Malware Analysis Report

2024-12-06 02:58

Sample ID 241110-cgr5saxbkm
Target 6b87a48bd7a130c43fdf3390582db41b28339ee8d5201cb1f72a4e65cedbc211
SHA256 6b87a48bd7a130c43fdf3390582db41b28339ee8d5201cb1f72a4e65cedbc211
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10


Analysis Overview


Threat Level: Known bad

The file 6b87a48bd7a130c43fdf3390582db41b28339ee8d5201cb1f72a4e65cedbc211 was found to be: Known bad.

Malicious Activity Summary

Redline family

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Detects Healer, an antivirus disabler dropper

Healer

Healer family

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-11-10 02:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 02:03

Reported

2024-11-10 02:05

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6b87a48bd7a130c43fdf3390582db41b28339ee8d5201cb1f72a4e65cedbc211.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr940122.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr940122.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr940122.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr940122.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr940122.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr940122.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr940122.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr940122.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\6b87a48bd7a130c43fdf3390582db41b28339ee8d5201cb1f72a4e65cedbc211.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un672531.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un672531.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr940122.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu889702.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6b87a48bd7a130c43fdf3390582db41b28339ee8d5201cb1f72a4e65cedbc211.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr940122.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr940122.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr940122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu889702.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1240 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\6b87a48bd7a130c43fdf3390582db41b28339ee8d5201cb1f72a4e65cedbc211.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un672531.exe
PID 3588 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un672531.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr940122.exe
PID 3588 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un672531.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu889702.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6b87a48bd7a130c43fdf3390582db41b28339ee8d5201cb1f72a4e65cedbc211.exe

"C:\Users\Admin\AppData\Local\Temp\6b87a48bd7a130c43fdf3390582db41b28339ee8d5201cb1f72a4e65cedbc211.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un672531.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un672531.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr940122.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr940122.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 404 -ip 404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu889702.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu889702.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
RU 185.161.248.142:38452 N/A tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un672531.exe

MD5 2195191162d325a618aa7cfb4e6d0298
SHA1 76be212ec356351bb0637366ad48da1729219b66
SHA256 de90469521a3f478d4a326ec94a7fb912959141f9692520c870c11952f5d0489
SHA512 afaa304235455c01da7c192dab96b4bfe91566ae34130f0fa76a701554d60b2cd97acf75ac041d6749488c22870bd3089038dfbd31126c52522e3bbcd9d2bdc2

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr940122.exe

MD5 cfe96dde6c818933cfa69bc207e9bb75
SHA1 1f1f5b77e9d5f88527a6ae153ed9bd43b51e8488
SHA256 9728b91aeaef0da19291e574861f2d1065fba20aacca605feb8122b4829ec5c7
SHA512 fe5b9213e77b9ec2e9d651295d2bacc5413270c1daf0c719258c23001a760fea4434a907ffbbc5edda8f0c08a8fc08c17e55b2dc494ffcd155fc4a045b01ba72

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu889702.exe

MD5 9b48df3d36c431ff86f409ed9f19e2a7
SHA1 f83e08068ac547cc46e1e468a6c7d3a8c45a8310
SHA256 4b9b03c5efce01555d02c2d7239fe48b461d6bff027a57f9dda6decf67566090
SHA512 159b737d2d60042dbe2620ad28b20e08b267c177f482229ad62ebb6a57016f0f1eed6c31f3b85dd3f4081635b8edef8b6d3e71190894595ed0c871cfe46c3544
