Malware Analysis Report

2024-12-06 02:56

Sample ID 241110-ch78dszncr
Target 6ca82885f757dbe4b07d6c0f4b3e846813565594a96962c062d8cb0667fbd9e1
SHA256 6ca82885f757dbe4b07d6c0f4b3e846813565594a96962c062d8cb0667fbd9e1
Tags: healer redline mango discovery dropper evasion infostealer persistence trojan
score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score 10/10
SHA256 6ca82885f757dbe4b07d6c0f4b3e846813565594a96962c062d8cb0667fbd9e1
Threat Level: Known bad

The file 6ca82885f757dbe4b07d6c0f4b3e846813565594a96962c062d8cb0667fbd9e1 was found to be: Known bad.

Malicious Activity Summary

Tags: healer redline mango discovery dropper evasion infostealer persistence trojan

Family signatures:
RedLine payload
RedLine
Redline family
Detects Healer an antivirus disabler dropper
Healer family
Healer

Behaviour signatures:
Modifies Windows Defender Real-time Protection settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-10 02:05

Signatures

Unsigned PE

Description Indicator Process Target
One hit recorded; Description, Indicator, Process and Target are all N/A.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-10 02:05
Reported: 2024-11-10 02:08
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ca82885f757dbe4b07d6c0f4b3e846813565594a96962c062d8cb0667fbd9e1.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
19 hits recorded; Description, Indicator, Process and Target are N/A in every row.

Healer

dropper healer

Healer family

healer
Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target

Process C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9714WV.exe (native registry view), Target N/A:
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"

Process C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c44vK80.exe (WOW6432Node view), Target N/A:
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"

Both processes write the same five Real-Time Protection policy values, b9714WV.exe in the native view and c44vK80.exe under WOW6432Node, the view a 32-bit process sees (the SysWOW64 WerFault.exe instances for PID 984 in the Processes section confirm c44vK80.exe ran as 32-bit). These rows record the write calls the sandbox observed, not whether Defender accepted them: tamper protection, when on, is designed to block exactly this class of change, so on a hardened host a stage can trigger every one of these signatures and still leave real-time protection running.

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
20 hits recorded; Description, Indicator, Process and Target are N/A in every row.

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9714WV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c44vK80.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c44vK80.exe N/A

The same two processes also attempt to switch Tamper Protection off (TamperProtection = 0 under Windows Defender\Features), again once per registry view. This signature and the Real-Time Protection one above belong together: the policy writes only matter if this write took effect, and the report does not show whether it did.
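The two Defender tables above are the whole evasion story of this sample, so here is a check that turns rows in that format into something a responder can run over any sandbox or EDR registry feed: it scores Set value rows against a short Defender baseline and folds the WOW6432Node view into the native path so a 32-bit writer is scored the same as a 64-bit one. This is an added example, not code from the sandbox or from the sample; the rows are transcribed from the tables above plus one constructed benign row, and the baseline values and the view-folding rule are this example's own assumptions (whether a write in the WOW6432Node view reaches Defender is not something the report shows).

```python
"""Score sandbox registry rows against a Windows Defender tamper baseline.

Added example for this report, not code from the sandbox or from the sample.
REPORT_ROWS are transcribed from the two Defender tables; the last row is a
constructed benign write used to show a non-match. The baseline values and the
folding of the WOW6432Node view into the native path are assumptions of this
example.
"""
import re
from collections import defaultdict

# HKLM-relative value paths (native view) and the data that means "protection off".
DEFENDER_KILL_SWITCHES = {
    r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring": "1",
    r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring": "1",
    r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection": "1",
    r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable": "1",
    r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection": "1",
    r"SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection": "0",
}

# Sandbox row layout: Set value (type) <path> = "<data>" <process> <target>
SET_VALUE = re.compile(r'^Set value \((?:int|str)\) (.+?) = "([^"]*)" (\S+)')

B9714 = r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9714WV.exe"
C44VK = r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c44vK80.exe"
RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP_WOW = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEAT = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"
FEAT_WOW = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features"

REPORT_ROWS = [
    rf'Key created {RTP} {B9714} N/A',
    rf'Set value (int) {RTP}\DisableRealtimeMonitoring = "1" {B9714} N/A',
    rf'Set value (int) {RTP}\DisableOnAccessProtection = "1" {B9714} N/A',
    rf'Set value (int) {RTP}\DisableScanOnRealtimeEnable = "1" {B9714} N/A',
    rf'Set value (int) {RTP}\DisableBehaviorMonitoring = "1" {B9714} N/A',
    rf'Set value (int) {RTP}\DisableIOAVProtection = "1" {B9714} N/A',
    rf'Set value (int) {FEAT}\TamperProtection = "0" {B9714} N/A',
    rf'Key created {RTP_WOW} {C44VK} N/A',
    rf'Set value (int) {RTP_WOW}\DisableIOAVProtection = "1" {C44VK} N/A',
    rf'Set value (int) {RTP_WOW}\DisableScanOnRealtimeEnable = "1" {C44VK} N/A',
    rf'Set value (int) {RTP_WOW}\DisableBehaviorMonitoring = "1" {C44VK} N/A',
    rf'Set value (int) {RTP_WOW}\DisableOnAccessProtection = "1" {C44VK} N/A',
    rf'Set value (int) {RTP_WOW}\DisableRealtimeMonitoring = "1" {C44VK} N/A',
    rf'Key created {FEAT_WOW} {C44VK} N/A',
    rf'Set value (int) {FEAT_WOW}\TamperProtection = "0" {C44VK} N/A',
    # Constructed benign row (not in the report): must not be flagged.
    rf'Set value (str) \REGISTRY\USER\S-1-5-21-0-0-0-1000\Software\Example\LastRun = "2024-11-10" {C44VK} N/A',
]

def normalise_path(path):
    """HKLM-relative path with the WOW6432Node view folded away: (path, from_wow64_view)."""
    hklm = "\\REGISTRY\\MACHINE\\"
    if not path.startswith(hklm):
        return path, False
    rel = path[len(hklm):]
    wow_prefix = "SOFTWARE\\WOW6432Node\\"
    wow = rel.startswith(wow_prefix)
    if wow:
        rel = "SOFTWARE\\" + rel[len(wow_prefix):]
    return rel, wow

def find_defender_tampering(rows):
    """{process: [(hklm_relative_value_path, data, from_wow64_view), ...]} for baseline matches."""
    hits = defaultdict(list)
    for row in rows:
        m = SET_VALUE.match(row)
        if not m:
            continue  # "Key created" and other row kinds carry no data to score
        path, data, process = m.groups()
        rel, wow = normalise_path(path)
        if DEFENDER_KILL_SWITCHES.get(rel) == data:
            hits[process].append((rel, data, wow))
    return dict(hits)

def untouched_switches(hits, process):
    """Baseline values a given process did not flip, i.e. what is still expected to be on."""
    seen = {rel for rel, _, _ in hits.get(process, [])}
    return sorted(set(DEFENDER_KILL_SWITCHES) - seen)

if __name__ == "__main__":
    for proc, found in find_defender_tampering(REPORT_ROWS).items():
        view = "WOW6432Node" if found[0][2] else "native"
        print(f"{proc} ({view} view): {len(found)} Defender switches flipped, "
              f"{len(untouched_switches(find_defender_tampering(REPORT_ROWS), proc))} untouched")
```

Run against the transcribed rows it reports six flipped switches for each of the two IXP002.TMP processes and nothing for the constructed benign write; feeding it a live feed only requires producing rows in the same four-column shape.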

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\6ca82885f757dbe4b07d6c0f4b3e846813565594a96962c062d8cb0667fbd9e1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice6288.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9036.exe N/A

The wextract_cleanupN values pointing at advpack.dll,DelNodeRunDLL32 are the standard RunOnce entries written by IExpress (wextract) self-extracting packages: each one deletes its IXP00N.TMP extraction directory at the next logon rather than launching anything. Three nested packages (IXP000, IXP001, IXP002) account for the three entries, one per unpacking stage. The signature fires on the RunOnce write itself; these particular entries remove the dropper's staging directories and do not restart the payload.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Indicator and Target N/A) by each of:
C:\Users\Admin\AppData\Local\Temp\6ca82885f757dbe4b07d6c0f4b3e846813565594a96962c062d8cb0667fbd9e1.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice6288.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9036.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c44vK80.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dwZmD11.exe

Reading this key is part of ordinary locale initialisation, so on its own the signature says little. It is worth a glance only because infostealers commonly read the system language to decide whether to run at all; b9714WV.exe is the one stage not listed here.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9714WV.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c44vK80.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dwZmD11.exe N/A

AdjustTokenPrivileges can only enable a privilege the token already holds, and SeDebugPrivilege is granted to administrators, so the three payload stages ran with the sandbox user's administrative rights; the two IXP002.TMP stages are also the ones writing to HKLM above. Enabling this privilege is the usual prelude to opening other processes, yet the WriteProcessMemory rows below list no write originating from any of these three.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3204 wrote to memory of 960 (3 events): C:\Users\Admin\AppData\Local\Temp\6ca82885f757dbe4b07d6c0f4b3e846813565594a96962c062d8cb0667fbd9e1.exe -> C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice6288.exe
PID 960 wrote to memory of 2584 (3 events): C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice6288.exe -> C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9036.exe
PID 2584 wrote to memory of 3804 (2 events): C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9036.exe -> C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9714WV.exe
PID 2584 wrote to memory of 984 (3 events): C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9036.exe -> C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c44vK80.exe
PID 960 wrote to memory of 4128 (3 events): C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice6288.exe -> C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dwZmD11.exe
(Indicator is N/A in every row.)

Every write goes from a stage into the next-stage executable it launches, which is what CreateProcess itself does while setting up a new process, so these rows trace the spawn chain (3204 -> 960 -> 2584 -> 3804 and 984, plus 960 -> 4128) rather than showing injection into a process the writer did not create.
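To make the "every write is parent to child" reading testable, here is an added example (not sandbox or sample code) that rebuilds the spawn tree from rows in this exact format and flags only the writes whose target the writer did not create. The rows are transcribed from the table above; the parent map is this example's reconstruction, since the extract lists no PID per process, and the single injection row is constructed (it is not in the report) purely to exercise the flagged branch.

```python
"""Rebuild the spawn tree from 'wrote to memory of' rows and separate spawn-time
writes from writes into a process the writer did not create.

Added example for this report, not sandbox or sample code. WRITE_ROWS are
transcribed from the WriteProcessMemory table. PARENT_PID is this example's
reconstruction of the process tree (assumption: the extract gives no PID per
process). INJECTION_ROW is constructed and does not appear in the report.
"""
import re
from collections import Counter, defaultdict

WRITE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

T = r"C:\Users\Admin\AppData\Local\Temp"
ROOT = T + r"\6ca82885f757dbe4b07d6c0f4b3e846813565594a96962c062d8cb0667fbd9e1.exe"
TICE6288 = T + r"\IXP000.TMP\tice6288.exe"
TICE9036 = T + r"\IXP001.TMP\tice9036.exe"
B9714 = T + r"\IXP002.TMP\b9714WV.exe"
C44VK = T + r"\IXP002.TMP\c44vK80.exe"
DWZMD = T + r"\IXP001.TMP\dwZmD11.exe"

# The report lists one row per event; the repeats are kept as they appear there.
WRITE_ROWS = (
    [f"PID 3204 wrote to memory of 960 N/A {ROOT} {TICE6288}"] * 3
    + [f"PID 960 wrote to memory of 2584 N/A {TICE6288} {TICE9036}"] * 3
    + [f"PID 2584 wrote to memory of 3804 N/A {TICE9036} {B9714}"] * 2
    + [f"PID 2584 wrote to memory of 984 N/A {TICE9036} {C44VK}"] * 3
    + [f"PID 960 wrote to memory of 4128 N/A {TICE6288} {DWZMD}"] * 3
)

# Reconstructed parent of each child PID (assumption, inferred from the chain above).
PARENT_PID = {960: 3204, 2584: 960, 3804: 2584, 984: 2584, 4128: 960}

# Constructed, NOT in the report: a later stage writing into a PID it did not spawn.
INJECTION_ROW = f"PID 4128 wrote to memory of 984 N/A {DWZMD} {C44VK}"

def parse_writes(rows):
    """Counter of (writer_pid, target_pid, writer_image, target_image) -> event count."""
    events = Counter()
    for row in rows:
        m = WRITE.match(row)
        if m:
            w, t, wi, ti = m.groups()
            events[(int(w), int(t), wi, ti)] += 1
    return events

def images(events):
    """PID -> image path, taken from both sides of every write."""
    out = {}
    for w, t, wi, ti in events:
        out.setdefault(w, wi)
        out.setdefault(t, ti)
    return out

def classify_writes(events, parent_pid):
    """Split into spawn-time writes (writer is the target's parent) and suspect writes."""
    spawn, suspect = [], []
    for (w, t, _, ti), n in events.items():
        (spawn if parent_pid.get(t) == w else suspect).append((w, t, ti, n))
    return spawn, suspect

def render_tree(parent_pid, image):
    """Indented lines, one per PID, rooted at PIDs with no recorded parent."""
    children = defaultdict(list)
    for pid, ppid in parent_pid.items():
        children[ppid].append(pid)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {image.get(pid, '?')}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in sorted(p for p in image if p not in parent_pid):
        walk(root, 0)
    return lines

if __name__ == "__main__":
    ev = parse_writes(WRITE_ROWS + [INJECTION_ROW])
    print("\n".join(render_tree(PARENT_PID, images(ev))))
    for w, t, ti, n in classify_writes(ev, PARENT_PID)[1]:
        print(f"SUSPECT: {w} wrote {n}x into {t} ({ti}), which it did not spawn")
```

With the report's rows alone the suspect list is empty; only the constructed 4128 -> 984 row is flagged, which is the shape a real injection would take in this table.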

Processes

Image paths arranged as the spawn tree implied by the WriteProcessMemory rows above (PIDs taken from those rows; the command line equals the image path unless shown):

C:\Users\Admin\AppData\Local\Temp\6ca82885f757dbe4b07d6c0f4b3e846813565594a96962c062d8cb0667fbd9e1.exe (PID 3204)
    command line: "C:\Users\Admin\AppData\Local\Temp\6ca82885f757dbe4b07d6c0f4b3e846813565594a96962c062d8cb0667fbd9e1.exe"
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice6288.exe (PID 960)
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9036.exe (PID 2584)
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9714WV.exe (PID 3804)
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c44vK80.exe (PID 984)
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dwZmD11.exe (PID 4128)

Crash handling for PID 984 (c44vK80.exe), matching the Program crash signature:
C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 984 -ip 984
C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 984 -s 1092

WerFault.exe being the SysWOW64 copy means PID 984 was a 32-bit process, which is why its registry writes above land under WOW6432Node. The IXP00N.TMP directories are the extraction folders of nested IExpress (wextract) self-extracting packages: each stage unpacks the next into a fresh IXP directory and runs it, three levels deep before the two IXP002.TMP payloads appear.

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
RU 193.233.20.28:4125 tcp
RU 193.233.20.28:4125 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 193.233.20.28:4125 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
RU 193.233.20.28:4125 tcp
RU 193.233.20.28:4125 tcp
US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp

The udp rows are reverse (PTR) lookups sent to Google DNS; the name carries the queried address with its octets reversed (13.86.106.20.in-addr.arpa asks for the name of 20.106.86.13), and a lookup is not a connection to that host. The only direct traffic is five tcp connections to 193.233.20.28 on port 4125 with no domain involved, consistent with the bare IP:port channel RedLine clients use to reach their controller; that address and port are the network indicators to block and hunt for.
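Added example, not part of the report: the network table turned into indicators. It recovers the address behind each in-addr.arpa name, keeps lookups apart from connections, and applies a candidate-C2 rule (repeated direct TCP to a bare IP on a port other than 53, 80 or 443) that is this example's own heuristic, not something the sandbox asserts.

```python
"""Turn the report's Network table into IOCs: recover the IPs behind in-addr.arpa
reverse-lookup names and list direct connections separately.

Added example for this report, not sandbox or sample code. NETWORK_ROWS are
transcribed from the Network table. candidate_c2() is this example's own rule.
"""
import ipaddress
import re
from collections import Counter

# Row layout: <country> <ip>:<port> [<domain>] <proto>
ROW = re.compile(r"^([A-Z]{2}) (\S+):(\d+)(?: (\S+))? (tcp|udp)$")

NETWORK_ROWS = [
    "US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp",
    "US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp",
    "US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp",
    "US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp",
    "RU 193.233.20.28:4125 tcp",
    "RU 193.233.20.28:4125 tcp",
    "US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp",
    "RU 193.233.20.28:4125 tcp",
    "US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp",
    "RU 193.233.20.28:4125 tcp",
    "RU 193.233.20.28:4125 tcp",
    "US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp",
]

def ptr_to_ip(name):
    """'13.86.106.20.in-addr.arpa' -> '20.106.86.13'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None

def split_network(rows):
    """Return (lookups, connections): {queried_name: ip_or_None} and Counter of (ip, port, proto)."""
    lookups, connections = {}, Counter()
    for row in rows:
        m = ROW.match(row)
        if not m:
            continue
        _country, dest, port, domain, proto = m.groups()
        if domain is not None and port == "53":
            lookups[domain] = ptr_to_ip(domain)  # None for a forward (non-PTR) name
        else:
            connections[(dest, int(port), proto)] += 1
    return lookups, connections

def candidate_c2(connections, min_hits=2):
    """Direct TCP to a bare IP on a port other than 53/80/443, seen at least min_hits times."""
    return sorted(k for k, n in connections.items()
                  if k[2] == "tcp" and k[1] not in (53, 80, 443) and n >= min_hits)

if __name__ == "__main__":
    lookups, conns = split_network(NETWORK_ROWS)
    print("reverse lookups (queries, not connections):", sorted(v for v in lookups.values() if v))
    print("block/hunt:", candidate_c2(conns))
```

The lookups come out as seven addresses that were only resolved, never contacted, and the one entry worth blocking is ("193.233.20.28", 4125, "tcp").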

Files

Dropped executables with the hashes recorded by the sandbox, each followed by the memory dumps taken of the process that ran it (grouped by PID; the original listing orders dumps chronologically across processes).

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice6288.exe (PID 960)
MD5 5e298e64dcbfa865f76a25ca2112bd43
SHA1 2db9d95083d12c9d159b68cd0505a8ef92c0a39f
SHA256 3fe68fea252d0ad80eb4f0bad7c2e5c476ccdc096da9e820ccb5e0d3ef2831ce
SHA512 f490c141da63b6d3dcf91f4af7ce53bb3b72e2359dbc0c303bbefd399fc38f54f117cc31854d238986fa898eedf9977e4a793933ccbdb143d6dc1b211cc1002f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9036.exe (PID 2584)
MD5 9b85c7f41d6a184fcead946c892a4b67
SHA1 e38767534188898ec50a7d54a77d54f1bb38826a
SHA256 1e3f3773ea6ed030026bb84ff90d4fa940dfe3a0d49235c8f20d177a75112834
SHA512 6da493108fb4ee8cc3df03146abdb7ff8c4cae19ef21945844c23aa460a9b1d0b93b4c260fb3767f972d600bc5fc74c3edcd1af79f83ecd3d9fb1f74904f9956

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9714WV.exe (PID 3804)
MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
memory/3804-21-0x00007FFD774D3000-0x00007FFD774D5000-memory.dmp
memory/3804-22-0x0000000000630000-0x000000000063A000-memory.dmp
memory/3804-23-0x00007FFD774D3000-0x00007FFD774D5000-memory.dmp
(The 0x00007FFD... addresses show PID 3804 was a 64-bit process, unlike PID 984 below.)

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c44vK80.exe (PID 984)
MD5 c6aa222989b8a440a0f6e438df4c8955
SHA1 ed0fbc71763cbc226084fc83add0c3ca4783b75c
SHA256 eaec55a6038f2bcd5a2539d362ab818eb9ba2ac4482d923b10d696138bf51dd5
SHA512 1a58038340f8f19ec32f2b10196810adaf03cc987b6304d5b9d90e21cbec98140b59f62f82fa5fc18c107016f3ffe445b65aadca6f6b7352a747cb7d4cf488ff
memory/984-29-0x0000000004C20000-0x0000000004C3A000-memory.dmp
memory/984-30-0x0000000007320000-0x00000000078C4000-memory.dmp
memory/984-31-0x00000000071F0000-0x0000000007208000-memory.dmp
memory/984-32-0x00000000071F0000-0x0000000007202000-memory.dmp
memory/984-33-0x00000000071F0000-0x0000000007202000-memory.dmp
memory/984-35-0x00000000071F0000-0x0000000007202000-memory.dmp
memory/984-37-0x00000000071F0000-0x0000000007202000-memory.dmp
memory/984-39-0x00000000071F0000-0x0000000007202000-memory.dmp
memory/984-41-0x00000000071F0000-0x0000000007202000-memory.dmp
memory/984-43-0x00000000071F0000-0x0000000007202000-memory.dmp
memory/984-46-0x00000000071F0000-0x0000000007202000-memory.dmp
memory/984-47-0x00000000071F0000-0x0000000007202000-memory.dmp
memory/984-49-0x00000000071F0000-0x0000000007202000-memory.dmp
memory/984-51-0x00000000071F0000-0x0000000007202000-memory.dmp
memory/984-53-0x00000000071F0000-0x0000000007202000-memory.dmp
memory/984-55-0x00000000071F0000-0x0000000007202000-memory.dmp
memory/984-57-0x00000000071F0000-0x0000000007202000-memory.dmp
memory/984-59-0x00000000071F0000-0x0000000007202000-memory.dmp
memory/984-60-0x0000000000400000-0x0000000002B05000-memory.dmp
memory/984-62-0x0000000000400000-0x0000000002B05000-memory.dmp
(Dumps 32 to 59 are fifteen snapshots of the same 0x71F0000-0x7202000 region; 60 and 62 cover the full 0x400000 image mapping.)

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dwZmD11.exe (PID 4128)
MD5 f9586a51979f85020ffc0224e2c86693
SHA1 899e62a9ffb7d7229a181c80fb5195fd3c70aaaf
SHA256 80df621534a15178be225e6d88679b0ef66c11646ce25ff94148aa28d78f20f1
SHA512 92989cd5fb403f801e5bb35c9afb84c56c14fb6c891101a698555810b252c15f86e45ae4d0137760fe3fc513e67b80ff576d110a019238b094de7fdeb434743d
memory/4128-67-0x0000000007040000-0x0000000007086000-memory.dmp
memory/4128-68-0x0000000007100000-0x0000000007144000-memory.dmp
memory/4128-69-0x0000000007100000-0x000000000713E000-memory.dmp
memory/4128-70-0x0000000007100000-0x000000000713E000-memory.dmp
memory/4128-72-0x0000000007100000-0x000000000713E000-memory.dmp
memory/4128-74-0x0000000007100000-0x000000000713E000-memory.dmp
memory/4128-76-0x0000000007100000-0x000000000713E000-memory.dmp
memory/4128-78-0x0000000007100000-0x000000000713E000-memory.dmp
memory/4128-80-0x0000000007100000-0x000000000713E000-memory.dmp
memory/4128-82-0x0000000007100000-0x000000000713E000-memory.dmp
memory/4128-84-0x0000000007100000-0x000000000713E000-memory.dmp
memory/4128-86-0x0000000007100000-0x000000000713E000-memory.dmp
memory/4128-88-0x0000000007100000-0x000000000713E000-memory.dmp
memory/4128-90-0x0000000007100000-0x000000000713E000-memory.dmp
memory/4128-92-0x0000000007100000-0x000000000713E000-memory.dmp
memory/4128-94-0x0000000007100000-0x000000000713E000-memory.dmp
memory/4128-96-0x0000000007100000-0x000000000713E000-memory.dmp
memory/4128-98-0x0000000007100000-0x000000000713E000-memory.dmp
memory/4128-100-0x0000000007100000-0x000000000713E000-memory.dmp
memory/4128-102-0x0000000007100000-0x000000000713E000-memory.dmp
memory/4128-975-0x00000000078E0000-0x0000000007EF8000-memory.dmp
memory/4128-976-0x0000000007F30000-0x000000000803A000-memory.dmp
memory/4128-977-0x0000000008070000-0x0000000008082000-memory.dmp
memory/4128-978-0x0000000008090000-0x00000000080CC000-memory.dmp
memory/4128-979-0x00000000081E0000-0x000000000822C000-memory.dmp
(Dumps 69 to 102 are eighteen snapshots of the same 0x7100000-0x713E000 region; 975 to 979 are five larger regions captured late in the run.)