Malware Analysis Report

2024-12-06 02:57

Sample ID: 241110-cgjhmswnez
Target: 2c04a3cf7603089e4d6866728fb763a6c7838b9abd62c75a3af349054ba223da
SHA256: 2c04a3cf7603089e4d6866728fb763a6c7838b9abd62c75a3af349054ba223da
Tags: healer redline rosn discovery dropper evasion infostealer persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 2c04a3cf7603089e4d6866728fb763a6c7838b9abd62c75a3af349054ba223da

Threat Level: Known bad

The file 2c04a3cf7603089e4d6866728fb763a6c7838b9abd62c75a3af349054ba223da was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Redline family

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

RedLine payload

Healer

Healer family

RedLine

Executes dropped EXE

Windows security modification

Adds Run key to start application

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-11-10 02:02

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-10 02:02
Reported: 2024-11-10 02:05
Platform: win10v2004-20241007-en
Max time kernel: 145s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c04a3cf7603089e4d6866728fb763a6c7838b9abd62c75a3af349054ba223da.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (17 rows, all N/A)

Healer (tags: dropper healer)

Healer family (tags: healer)

Modifies Windows Defender Real-time Protection settings (tags: evasion trojan)

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3277.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3277.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3277.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3277.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3277.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3277.exe | N/A

RedLine (tags: infostealer redline)

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (20 rows, all N/A)

Redline family (tags: redline)

Windows security modification (tags: evasion trojan)

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3277.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3277.exe | N/A

Adds Run key to start application (tags: persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\2c04a3cf7603089e4d6866728fb763a6c7838b9abd62c75a3af349054ba223da.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un466351.exe | N/A

System Location Discovery: System Language Discovery (tags: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2c04a3cf7603089e4d6866728fb763a6c7838b9abd62c75a3af349054ba223da.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un466351.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3277.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2560.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3277.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3277.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3277.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2560.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 952 wrote to memory of 4300 | N/A | C:\Users\Admin\AppData\Local\Temp\2c04a3cf7603089e4d6866728fb763a6c7838b9abd62c75a3af349054ba223da.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un466351.exe
PID 952 wrote to memory of 4300 | N/A | C:\Users\Admin\AppData\Local\Temp\2c04a3cf7603089e4d6866728fb763a6c7838b9abd62c75a3af349054ba223da.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un466351.exe
PID 952 wrote to memory of 4300 | N/A | C:\Users\Admin\AppData\Local\Temp\2c04a3cf7603089e4d6866728fb763a6c7838b9abd62c75a3af349054ba223da.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un466351.exe
PID 4300 wrote to memory of 4224 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un466351.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3277.exe
PID 4300 wrote to memory of 4224 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un466351.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3277.exe
PID 4300 wrote to memory of 4224 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un466351.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3277.exe
PID 4300 wrote to memory of 932 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un466351.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2560.exe
PID 4300 wrote to memory of 932 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un466351.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2560.exe
PID 4300 wrote to memory of 932 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un466351.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2560.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2c04a3cf7603089e4d6866728fb763a6c7838b9abd62c75a3af349054ba223da.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2c04a3cf7603089e4d6866728fb763a6c7838b9abd62c75a3af349054ba223da.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un466351.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un466351.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3277.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3277.exe

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4224 -ip 4224

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2560.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2560.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 176.113.115.145:4125 | - | tcp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 70.208.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
RU | 176.113.115.145:4125 | - | tcp
RU | 176.113.115.145:4125 | - | tcp
RU | 176.113.115.145:4125 | - | tcp
RU | 176.113.115.145:4125 | - | tcp
RU | 176.113.115.145:4125 | - | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un466351.exe
  MD5: 2f0848a859899db97ed07bb28a4dccf2
  SHA1: 09ffae3c7230539f5e6b97c3c66c0f7d9d04489f
  SHA256: 2c3d2117337117beb9b235cf07933eb825af6572de2d748cbd737bd562fcc911
  SHA512: 956ed5f06ef032a280704732de302966a2ca9368522ed1e4f4718dbc93b2714bd9079c8d68d8fbf7569136089a9c3bfd607d2cd7f24442beb0d6c31c4c8767cc

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3277.exe
  MD5: a5ef23595fc9a0accbd834471c3a4e6f
  SHA1: 15e6bb2a1fb3e36c0ba14bd468150d16d2dda8f1
  SHA256: 9011901b8c5170fdce4b56844611f51bdb39fedd5a68df4aa61ba8cea271632f
  SHA512: 6f5aa8e558788bc185c7d733e6d1468ac08740e154e7e702088d21407c4308cb284db6615e13497e4d49d7658a6fb2a349e0cbd0f74fe56e7b6442d82a627c08

memory/4224-15-0x0000000000A40000-0x0000000000B40000-memory.dmp

memory/4224-16-0x00000000008D0000-0x00000000008FD000-memory.dmp

memory/4224-17-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4224-18-0x0000000000400000-0x00000000007FC000-memory.dmp

memory/4224-19-0x0000000002380000-0x000000000239A000-memory.dmp

memory/4224-20-0x0000000004F70000-0x0000000005514000-memory.dmp

memory/4224-21-0x0000000002420000-0x0000000002438000-memory.dmp

memory/4224-49-0x0000000002420000-0x0000000002432000-memory.dmp

memory/4224-47-0x0000000002420000-0x0000000002432000-memory.dmp

memory/4224-45-0x0000000002420000-0x0000000002432000-memory.dmp

memory/4224-43-0x0000000002420000-0x0000000002432000-memory.dmp

memory/4224-41-0x0000000002420000-0x0000000002432000-memory.dmp

memory/4224-39-0x0000000002420000-0x0000000002432000-memory.dmp

memory/4224-37-0x0000000002420000-0x0000000002432000-memory.dmp

memory/4224-35-0x0000000002420000-0x0000000002432000-memory.dmp

memory/4224-33-0x0000000002420000-0x0000000002432000-memory.dmp

memory/4224-31-0x0000000002420000-0x0000000002432000-memory.dmp

memory/4224-29-0x0000000002420000-0x0000000002432000-memory.dmp

memory/4224-27-0x0000000002420000-0x0000000002432000-memory.dmp

memory/4224-25-0x0000000002420000-0x0000000002432000-memory.dmp

memory/4224-23-0x0000000002420000-0x0000000002432000-memory.dmp

memory/4224-22-0x0000000002420000-0x0000000002432000-memory.dmp

memory/4224-50-0x0000000000A40000-0x0000000000B40000-memory.dmp

memory/4224-51-0x00000000008D0000-0x00000000008FD000-memory.dmp

memory/4224-52-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4224-55-0x0000000000400000-0x00000000007FC000-memory.dmp

memory/4224-56-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2560.exe
  MD5: 33936482a5d58b75cc9f62e302a03e37
  SHA1: bee10607397ed38f0154718973c587e2d92ab375
  SHA256: cd28bff1f9cfe0532c585eb14a70a54dec6f3f6e9b8099daed4622d311203099
  SHA512: 271963cd8a111c9e4c20c8cddf93b477c6b86e062b0e3ed545ace52bdecdf8bb49bbf54f1d15576d32a75cb1369f150aea0ce3b5d4d62b3a87b0e1ee250a0627

memory/932-61-0x00000000027E0000-0x0000000002826000-memory.dmp

memory/932-62-0x00000000053E0000-0x0000000005424000-memory.dmp

memory/932-70-0x00000000053E0000-0x000000000541F000-memory.dmp

memory/932-76-0x00000000053E0000-0x000000000541F000-memory.dmp

memory/932-96-0x00000000053E0000-0x000000000541F000-memory.dmp

memory/932-94-0x00000000053E0000-0x000000000541F000-memory.dmp

memory/932-92-0x00000000053E0000-0x000000000541F000-memory.dmp

memory/932-90-0x00000000053E0000-0x000000000541F000-memory.dmp

memory/932-88-0x00000000053E0000-0x000000000541F000-memory.dmp

memory/932-86-0x00000000053E0000-0x000000000541F000-memory.dmp

memory/932-84-0x00000000053E0000-0x000000000541F000-memory.dmp

memory/932-82-0x00000000053E0000-0x000000000541F000-memory.dmp

memory/932-80-0x00000000053E0000-0x000000000541F000-memory.dmp

memory/932-78-0x00000000053E0000-0x000000000541F000-memory.dmp

memory/932-74-0x00000000053E0000-0x000000000541F000-memory.dmp

memory/932-72-0x00000000053E0000-0x000000000541F000-memory.dmp

memory/932-68-0x00000000053E0000-0x000000000541F000-memory.dmp

memory/932-66-0x00000000053E0000-0x000000000541F000-memory.dmp

memory/932-64-0x00000000053E0000-0x000000000541F000-memory.dmp

memory/932-63-0x00000000053E0000-0x000000000541F000-memory.dmp

memory/932-969-0x0000000005440000-0x0000000005A58000-memory.dmp

memory/932-970-0x0000000005AE0000-0x0000000005BEA000-memory.dmp

memory/932-971-0x0000000005C20000-0x0000000005C32000-memory.dmp

memory/932-972-0x0000000005C40000-0x0000000005C7C000-memory.dmp

memory/932-973-0x0000000005D90000-0x0000000005DDC000-memory.dmp