Malware Analysis Report

2024-12-06 02:57

Sample ID 241110-cgn35axcqb
Target 3fb3b09dc1e302e6144743b63c8635a60965c1885b7515a69ba5a912b0a95758
SHA256 3fb3b09dc1e302e6144743b63c8635a60965c1885b7515a69ba5a912b0a95758
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3fb3b09dc1e302e6144743b63c8635a60965c1885b7515a69ba5a912b0a95758

Threat Level: Known bad

The file 3fb3b09dc1e302e6144743b63c8635a60965c1885b7515a69ba5a912b0a95758 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

RedLine

Healer

Healer family

Redline family

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

RedLine payload

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 02:03

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 02:03

Reported

2024-11-10 02:05

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3fb3b09dc1e302e6144743b63c8635a60965c1885b7515a69ba5a912b0a95758.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\3fb3b09dc1e302e6144743b63c8635a60965c1885b7515a69ba5a912b0a95758.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un415414.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un908948.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un415414.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un908948.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu372321.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3fb3b09dc1e302e6144743b63c8635a60965c1885b7515a69ba5a912b0a95758.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu372321.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2012 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\3fb3b09dc1e302e6144743b63c8635a60965c1885b7515a69ba5a912b0a95758.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un415414.exe
PID 2012 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\3fb3b09dc1e302e6144743b63c8635a60965c1885b7515a69ba5a912b0a95758.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un415414.exe
PID 2012 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\3fb3b09dc1e302e6144743b63c8635a60965c1885b7515a69ba5a912b0a95758.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un415414.exe
PID 1888 wrote to memory of 996 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un415414.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un908948.exe
PID 1888 wrote to memory of 996 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un415414.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un908948.exe
PID 1888 wrote to memory of 996 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un415414.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un908948.exe
PID 996 wrote to memory of 4864 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un908948.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe
PID 996 wrote to memory of 4864 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un908948.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe
PID 996 wrote to memory of 4864 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un908948.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe
PID 996 wrote to memory of 4784 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un908948.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu372321.exe
PID 996 wrote to memory of 4784 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un908948.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu372321.exe
PID 996 wrote to memory of 4784 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un908948.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu372321.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3fb3b09dc1e302e6144743b63c8635a60965c1885b7515a69ba5a912b0a95758.exe

"C:\Users\Admin\AppData\Local\Temp\3fb3b09dc1e302e6144743b63c8635a60965c1885b7515a69ba5a912b0a95758.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un415414.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un415414.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un908948.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un908948.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 4864 -ip 4864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1036

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu372321.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu372321.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 185.161.248.152:38452 | | tcp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
RU | 185.161.248.152:38452 | | tcp
US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
RU | 185.161.248.152:38452 | | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
RU | 185.161.248.152:38452 | | tcp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
RU | 185.161.248.152:38452 | | tcp
RU | 185.161.248.152:38452 | | tcp
RU | 185.161.248.152:38452 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un415414.exe

MD5 1893b9b451bb8e0d8d317f90d85f5493
SHA1 84cde6c0aa16d83f394430d533d5030afe88575a
SHA256 650a7db8a7ddecb3898e026525f9ebe76e7ab4a9ce5487ee6632a89319a4ef60
SHA512 93dfd6439f99388cc41cadd83ba44cdb3df623b74030812cdfb255a727dd53cd2040c7c93909f73e0c05ae4f42179e702295ba49abc9b9080caa8b9aa03af9e0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un908948.exe

MD5 d11cabe54c940b5be505e55c54d1f163
SHA1 3d61ec7b345a47083ec25189aa47df564c793038
SHA256 7e9f35469e8e4ab4e794c016e1f36953d27de56eaec39a93a79977818ae1a368
SHA512 c733fd9442418e4c59018629062cf60b924db99299d5228d4f826efbfa9629478766562257e07b5401c2766d56a00ef37dd2b711bd533918f9a721ea230ace39

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe

MD5 e83c245c8a48f18ac38182497863ebfc
SHA1 798b3fceb98199046213086eb8ce4f38fd74fe65
SHA256 7b679cabb2a4c7c01af00c44438f4ae183e78a252ba080a6e50ba5622331dab7
SHA512 33ebb0f93377808312a28894cf8fa92000b35446b9d33d2bf87ae34ee0c0062e78230b88d754040fbd7c009c55d0de11fa2c51ba0a3744af3e7e6df6484e7a75

memory/4864-22-0x0000000000890000-0x0000000000990000-memory.dmp

memory/4864-23-0x0000000002700000-0x000000000271A000-memory.dmp

memory/4864-24-0x0000000005060000-0x0000000005604000-memory.dmp

memory/4864-25-0x0000000002AB0000-0x0000000002AC8000-memory.dmp

memory/4864-33-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

memory/4864-53-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

memory/4864-51-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

memory/4864-49-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

memory/4864-47-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

memory/4864-45-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

memory/4864-43-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

memory/4864-41-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

memory/4864-39-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

memory/4864-37-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

memory/4864-35-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

memory/4864-31-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

memory/4864-29-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

memory/4864-27-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

memory/4864-26-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

memory/4864-55-0x0000000000890000-0x0000000000990000-memory.dmp

memory/4864-54-0x0000000000400000-0x000000000080A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu372321.exe

MD5 2025d9aa3e89c27c91c96a720886ffd6
SHA1 b2c9bfce6b1c13f2284eba8b8ebcc1c9e150539c
SHA256 c5bdc5740c7b3ed5496d5cb5bf6a6e48db0332e27f01ae27e7dc3047bce3fc48
SHA512 dc57d1943f206f7c551956f98f784d90f3095db8ab18fb1e51954dab35a750746b6bd6a00ddd78f34379006512743c00e370d373d5a28768ae1ea47f34cf15d6

memory/4864-57-0x0000000000400000-0x000000000080A000-memory.dmp

memory/4784-62-0x00000000027D0000-0x000000000280C000-memory.dmp

memory/4784-63-0x00000000029D0000-0x0000000002A0A000-memory.dmp

memory/4784-75-0x00000000029D0000-0x0000000002A05000-memory.dmp

memory/4784-85-0x00000000029D0000-0x0000000002A05000-memory.dmp

memory/4784-73-0x00000000029D0000-0x0000000002A05000-memory.dmp

memory/4784-71-0x00000000029D0000-0x0000000002A05000-memory.dmp

memory/4784-69-0x00000000029D0000-0x0000000002A05000-memory.dmp

memory/4784-67-0x00000000029D0000-0x0000000002A05000-memory.dmp

memory/4784-65-0x00000000029D0000-0x0000000002A05000-memory.dmp

memory/4784-64-0x00000000029D0000-0x0000000002A05000-memory.dmp

memory/4784-97-0x00000000029D0000-0x0000000002A05000-memory.dmp

memory/4784-96-0x00000000029D0000-0x0000000002A05000-memory.dmp

memory/4784-93-0x00000000029D0000-0x0000000002A05000-memory.dmp

memory/4784-91-0x00000000029D0000-0x0000000002A05000-memory.dmp

memory/4784-89-0x00000000029D0000-0x0000000002A05000-memory.dmp

memory/4784-87-0x00000000029D0000-0x0000000002A05000-memory.dmp

memory/4784-83-0x00000000029D0000-0x0000000002A05000-memory.dmp

memory/4784-81-0x00000000029D0000-0x0000000002A05000-memory.dmp

memory/4784-80-0x00000000029D0000-0x0000000002A05000-memory.dmp

memory/4784-77-0x00000000029D0000-0x0000000002A05000-memory.dmp

memory/4784-856-0x0000000007930000-0x0000000007F48000-memory.dmp

memory/4784-857-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

memory/4784-858-0x0000000007FC0000-0x00000000080CA000-memory.dmp

memory/4784-859-0x00000000080E0000-0x000000000811C000-memory.dmp

memory/4784-860-0x0000000002600000-0x000000000264C000-memory.dmp