Malware Analysis Report

2024-12-06 02:57

Sample ID 241110-chnhzsxbmj
Target 3a741e8922f7659cbf9393c550ea5fb72b5f213455d9fd136db40c7fa10224f3
SHA256 3a741e8922f7659cbf9393c550ea5fb72b5f213455d9fd136db40c7fa10224f3
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3a741e8922f7659cbf9393c550ea5fb72b5f213455d9fd136db40c7fa10224f3

Threat Level: Known bad

The file 3a741e8922f7659cbf9393c550ea5fb72b5f213455d9fd136db40c7fa10224f3 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Healer family

RedLine payload

Detects Healer an antivirus disabler dropper

Redline family

RedLine

Healer

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 02:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 02:04

Reported

2024-11-10 02:07

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3a741e8922f7659cbf9393c550ea5fb72b5f213455d9fd136db40c7fa10224f3.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr732505.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr732505.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr732505.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr732505.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr732505.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr732505.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr732505.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr732505.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\3a741e8922f7659cbf9393c550ea5fb72b5f213455d9fd136db40c7fa10224f3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un996137.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3a741e8922f7659cbf9393c550ea5fb72b5f213455d9fd136db40c7fa10224f3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un996137.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr732505.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu725795.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr732505.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr732505.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr732505.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu725795.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1196 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\3a741e8922f7659cbf9393c550ea5fb72b5f213455d9fd136db40c7fa10224f3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un996137.exe
PID 1196 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\3a741e8922f7659cbf9393c550ea5fb72b5f213455d9fd136db40c7fa10224f3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un996137.exe
PID 1196 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\3a741e8922f7659cbf9393c550ea5fb72b5f213455d9fd136db40c7fa10224f3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un996137.exe
PID 2072 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un996137.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr732505.exe
PID 2072 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un996137.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr732505.exe
PID 2072 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un996137.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr732505.exe
PID 2072 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un996137.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu725795.exe
PID 2072 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un996137.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu725795.exe
PID 2072 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un996137.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu725795.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3a741e8922f7659cbf9393c550ea5fb72b5f213455d9fd136db40c7fa10224f3.exe

"C:\Users\Admin\AppData\Local\Temp\3a741e8922f7659cbf9393c550ea5fb72b5f213455d9fd136db40c7fa10224f3.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un996137.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un996137.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr732505.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr732505.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 920 -ip 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu725795.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu725795.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
RU 185.161.248.153:38452 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 185.161.248.153:38452 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
RU 185.161.248.153:38452 tcp
RU 185.161.248.153:38452 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
RU 185.161.248.153:38452 tcp
RU 185.161.248.153:38452 tcp
RU 185.161.248.153:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un996137.exe

MD5 b8966a8f1bf383cf848ee8be649fa902
SHA1 79ae662d8b260aeb25a69045868d35a5b0bda95a
SHA256 bffb7f0fb1ee5e93b8e70e720645f539b8a6b834e78dd403b2c650b168200503
SHA512 0e4c7373950ae1a74142c55e3e2388b6cb0710ba4172dca04a0c9ff71b8cf4cfb75d7c97c5c3386ef3199b4b4287c9c54a832bb84655b6a4e9febd58122a4342

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr732505.exe

MD5 89ba8c77cefb82ebab078459c37df4c5
SHA1 f4f59a0aef6ec8655b8742a693a6bc980d10cbbd
SHA256 c12ec5b65e5ea9155b5e9b873186a7766ee0c797ea3b1b9bd00b149df8fe48dd
SHA512 497f7c9e06c640cc81dc02d7654f5ca56fd84ca90064225e07e20b794ffc6f5f8650fd9c4908687c051bc5b2da19f56022cdb4873655b527c3f1160e45bce304

memory/920-15-0x0000000002EA0000-0x0000000002FA0000-memory.dmp

memory/920-17-0x0000000000400000-0x0000000000430000-memory.dmp

memory/920-16-0x0000000002CB0000-0x0000000002CDD000-memory.dmp

memory/920-18-0x00000000049A0000-0x00000000049BA000-memory.dmp

memory/920-19-0x0000000007220000-0x00000000077C4000-memory.dmp

memory/920-20-0x0000000007150000-0x0000000007168000-memory.dmp

memory/920-21-0x0000000007150000-0x0000000007162000-memory.dmp

memory/920-30-0x0000000007150000-0x0000000007162000-memory.dmp

memory/920-46-0x0000000007150000-0x0000000007162000-memory.dmp

memory/920-44-0x0000000007150000-0x0000000007162000-memory.dmp

memory/920-42-0x0000000007150000-0x0000000007162000-memory.dmp

memory/920-40-0x0000000007150000-0x0000000007162000-memory.dmp

memory/920-39-0x0000000007150000-0x0000000007162000-memory.dmp

memory/920-37-0x0000000007150000-0x0000000007162000-memory.dmp

memory/920-34-0x0000000007150000-0x0000000007162000-memory.dmp

memory/920-33-0x0000000007150000-0x0000000007162000-memory.dmp

memory/920-48-0x0000000007150000-0x0000000007162000-memory.dmp

memory/920-28-0x0000000007150000-0x0000000007162000-memory.dmp

memory/920-26-0x0000000007150000-0x0000000007162000-memory.dmp

memory/920-24-0x0000000007150000-0x0000000007162000-memory.dmp

memory/920-22-0x0000000007150000-0x0000000007162000-memory.dmp

memory/920-49-0x0000000002EA0000-0x0000000002FA0000-memory.dmp

memory/920-50-0x0000000000400000-0x0000000002BAF000-memory.dmp

memory/920-51-0x0000000000400000-0x0000000000430000-memory.dmp

memory/920-54-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu725795.exe

MD5 874d8d891937bc946e04623bce742865
SHA1 aacf9a5afc9f1ebf5e2dba821ee337875bfaab4f
SHA256 d0964f60851d692c1d4472805e2832ec90b2a35bae6fe9c3500d74f8775f1628
SHA512 15bb1d1613fcb99aab33269143934836f3b5f1a6fc41648cb4f765af98ae7bfdd10bb9921634720ba518cb5782df6a024e7a2fde7099f79e0834de046b0a53e3

memory/920-53-0x0000000000400000-0x0000000002BAF000-memory.dmp

memory/4848-59-0x0000000007160000-0x000000000719C000-memory.dmp

memory/4848-60-0x0000000007790000-0x00000000077CA000-memory.dmp

memory/4848-62-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4848-86-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4848-94-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4848-92-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4848-90-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4848-88-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4848-84-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4848-82-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4848-80-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4848-78-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4848-76-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4848-74-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4848-72-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4848-70-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4848-68-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4848-66-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4848-64-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4848-61-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4848-853-0x0000000009C90000-0x000000000A2A8000-memory.dmp

memory/4848-854-0x000000000A350000-0x000000000A362000-memory.dmp

memory/4848-855-0x000000000A370000-0x000000000A47A000-memory.dmp

memory/4848-856-0x000000000A4A0000-0x000000000A4DC000-memory.dmp

memory/4848-857-0x0000000006C60000-0x0000000006CAC000-memory.dmp