007914000-memory.dmp

memory/2044-24-0x00000000072E0000-0x0000000007324000-memory.dmp

memory/2044-88-0x00000000072E0000-0x000000000731E000-memory.dmp

memory/2044-86-0x00000000072E0000-0x000000000731E000-memory.dmp

memory/2044-84-0x00000000072E0000-0x000000000731E000-memory.dmp

memory/2044-83-0x00000000072E0000-0x000000000731E000-memory.dmp

memory/2044-80-0x00000000072E0000-0x000000000731E000-memory.dmp

memory/2044-78-0x00000000072E0000-0x000000000731E000-memory.dmp

memory/2044-76-0x00000000072E0000-0x000000000731E000-memory.dmp

memory/2044-75-0x00000000072E0000-0x000000000731E000-memory.dmp

memory/2044-72-0x00000000072E0000-0x000000000731E000-memory.dmp

memory/2044-70-0x00000000072E0000-0x000000000731E000-memory.dmp

memory/2044-68-0x00000000072E0000-0x000000000731E000-memory.dmp

memory/2044-66-0x00000000072E0000-0x000000000731E000-memory.dmp

memory/2044-64-0x00000000072E0000-0x000000000731E000-memory.dmp

memory/2044-62-0x00000000072E0000-0x000000000731E000-memory.dmp

memory/2044-60-0x00000000072E0000-0x000000000731E000-memory.dmp

memory/2044-58-0x00000000072E0000-0x000000000731E000-memory.dmp

memory/2044-56-0x00000000072E0000-0x000000000731E000-memory.dmp

memory/2044-54-0x00000000072E0000-0x000000000731E000-memory.dmp

memory/2044-52-0x00000000072E0000-0x000000000731E000-memory.dmp

memory/2044-50-0x00000000072E0000-0x000000000731E000-memory.dmp

memory/2044-46-0x00000000072E0000-0x000000000731E000-memory.dmp

memory/2044-44-0x00000000072E0000-0x000000000731E000-memory.dmp

memory/2044-43-0x00000000072E0000-0x000000000731E000-memory.dmp

memory/2044-40-0x00000000072E0000-0x000000000731E000-memory.dmp

memory/2044-38-0x00000000072E0000-0x000000000731E000-memory.dmp

memory/2044-36-0x00000000072E0000-0x000000000731E000-memory.dmp

memory/2044-34-0x00000000072E0000-0x000000000731E000-memory.dmp

memory/2044-32-0x00000000072E0000-0x000000000731E000-memory.dmp

memory/2044-30-0x00000000072E0000-0x000000000731E000-memory.dmp

memory/2044-48-0x00000000072E0000-0x000000000731E000-memory.dmp

memory/2044-28-0x00000000072E0000-0x000000000731E000-memory.dmp

memory/2044-26-0x00000000072E0000-0x000000000731E000-memory.dmp

memory/2044-25-0x00000000072E0000-0x000000000731E000-memory.dmp

memory/2044-931-0x0000000007940000-0x0000000007F58000-memory.dmp

memory/2044-932-0x0000000007FE0000-0x00000000080EA000-memory.dmp

memory/2044-933-0x0000000008120000-0x0000000008132000-memory.dmp

memory/2044-934-0x0000000008140000-0x000000000817C000-memory.dmp

memory/2044-935-0x0000000008290000-0x00000000082DC000-memory.dmp