Malware Analysis Report

2024-12-06 02:59

Sample ID: 241110-chcfqaxbln
Target: 99571d2f823867703f59e07d5a20b050c371911141173f9a6b5998290b9dca32
SHA256: 99571d2f823867703f59e07d5a20b050c371911141173f9a6b5998290b9dca32
Tags: healer redline rumfa discovery dropper evasion infostealer persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 99571d2f823867703f59e07d5a20b050c371911141173f9a6b5998290b9dca32

Threat Level: Known bad

The file 99571d2f823867703f59e07d5a20b050c371911141173f9a6b5998290b9dca32 was found to be: Known bad.

Malicious Activity Summary

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Healer

Redline family

Detects Healer an antivirus disabler dropper

Healer family

RedLine

RedLine payload

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-10 02:04

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-10 02:04

Reported: 2024-11-10 02:06

Platform: win10v2004-20241007-en

Max time kernel: 142s

Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\99571d2f823867703f59e07d5a20b050c371911141173f9a6b5998290b9dca32.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bura10iA69.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bura10iA69.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bura10iA69.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bura10iA69.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bura10iA69.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bura10iA69.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bura10iA69.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEU55eV58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plip21tD64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\99571d2f823867703f59e07d5a20b050c371911141173f9a6b5998290b9dca32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plYJ05eV15.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plIM43CF88.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\99571d2f823867703f59e07d5a20b050c371911141173f9a6b5998290b9dca32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plYJ05eV15.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plIM43CF88.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEU55eV58.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plip21tD64.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caxq25gh78.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bura10iA69.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bura10iA69.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bura10iA69.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caxq25gh78.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3024 wrote to memory of 1376 | N/A | C:\Users\Admin\AppData\Local\Temp\99571d2f823867703f59e07d5a20b050c371911141173f9a6b5998290b9dca32.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plYJ05eV15.exe
PID 3024 wrote to memory of 1376 | N/A | C:\Users\Admin\AppData\Local\Temp\99571d2f823867703f59e07d5a20b050c371911141173f9a6b5998290b9dca32.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plYJ05eV15.exe
PID 3024 wrote to memory of 1376 | N/A | C:\Users\Admin\AppData\Local\Temp\99571d2f823867703f59e07d5a20b050c371911141173f9a6b5998290b9dca32.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plYJ05eV15.exe
PID 1376 wrote to memory of 4904 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plYJ05eV15.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plIM43CF88.exe
PID 1376 wrote to memory of 4904 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plYJ05eV15.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plIM43CF88.exe
PID 1376 wrote to memory of 4904 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plYJ05eV15.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plIM43CF88.exe
PID 4904 wrote to memory of 1108 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plIM43CF88.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEU55eV58.exe
PID 4904 wrote to memory of 1108 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plIM43CF88.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEU55eV58.exe
PID 4904 wrote to memory of 1108 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plIM43CF88.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEU55eV58.exe
PID 1108 wrote to memory of 3408 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEU55eV58.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plip21tD64.exe
PID 1108 wrote to memory of 3408 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEU55eV58.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plip21tD64.exe
PID 1108 wrote to memory of 3408 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEU55eV58.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plip21tD64.exe
PID 3408 wrote to memory of 3680 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plip21tD64.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bura10iA69.exe
PID 3408 wrote to memory of 3680 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plip21tD64.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bura10iA69.exe
PID 3408 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plip21tD64.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caxq25gh78.exe
PID 3408 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plip21tD64.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caxq25gh78.exe
PID 3408 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plip21tD64.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caxq25gh78.exe

Processes

C:\Users\Admin\AppData\Local\Temp\99571d2f823867703f59e07d5a20b050c371911141173f9a6b5998290b9dca32.exe

"C:\Users\Admin\AppData\Local\Temp\99571d2f823867703f59e07d5a20b050c371911141173f9a6b5998290b9dca32.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plYJ05eV15.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plYJ05eV15.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plIM43CF88.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plIM43CF88.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEU55eV58.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEU55eV58.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plip21tD64.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plip21tD64.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bura10iA69.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bura10iA69.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caxq25gh78.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caxq25gh78.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 193.233.20.24:4123 | | tcp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
RU | 193.233.20.24:4123 | | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
RU | 193.233.20.24:4123 | | tcp
RU | 193.233.20.24:4123 | | tcp
RU | 193.233.20.24:4123 | | tcp
RU | 193.233.20.24:4123 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plYJ05eV15.exe

MD5 c8280b91f6f519db223708fde413b4e6
SHA1 59dead7b7b1976ee3a6454bb11a875b5a67741d0
SHA256 4a894493874a5e90f443691c3c71bc3fd7c61da913e1a81f0ed9af10dfcf1dc4
SHA512 e631f61894bf127bda4084313fa830922ed9a5eb852720567a0cc63e6414e138d1bcc972027ba8813fe4e0dac5e15a2fc3cf37c881f74fd7e89603669747ff1e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plIM43CF88.exe

MD5 ce0dedd4fe75fee8f5f35c8bed9db9d1
SHA1 9d43bea12fda65f8623c8dd080aefb3d0d535758
SHA256 2247ab405a5bac56f64da1799675e8649ac28199e7ebf56be19de909e168d556
SHA512 69c440fcc1f9a632ea22af06abd25588a756e7f962b586a5f9e259fa5ecc80ba3879581cf10f307dfd2c386bf43db24c92e93c8e96fa894ed33c5a46faf79ef9

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEU55eV58.exe

MD5 51b100472ad7feffdbfa30cb98011f9f
SHA1 dd15221fa918b2b24f7e4d1d32f864c0b2c7c93b
SHA256 33723a381db117813380c5e40bc058ebbc44be4007ea471f4d6b5fdf46c66d4b
SHA512 379f01f25900b2027f0ca9c3c5a84055e0edd2918f51e7e7616a079e111d73ec31ef8ba27a4f6063e8e447f9b23c849d4783bf939656d110addbb1b9550c4a9c

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plip21tD64.exe

MD5 0bda1546d96822584cf08c628f62833d
SHA1 d63e578ab7ceb44a62eb6ad345cbec272b9c06bb
SHA256 45e4abf3fa5e4b6875344111d775abf0c05edf253a7e88c56c72b995fcf03de7
SHA512 cf2e7524ed61ac6cac70236e417aca2eebc98277e6ea9154443dced47aae131a3fd85ddbf3c8d14f2dd77ac0897edfc42cd6fc0ba42d6c168afa58f868976692

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bura10iA69.exe

MD5 a7d2284c77e47728c82d80b1425f53ab
SHA1 48d9e8943d8a70a845afe268c3ad992d97553c2c
SHA256 39af6f114c27c15b1043d489893bc06cbb5ce6e7ba36f1f91eec24a8c880135b
SHA512 2e9196322df3fcd70068e1575e2327f453e1d881c71e65e0cd46fa269591fd05e372eb933411e50a88dd1412464852fdd9e474281033a03e2733394aa8b82f8e

memory/3680-35-0x0000000000510000-0x000000000051A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caxq25gh78.exe

MD5 3f9a7dfc803e1ca1f5063b46046bb80d
SHA1 b58fc19b2eb569e8298cbe9c0723eb6dc7b27b57
SHA256 a1740aa08ca787a2f48c5965ea1125c761a27d0319e540175f1977750ee9cac2
SHA512 2037c20bf9729196383dc744ed2172fb646aa2ec07a6a90bfb3b9687805c003ad0e5441248b28433461f449035a9bbf6edd5d04443268e611f62b1f8d10a40cb

memory/1920-41-0x0000000007110000-0x0000000007156000-memory.dmp

memory/1920-42-0x0000000007260000-0x0000000007804000-memory.dmp

memory/1920-43-0x00000000071A0000-0x00000000071E4000-memory.dmp

memory/1920-57-0x00000000071A0000-0x00000000071DE000-memory.dmp

memory/1920-55-0x00000000071A0000-0x00000000071DE000-memory.dmp

memory/1920-53-0x00000000071A0000-0x00000000071DE000-memory.dmp

memory/1920-51-0x00000000071A0000-0x00000000071DE000-memory.dmp

memory/1920-81-0x00000000071A0000-0x00000000071DE000-memory.dmp

memory/1920-69-0x00000000071A0000-0x00000000071DE000-memory.dmp

memory/1920-49-0x00000000071A0000-0x00000000071DE000-memory.dmp

memory/1920-47-0x00000000071A0000-0x00000000071DE000-memory.dmp

memory/1920-45-0x00000000071A0000-0x00000000071DE000-memory.dmp

memory/1920-44-0x00000000071A0000-0x00000000071DE000-memory.dmp

memory/1920-107-0x00000000071A0000-0x00000000071DE000-memory.dmp

memory/1920-106-0x00000000071A0000-0x00000000071DE000-memory.dmp

memory/1920-103-0x00000000071A0000-0x00000000071DE000-memory.dmp

memory/1920-102-0x00000000071A0000-0x00000000071DE000-memory.dmp

memory/1920-99-0x00000000071A0000-0x00000000071DE000-memory.dmp

memory/1920-97-0x00000000071A0000-0x00000000071DE000-memory.dmp

memory/1920-95-0x00000000071A0000-0x00000000071DE000-memory.dmp

memory/1920-93-0x00000000071A0000-0x00000000071DE000-memory.dmp

memory/1920-91-0x00000000071A0000-0x00000000071DE000-memory.dmp

memory/1920-89-0x00000000071A0000-0x00000000071DE000-memory.dmp

memory/1920-87-0x00000000071A0000-0x00000000071DE000-memory.dmp

memory/1920-85-0x00000000071A0000-0x00000000071DE000-memory.dmp

memory/1920-83-0x00000000071A0000-0x00000000071DE000-memory.dmp

memory/1920-79-0x00000000071A0000-0x00000000071DE000-memory.dmp

memory/1920-77-0x00000000071A0000-0x00000000071DE000-memory.dmp

memory/1920-75-0x00000000071A0000-0x00000000071DE000-memory.dmp

memory/1920-73-0x00000000071A0000-0x00000000071DE000-memory.dmp

memory/1920-71-0x00000000071A0000-0x00000000071DE000-memory.dmp

memory/1920-67-0x00000000071A0000-0x00000000071DE000-memory.dmp

memory/1920-65-0x00000000071A0000-0x00000000071DE000-memory.dmp

memory/1920-63-0x00000000071A0000-0x00000000071DE000-memory.dmp

memory/1920-61-0x00000000071A0000-0x00000000071DE000-memory.dmp

memory/1920-59-0x00000000071A0000-0x00000000071DE000-memory.dmp

memory/1920-950-0x0000000007810000-0x0000000007E28000-memory.dmp

memory/1920-951-0x0000000007EA0000-0x0000000007FAA000-memory.dmp

memory/1920-952-0x0000000007FE0000-0x0000000007FF2000-memory.dmp

memory/1920-953-0x0000000008000000-0x000000000803C000-memory.dmp

memory/1920-954-0x0000000008150000-0x000000000819C000-memory.dmp